Tuesday, October 16, 2012

Win32/NetSky.Q


Win32/NetSky.Q is an internet worm that spreads via e-mail messages, P2P networks or shared network drives.
Note: In the following text the symbolic name %windir% stands for the directory in which the Windows operating system is installed; this of course differs from installation to installation. The System or System32 subdirectory of %windir% is referred to as %system%.
The worm is an executable nearly 29 kilobytes long. Upon execution it copies itself into the %windir% directory under the name "FVProtect.exe".
It also creates a file called "userconfig9x.dll", which is 26 kB long. This dynamic library is then executed.

In order to be run every time Windows starts, the worm creates a Registry entry called "Norton Antivirus AV" in the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The new entry contains the path to "FVProtect.exe".

The following Registry entries are removed by the worm:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\au.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\direct.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gouday.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLE
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rate.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srate.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssate.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Host
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\System.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Video
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DELETE ME
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\direct.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jijbl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msgsvr32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sentry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\video
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Host
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupd.exe
This way, some older worms can be deactivated if they are present on the system.

The following files are created in the %windir% directory: base64.tmp, zip1.tmp, zip2.tmp, zip3.tmp, zipped.tmp.
These are used when the e-mail messages are composed.

The worm searches all local disks for directories whose names contain any of the following strings:
bear
donkey
download
ftp
htdocs
http
icq
kazaa
lime
morpheus
mule
my shared folder
shar
shared files
upload
The messages used to spread the worm are composed from a long list of strings. The sender address is either picked at random from the harvested addresses, or it is one of the addresses contained in the worm:
abuse@gov.us
noreply@paypal.com
support@symantec.com
The subject of the message is chosen from the list below:
-do0-i4grjj40j09gjijgp
0i09u5rug08r89589gjrg
Administrator
approved
Congratulations!
corrected
Do you?
The body of the e-mail contains one of the following messages, but it can also be blank.
9u049u89gh89fsdpokofkdpbm3-4i
Are you a spammer? (I found your email on a spammer website!?!)
Authentication required.
Bad Gateway: The message has been attached.
Best wishes, your friend.
Binary message is available.
Can you confirm it?
Congratulations!, your best friend.
Delivered message is attached.
Do not visit this illegal websites!
Encrypted message is available.
The attachment is either an executable or a ZIP archive. If it is an EXE file, it has two extensions: the first is either ".doc" or ".txt", and the second is ".exe", ".scr" or ".pif".

If the attachment is a ZIP archive, its extension is ".zip". The archive contains the Win32/NetSky.Q executable under one of three names:
document.txt .exe
data.rtf .scr
details.txt .pif
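As an added defender-side example (not code from the original page or from the antivirus vendor's description), the following Python triage script covers both the persistence entry described above and the attachment naming: it flags the "Norton Antivirus AV" Run-key value (or any Run value pointing at FVProtect.exe) in a .reg export, and flags the padded double-extension names on a bare attachment or inside a ZIP attachment. The .reg export and the ZIP are constructed samples; the indicator names are taken from this page.

```python
import io, re, zipfile

# Indicators from the description above: the Run-key value and binary the worm installs,
# and its attachment naming (benign first extension, optional space padding, executable extension).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
NETSKY_Q_VALUE_NAME = "Norton Antivirus AV"
NETSKY_Q_BINARY = "fvprotect.exe"
DOUBLE_EXT_RE = re.compile(r"\.(doc|txt|rtf) *\.(exe|scr|pif)$", re.IGNORECASE)
_REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Parse a minimal .reg export (string values only) into {key: {name: data}}."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := _REG_VALUE_RE.match(line)):
            name, data = (m.group(i).replace('\\"', '"').replace("\\\\", "\\") for i in (1, 2))
            current[name] = data
    return keys

def find_netsky_q_persistence(reg_text):
    """Run-key entries matching the worm, by its value name or by the binary it points at."""
    hits = []
    for name, data in parse_reg_export(reg_text).get(RUN_KEY, {}).items():
        if name == NETSKY_Q_VALUE_NAME or data.lower().rstrip('" ').endswith(NETSKY_Q_BINARY):
            hits.append((name, data))
    return hits

def is_suspicious_name(filename):
    # True for the padded double-extension names used for EXE attachments and ZIP members.
    return DOUBLE_EXT_RE.search(filename) is not None

def suspicious_zip_members(zip_bytes):
    """Member names inside a ZIP attachment that match that pattern ([] if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if is_suspicious_name(n)]
    except zipfile.BadZipFile:
        return []

# Constructed samples, not real captures: a Run-key export from an infected host, and a
# ZIP whose member carries the padded name (the member content is a stub, not the worm).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Norton Antivirus AV"="C:\\WINDOWS\\FVProtect.exe"
'''
def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt" + " " * 30 + ".exe", b"stub, not the worm")
    return buf.getvalue()
```

The benign "SecurityHealth" entry in the sample is not reported, so the check can run over a full Run-key export without noise.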
