Threat Encyclopedia


Win32/Netsky.Y

Aliases:

W32/Netsky.y@MM (McAfee), WORM_NETSKY.Y (Trend Micro), W32/Netsky-X (Sophos), I-Worm.NetSky.z (Kaspersky)

Type: Mass-mailing e-mail worm
Affects: 32-bit Windows


Summary

Netsky.Y is an 18944-byte mass-mailing e-mail worm. The executable is runtime-packed with PE-Pack Version 1.0, a very old PE executable runtime packer from Germany.

Installation and Autostart Techniques

Upon execution, the worm copies itself to the Windows folder as "FirewallSvr.exe"; this filename is stored encrypted inside the worm. A 25962-byte file with a vulgar name ending in "_bagle.txt" is also created in the Windows folder. It is a MIME-encoded copy of the worm and is the attachment of the e-mails the worm sends out.

Netsky.Y creates a mutex "____--->>>>U<<<<--____" to avoid running multiple instances of itself on one machine.

The following key is added to the registry to ensure automatic startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"FirewallSvr" = "%WINDOWS%\FirewallSvr.exe"

The registry key string is stored encrypted within the worm, using the same algorithm as for the URL strings, the filename and the file extension strings.

The worm contains several encrypted strings; the encrypted form and the decoded host name are:

ooo.nqcuk.uf ---> www.educa.ch
ooo.anqbmvw.cvh.nqc ---> www.medinfo.ufl.edu
ooo.mbebz.qn ---> www.nibis.de
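The three pairs above are consistent with a single per-letter substitution: every cipher letter maps to the same plain letter in all three strings (o to w, n to e, q to d, and so on). The following Python snippet is an added example, not part of this write-up, that derives the partial table from exactly those pairs, checks it for contradictions, and applies it to other strings. It only shows that the listed pairs fit a substitution; it makes no claim about what the worm's actual routine is.

```python
"""Consistency check of the encrypted-string pairs listed in this write-up.

Added example, not from the original write-up. The three ciphertext/plaintext
pairs are the ones printed above; treating them as a per-letter substitution
is an observation about those pairs, not a statement about the worm's routine.
"""
from typing import Dict, List, Tuple

# The three pairs from the write-up (cipher text, decoded host name).
KNOWN_PAIRS: List[Tuple[str, str]] = [
    ("ooo.nqcuk.uf", "www.educa.ch"),
    ("ooo.anqbmvw.cvh.nqc", "www.medinfo.ufl.edu"),
    ("ooo.mbebz.qn", "www.nibis.de"),
]


def derive_substitution(pairs) -> Dict[str, str]:
    """Build a cipher-letter -> plain-letter table from known pairs.

    Raises ValueError if a cipher letter would need two different plain
    letters, i.e. if the pairs cannot be explained by one substitution.
    """
    table: Dict[str, str] = {}
    for cipher, plain in pairs:
        if len(cipher) != len(plain):
            raise ValueError(f"length mismatch: {cipher!r} vs {plain!r}")
        for c, p in zip(cipher, plain):
            # setdefault returns the existing mapping if c was seen before.
            if table.setdefault(c, p) != p:
                raise ValueError(f"{c!r} maps to both {table[c]!r} and {p!r}")
    return table


def is_single_substitution(pairs) -> bool:
    """True if all pairs fit one consistent per-letter substitution."""
    try:
        derive_substitution(pairs)
        return True
    except ValueError:
        return False


def decode(cipher: str, table: Dict[str, str]) -> str:
    """Apply the table; letters not covered by the known pairs become '?'."""
    return "".join(table.get(c, "?") for c in cipher)


# Partial table recovered from the three pairs (15 letters plus the dot).
SUBST = derive_substitution(KNOWN_PAIRS)

if __name__ == "__main__":
    for c in sorted(SUBST):
        print(f"{c} -> {SUBST[c]}")
    for cipher, plain in KNOWN_PAIRS:
        print(decode(cipher, SUBST), "==", plain)
```

Letters that never occur in the three host names stay unknown, so decoding any other string from the worm with this table shows a '?' wherever the known pairs give no evidence.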

If the system date is between 28 April and 30 April 2004, the worm tries to perform a Denial of Service (DoS) attack against the web servers listed above, using three threads that send data to port 80 of each target.

The worm opens TCP port 82 and listens for incoming executable files, which are executed directly after they have been received. This lets the worm update itself and install further malicious files on the compromised system.

Netsky.Y scans all hard drives and harvests e-mail addresses from files with any of the following extensions:

*.eml, *.txt, *.php, *.asp, *.wab, *.doc, *.sht, *.oft, *.msg, *.vbs, *.rtf, *.uin, *.shtm,
*.cgi, *.dhtm, *.adb, *.tbb, *.dbx, *.pl, *.htm, *.html, *.jsp, *.wsh, *.xml, *.cfg,
*.mbx, *.mdx, *.mht, *.mmf, *.nch, *.ods, *.stm, *.xls, *.ppt

The file extensions are stored encrypted inside the worm, as described above. The worm only scans fixed disks: it enumerates the drives and checks each drive type via the GetDriveTypeA API. This skips CD-ROM and removable drives such as floppy disks, which might spin up or prompt for a valid medium.
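The installation details above (the Run value "FirewallSvr", the dropped FirewallSvr.exe and "_bagle.txt" file in the Windows folder, the TCP port 82 listener and the mutex name) are the host-side indicators a responder would check for. The following Python snippet is an added example, not part of this write-up: it parses a constructed .reg export of the Run key, constructed "netstat -ano"-style output, a constructed listing of the Windows folder and a constructed list of named mutex objects, and reports which of the write-up's indicators are present. Only the indicator values come from the write-up; the sample inputs, function names and output format are assumptions made for the example.

```python
"""Host triage for the Netsky.Y indicators listed above.

Added example, not part of the original write-up. The inputs are
constructed stand-ins for a .reg export of the Run key, 'netstat -ano'
style output, a listing of the Windows folder and a list of named mutex
objects; only the indicator values themselves come from the write-up.
"""
import re
from typing import Dict, Iterable, List, Set

# Indicators from the write-up.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "FirewallSvr"
DROPPED_EXE = "firewallsvr.exe"
BACKDOOR_PORT = 82
MUTEX_NAME = "____--->>>>U<<<<--____"
MIME_SUFFIX = "_bagle.txt"

# Matches a string value line of a .reg export: "name"="data"
_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def run_values(reg_export: str) -> Dict[str, str]:
    """Map value name -> data for string values under the HKLM Run key of a .reg export."""
    values: Dict[str, str] = {}
    in_run_key = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = _REG_VALUE.match(line)
        if in_run_key and m:
            # .reg exports double every backslash inside string data.
            values[m.group("name")] = m.group("value").replace("\\\\", "\\")
    return values


def listening_tcp_ports(netstat_output: str) -> Set[int]:
    """Local ports in LISTENING state from 'netstat -ano'-style text."""
    ports: Set[int] = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def triage(reg_export: str, netstat_output: str,
           windows_files: Iterable[str], mutexes: Iterable[str]) -> List[str]:
    """Return one finding per Netsky.Y indicator present in the supplied artifacts."""
    findings: List[str] = []
    data = run_values(reg_export).get(RUN_VALUE_NAME, "")
    if data.lower().endswith(DROPPED_EXE):
        findings.append(f"Run value {RUN_VALUE_NAME!r} points at {data}")
    names = [f.lower() for f in windows_files]
    if DROPPED_EXE in names:
        findings.append(f"{DROPPED_EXE} present in the Windows folder")
    if any(n.endswith(MIME_SUFFIX) for n in names):
        findings.append(f"MIME-encoded copy ending in {MIME_SUFFIX} present")
    if BACKDOOR_PORT in listening_tcp_ports(netstat_output):
        findings.append(f"TCP port {BACKDOOR_PORT} is listening (worm update channel)")
    # Mutex names are compared on the last path component only.
    if any(m.rsplit("\\", 1)[-1] == MUTEX_NAME for m in mutexes):
        findings.append(f"mutex {MUTEX_NAME!r} exists")
    return findings


# Constructed samples (not data from a real host).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"FirewallSvr"="C:\\WINDOWS\\FirewallSvr.exe"
'''

SAMPLE_NETSTAT = '''
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:82             0.0.0.0:0              LISTENING       1640
  TCP    192.0.2.10:1043        198.51.100.7:25        ESTABLISHED     1640
  UDP    0.0.0.0:500            *:*                                    712
'''

SAMPLE_WINDOWS_FILES = ["explorer.exe", "FirewallSvr.exe", "xxxx_bagle.txt", "win.ini"]
SAMPLE_MUTEXES = [r"\BaseNamedObjects\ShimCacheMutex",
                  r"\BaseNamedObjects\____--->>>>U<<<<--____"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_EXPORT, SAMPLE_NETSTAT, SAMPLE_WINDOWS_FILES, SAMPLE_MUTEXES):
        print("[!]", finding)
```

On a real host the four inputs would come from a registry export of the Run key, the netstat listing, a directory listing of %WINDOWS% and a handle enumeration tool; the matching logic stays the same.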

DNS Resolving

The worm attempts to use the default DNS server to retrieve the IP addresses of the mail servers. If this fails, DNS queries are sent to servers with the following IP addresses:

212.185.252.73
212.185.253.70
212.185.252.136
194.25.2.129
194.25.2.130
195.20.224.234
217.5.97.137
194.25.2.129
193.193.144.12
212.7.128.162
212.7.128.165
193.193.158.10
194.25.2.131
194.25.2.132
194.25.2.133
194.25.2.134
193.141.40.42
145.253.2.171
193.189.244.205
213.191.74.19
151.189.13.35
195.185.185.195
212.44.160.8

If the e-mail address has the form whatever@domain.de, the worm first attempts to retrieve the IP address of the server domain.de before it uses one of the static DNS servers listed above.

E-mail Subjects, Message Bodies and Attachments

Subject: Delivery failure notice (ID-{random generated number})
Message: --- Mail Part Delivered ---
220 Welcome to
Mail type: multipart/related
--- text/html RFC 2504
MX [Mail Exchanger] mx.mt2.kl.{random data}
Exim Status OK.
{randomly generated text - New, Partial, External or Delivered} message is available.
Attachment: www.{random domain name}.{random username}.session-{random number}.com

The worm propagates with spoofed sender addresses and uses its own SMTP engine. Copies are also sent to hukanmikloiuo@yahoo.com. The attachment carries the extension ".com" so that the recipient takes it for a URL rather than an executable file, which runs if opened.
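The mail template above is fixed apart from its random fields, so a mail gateway or mailbox scan can recognise it from the subject, the body fragments and the attachment name pattern. The following Python snippet is an added example, not part of this write-up: it parses two constructed messages with the standard library's email parser and reports which template features match. The subject pattern, body markers and attachment-name pattern are taken from the write-up; the sample messages, the MZ-header check (a ".com" attachment whose content starts with the PE/DOS "MZ" signature is a Windows executable, not a URL) and the function names are assumptions made for the example.

```python
"""Detection of the Netsky.Y mail template described in this write-up.

Added example, not part of the original write-up. The two sample messages
are constructed; the subject, body fragments and attachment-name pattern
they are checked against come from the write-up.
"""
import base64
import re
from email import message_from_string
from email.message import Message
from typing import List

# Subject: Delivery failure notice (ID-{random generated number})
SUBJECT_RE = re.compile(r"^Delivery failure notice \(ID-\d+\)$")

# Fixed fragments of the message body from the write-up.
BODY_MARKERS = (
    "--- Mail Part Delivered ---",
    "MX [Mail Exchanger] mx.mt2.kl.",
    "Exim Status OK.",
    "message is available.",
)

# Attachment: www.{random domain name}.{random username}.session-{random number}.com
ATTACHMENT_RE = re.compile(r"^www\..+\.session-\d+\.com$", re.IGNORECASE)


def _body_text(msg: Message) -> str:
    """Concatenate the decoded text parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and part.get_filename() is None:
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "latin-1", "replace"))
    return "\n".join(chunks)


def netsky_y_indicators(raw_message: str) -> List[str]:
    """Return the template features of the write-up that a raw RFC 822 message matches."""
    msg = message_from_string(raw_message)
    hits: List[str] = []
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        hits.append("subject matches the Netsky.Y template")
    found = [m for m in BODY_MARKERS if m in _body_text(msg)]
    if len(found) >= 2:
        hits.append(f"body contains {len(found)} template markers")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if ATTACHMENT_RE.match(name):
            hits.append(f"attachment name {name!r} matches www.<domain>.<user>.session-<n>.com")
        data = part.get_payload(decode=True) or b""
        # Assumption for this example: a ".com" attachment starting with the
        # MZ signature is a Windows executable dressed up as a URL.
        if name.lower().endswith(".com") and data[:2] == b"MZ":
            hits.append(f"attachment {name!r} is a PE executable with a .com extension")
    return hits


# Constructed stand-in for the attachment content (not the worm itself).
_FAKE_PE = base64.b64encode(b"MZ" + b"\x00" * 30).decode()

# Constructed message following the template in the write-up.
SAMPLE_WORM_MAIL = f"""From: postmaster@example.invalid
To: user@example.invalid
Subject: Delivery failure notice (ID-48213)
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset=us-ascii

--- Mail Part Delivered ---<br>
220 Welcome to<br>
Mail type: multipart/related<br>
--- text/html RFC 2504<br>
MX [Mail Exchanger] mx.mt2.kl.a7f2c<br>
Exim Status OK.<br>
New message is available.<br>
--b1
Content-Type: application/octet-stream; name="www.example.alice.session-8817.com"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="www.example.alice.session-8817.com"

{_FAKE_PE}
--b1--
"""

# Constructed ordinary bounce that must not match.
SAMPLE_BENIGN_BOUNCE = """From: MAILER-DAEMON@example.invalid
To: user@example.invalid
Subject: Undelivered Mail Returned to Sender
Content-Type: text/plain

This is the mail system at host mx.example.invalid.
I'm sorry to have to inform you that your message could not be delivered.
"""

if __name__ == "__main__":
    print(netsky_y_indicators(SAMPLE_WORM_MAIL))
    print(netsky_y_indicators(SAMPLE_BENIGN_BOUNCE))
```

Requiring at least two body markers keeps a single coincidental phrase such as "Exim Status OK." from flagging a legitimate bounce; the attachment-name and MZ checks are the strongest signals because genuine delivery notices do not carry a ".com" file.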

History: Analysis and Write-up by: Michael St. Neitzel