Netsky.p: Prevention and cure
Takeaway: Here's how to control the latest variant of the Netsky worm
By Robert Vamosi(March 22, 2004)
The latest variant of the Netsky Internet worm executes automatically, without the user having to open the attached file. Netsky.p (Symantec name W32.Netsky.P@mm) takes advantage of the Incorrect MIME Header vulnerability in Internet Explorer, the component that renders HTML e-mail for Microsoft Outlook. A patch for this IE flaw has been available from Microsoft since 2001. Netsky.p also spreads by copying itself into shared folders on the network and in peer-to-peer file-sharing programs. The worm deletes several Registry keys from infected computers. Netsky.p does not affect users of Linux, the Mac OS, or Unix. Because Netsky.p spreads via e-mail and could damage system files, this worm rates a 6 on the CNET/ZDNet Virus Meter.
How it works
Netsky.p arrives via e-mail with a spoofed sender address. The subject is one of the following:
Stolen document
Re:Hello
Mail Delivery
Private document
Re:Notify
Re:document
Re:Extended Mail System
Re:Proctected Mail System
Re:Question
Private document
Postcard
The body text is one of the following:
I found this document about you.
I have attached it to this mail.
Waiting for authentification.
Please confirm!
Protected message is available
Do not visit this illegal websites!
Here is my phone number.
I cannot believe that.
Your file is attached.
For further details see that attachment.
Congratulations!, your best friend.
Greetings from france, your friend.
If the message will not displayed automatically, follow the link to read the delivered message.
Received message is available at: (a bogus URL)
The attached file is a zip archive. Netsky.p also searches local drives for folders whose names contain any of the following strings (most of them belong to peer-to-peer file-sharing programs) and copies itself into them:
shared files
kazaa
mule
donkey
morpheus
lime
bear
icq
shar
upload
http
htdocs
ftp
download
my shared folder
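The message characteristics above (fixed subject lines, fixed body phrases, a zip attachment, and the MS01-020 auto-execution trick) can be turned into a mail-gateway triage check. The following is an added example written for this page, not code from the article or from any antivirus vendor. The sample messages are constructed, and the last check, an executable attachment declared with a harmless media Content-Type such as audio/x-wav, is the general pattern MS01-020 enables rather than a detail the article gives for Netsky.p specifically.

```python
"""Triage raw RFC 822 messages for the Netsky.p indicators listed above.

Added example for this page, not code from the article or any vendor.
The subject and body strings are the article's lists; the MS01-020 check
is the general pattern that vulnerability enables (an executable attachment
declared with a harmless media Content-Type), which is an assumption here.
"""
import email
from email import policy

SUBJECTS = {
    "Stolen document", "Re:Hello", "Mail Delivery", "Private document",
    "Re:Notify", "Re:document", "Re:Extended Mail System",
    "Re:Proctected Mail System", "Re:Question", "Postcard",
}
BODY_PHRASES = (
    "I found this document about you.", "I have attached it to this mail.",
    "Waiting for authentification.", "Please confirm!",
    "Protected message is available", "Do not visit this illegal websites!",
    "Here is my phone number.", "I cannot believe that.",
    "Your file is attached.", "For further details see that attachment.",
    "Congratulations!, your best friend.", "Greetings from france, your friend.",
    "If the message will not displayed automatically",
    "Received message is available at:",
)
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
MEDIA_TYPES = ("audio/", "image/", "video/")


def triage(raw: bytes) -> dict:
    """Return which indicators a raw message matches plus a hit count."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    hits = {"subject": subject in SUBJECTS, "body": False,
            "zip_attachment": False, "mime_exploit": False}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html") and not filename:
            if any(p in part.get_content() for p in BODY_PHRASES):
                hits["body"] = True
        if filename.endswith(".zip"):
            hits["zip_attachment"] = True
        # MS01-020 pattern: executable content labelled as a media type, which
        # unpatched IE 5.01/5.5 renders (and so runs) without prompting.
        if filename.endswith(EXECUTABLE_EXT) and ctype.startswith(MEDIA_TYPES):
            hits["mime_exploit"] = True
    hits["score"] = sum(1 for v in hits.values() if v is True)
    return hits


# Constructed sample messages (not real captures).
NETSKY_SAMPLE = b"""From: friend@example.com
To: you@example.com
Subject: Re:Notify
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Waiting for authentification.
Please confirm!

--b1
Content-Type: application/zip; name="document.zip"
Content-Disposition: attachment; filename="document.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

EXPLOIT_SAMPLE = b"""From: friend@example.com
To: you@example.com
Subject: Private document
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/html

<html><body>Protected message is available</body></html>
--b2
Content-Type: audio/x-wav; name="document.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b2--
"""

CLEAN_SAMPLE = b"""From: colleague@example.com
To: you@example.com
Subject: Lunch on Friday?
Content-Type: text/plain

Are you free at noon?
"""

if __name__ == "__main__":
    for label, raw in (("netsky", NETSKY_SAMPLE), ("exploit", EXPLOIT_SAMPLE),
                       ("clean", CLEAN_SAMPLE)):
        print(label, triage(raw))
```

A gateway filter would quarantine on a score of 2 or more rather than on any single indicator; the subject and body strings alone are easy for a worm author to vary, while an executable attachment carrying a media Content-Type is never legitimate and can be blocked outright.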
According to McAfee, once executed, Netsky.p copies itself to the Windows folder as FVProtect.exe and adds the following files there:
userconfig9x.dll (26,624 bytes)
base64.tmp (UUEncoded worm)
zip1.tmp (a worm zip archive)
zip2.tmp (a worm zip archive)
zip3.tmp (a worm zip archive)
zipped.tmp (a worm zip archive)
The worm sends copies of itself to e-mail addresses found on the infected PC. So that it runs at every start-up, Netsky.p also creates the following Registry value, named to look like an antivirus product:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Norton Antivirus AV" = [Windows folder]\FVProtect.exe
Netsky.p deletes the following Registry keys if present:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
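The host-side artifacts above (the files dropped in the Windows folder, the "Norton Antivirus AV" Run value) and the share-folder name list from the earlier section give an incident responder a concrete checklist. The following is an added example written for this page, not code from the article or from McAfee. It reads the Run key from a decoded .reg export rather than the live registry so that it can be run against a copied Windows folder and an exported hive; the fixture it builds is constructed, not a real infection, and the fallback of matching any Run entry that points at FVProtect.exe is an assumption added for robustness.

```python
"""Look for Netsky.p artifacts on a host or in a copied image.

Added example for this page, not code from the article or from McAfee.
It checks three things the article describes: the files the worm drops in
the Windows folder, the "Norton Antivirus AV" Run value, and folders whose
names match the share-folder strings the worm copies itself into. The
registry is read from a decoded .reg export so the check works offline;
the fixture below is constructed, not a real infection.
"""
import os
import re
import tempfile
from pathlib import Path

DROPPED = {"fvprotect.exe", "userconfig9x.dll", "base64.tmp",
           "zip1.tmp", "zip2.tmp", "zip3.tmp", "zipped.tmp"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Norton Antivirus AV"
SHARE_WORDS = ("shared files", "kazaa", "mule", "donkey", "morpheus", "lime",
               "bear", "icq", "shar", "upload", "http", "htdocs", "ftp",
               "download", "my shared folder")


def find_dropped_files(windows_dir):
    """Names of Netsky.p drop files present in the Windows folder."""
    return sorted((n for n in os.listdir(windows_dir) if n.lower() in DROPPED),
                  key=str.lower)


def find_run_value(reg_text):
    """Return (name, path) of the worm's Run value from a .reg export, or None.

    Matches either the value name the article gives or (assumption) any Run
    entry that points at FVProtect.exe, in case the name differs.
    """
    section = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:
            section = key.group(1)
            continue
        if section is None or section.lower() != RUN_KEY.lower():
            continue
        entry = re.fullmatch(r'"([^"]+)"="(.*)"', line)
        if entry and (entry.group(1) == RUN_VALUE
                      or "fvprotect.exe" in entry.group(2).lower()):
            # .reg exports double every backslash; undo that for display.
            return entry.group(1), entry.group(2).replace("\\\\", "\\")
    return None


def find_share_folders(root):
    """Folders under root whose names contain one of the worm's target strings."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if any(w in d.lower() for w in SHARE_WORDS):
                hits.append(os.path.join(dirpath, d))
    return sorted(hits)


# Constructed .reg export text (already decoded from UTF-16), not a real hive.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
"Norton Antivirus AV"="C:\\WINDOWS\\FVProtect.exe"
'''


def build_fixture(base):
    """Constructed fixture: a fake Windows folder and a fake P2P share tree."""
    win = Path(base, "WINDOWS")
    win.mkdir()
    for name in ("FVProtect.exe", "zip1.tmp", "base64.tmp", "notepad.exe"):
        (win / name).write_bytes(b"placeholder, not a real binary")
    profile = Path(base, "Documents and Settings", "user")
    (profile / "My Shared Folder").mkdir(parents=True)
    (profile / "My Pictures").mkdir()
    return str(win)


def demo():
    """Run all three checks against the fixture and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        win = build_fixture(base)
        return {
            "dropped": find_dropped_files(win),
            "run": find_run_value(REG_SAMPLE),
            "shares": [os.path.relpath(p, base) for p in find_share_folders(base)],
        }


if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name}: {finding}")
```

On a live machine, point `find_dropped_files` at `%WINDIR%`, export the Run key with `reg export` (the output is UTF-16 with a BOM, so decode it before passing it in), and walk the user profiles with `find_share_folders`; any zip or executable found inside a matching share folder deserves the same scrutiny as the mail attachment, since that is where the worm leaves copies for other users to pick up.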
Netsky.p uses a 2001 Internet Explorer vulnerability, MS01-020, to execute automatically; however, automatic execution affects only users still running unpatched versions of Internet Explorer 5.01 or 5.5.
Prevention
Users of Internet Explorer 5.01 or 5.5 who have not yet applied the MS01-020 patch should do so now. Patching removes the automatic execution, not the worm: on a patched system Netsky.p still runs if the recipient opens the attached zip file and launches the file inside it, so unexpected attachments carrying the subjects listed above should be deleted unopened.
Removal
Several antivirus companies have updated their signature files to detect this worm. Up-to-date signatures block the infection on contact and, in some cases, remove an active infection from your system. For more information, see the advisories from Computer Associates, F-Secure, McAfee, Sophos, Symantec, and Trend Micro.