What is the Netsky.C worm?

Netsky.C is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives. This worm also searches drives C through Y for the folder names containing "Shar" and then copies itself to those folders.

The Subject, Body, and email attachment vary.

Also known as: W32/Netsky.c@MM, Win32.Netsky.C, W32/Netsky-C, WORM_NETSKY.C, I-Worm.Moodown.c

How Does the Netsky.C Worm Infect My Computer?

When Netsky.C runs, it does the following:

1. Creates a mutex named "[SkyNet.cz]SystemsMutex." This mutex allows only one instance of the worm to execute.
   
2. Copies itself as %Windir%\Winlogon.exe.
   
3. Adds the value:
   
   "ICQ Net" = "%Windir%\winlogon.exe -stealth"
   
   to the registry key:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   so that the worm runs when you start Windows.
   
4. Deletes the values:
   
   • Taskmon
   • Explorer
   • Windows Services Host
   • KasperskyAV
     
     from the registry keys:
     
   • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     
5. Deletes the values:
   
   • System.
   • msgsvr32
   • DELETE ME
   • service
   • Sentry
     
     from the registry key:
     
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     
6. Deletes the values:
   
   • d3dupdate.exe
   • au.exe
   • OLE
     
     from the registry key:
     
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     
7. Deletes the value:
   
   System.
   
   from the registry key:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
   RunServices
   
8. Deletes the registry keys:
   
   • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\
     InProcServer32
   • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
     Explorer\PINF
   • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch
     
9. Retrieves email addresses from the files on the computer whose suffix contains one of the following extensions:
   
   • .eml
   • .txt
   • .php
   • .pl
   • .htm
   • .html
   • .vbs
   • .rtf
   • .uin
   • .asp
   • .wab
   • .doc
   • .adb
   • .tbb
   • .dbx
   • .sht
   • .oft
   • .msg
   • .shtm
   • .cgi
   • .dhtm
     
10. Uses its own SMTP engine to send itself to the email addresses it found above, sending to each address once. The worm uses the local DNS server (retrieved via an API), if available, to perform an MX lookup for the recipient address. If the local DNS fails, it will perform the lookup from the following list of hard-coded servers:
    
    • 145.253.2.171
    • 151.189.13.35
    • 193.141.40.42
    • 193.189.244.205
    • 193.193.144.12
    • 193.193.158.10
    • 194.25.2.129
    • 194.25.2.130
    • 194.25.2.131
    • 194.25.2.132
    • 194.25.2.133
    • 194.25.2.134
    • 195.185.185.195
    • 195.20.224.234
    • 212.185.252.136
    • 212.185.252.73
    • 212.185.253.70
    • 212.44.160.8
    • 212.7.128.162
    • 212.7.128.165
    • 213.191.74.19
    • 217.5.97.137
    • 62.155.255.16
      
11. Searches drives C through Y for the folder names containing the words "Shar." If the drive is not a CD-ROM, then the worm will copy itself to the matching folders, and all the subfolders below it, as the following:
    
    • Microsoft WinXP Crack.exe
    • Teen Porn 16.jpg.pif
    • Adobe Premiere 9.exe
    • Adobe Photoshop 9 full.exe
    • Best Matrix Screensaver.scr
    • Porno Screensaver.scr
    • Dark Angels.pif
    • XXX hardcore pic.jpg.exe
    • Microsoft Office 2003 Crack.exe
    • Serials.txt.exe
    • Screensaver.scr
    • Full album.mp3.pif
    • Ahead Nero 7.exe
    • Virii Sourcecode.scr
    • E-Book Archive.rtf.exe
    • Doom 3 Beta.exe
    • How to hack.doc.exe
    • ......
      
12. The email has the following characteristics:
    
              From: (Spoofed)
    
              Subject: (67% of the time, it will be taken from the following list. The rest of the time, the Subject may be taken from the list of the Message bodies below. The Subject can also be a blank line.)
    • Delivery Failed
    • Status
    • report
    • ......
      
      Message: (One of the following, but could be blank)
    • <Deliver Error>
    • <Message Error>
    • <Server Error>
    • ......
      
      Attachment:
      W32.Netsky.C@mm will create a .zip file as the attachment for 51.5% of the time, randomly selecting one of the Attachment Names below. The archive contains an executable copy of the worm, which also randomly selects the Attachment Names below. There is a 25% chance that the attachment name will be constructed as follows: attachment_attachment (e.g. document_msg).
      
      For the remaining time, the worm uses a copy of itself as the attachment, and randomly selects one of the Attachment Names below.
      
      Attachment Name: (One of the following)
    • document
    • associal
    • msg
    • ......
      
      Extensions:
      If the attachment is an executable file, the worm will create a double extension for 46.2% of the time. If the attachment is a .zip file, then the executable within the .zip will have a double extension for 67% of the time. The first variable extension in these cases will be one of the following:
      
    • .txt
    • .rtf
    • .doc
    • .htm
      
      All the executables will end with one of the following extensions:
      
    • .exe
    • .scr
    • .com
    • .pif
      
13. The worm avoids sending to email addresses which contain any of the following strings:
    
    • icrosoft
    • antivi
    • ymantec
    • spam
    • avp
    • f-secur
    • itdefender
    • orman
    • cafee
    • aspersky
    • f-pro
    • orton
    • fbi
    • abuse
      
14. Creates .zip files in the %Windir% folder, which contain copies of the worm. The names of these files match the above Attachment Names.
    
15. If the local system time is between 6:00 AM and 9:00 AM on February 26, 2004, the computer speaker will continuously beep.

How to Remove the Netsky.C Worm?

Kaspersky Internet Security Can Prevent You From Virus and Intrusion. If Kaspersky detects Netsky.C during the scan, it will AUTOMATICALLY offer you the option of deleting it. Do this by following the program's instructions.

Follow these steps in removing the Netsky.C worm.

1. Disabling System Restore (Windows Me/XP)

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: "How to disable or enable Windows Me/XP System Restore".

2. Updating the Virus Definitions

If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.

3. Identifying the Virus Program

1. Scan your system with your Kaspersky antivirus products.
2. NOTE all files detected as NETSKY.C.

4. Terminating the Running Program

1. Open Windows Task Manager.
   On Windows 95/98/ME systems, press
   CTRL+ALT+DELETE
   On Windows NT/2000/XP systems, press
   CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the malware file or files detected earlier.
3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager.

5. Removing Autostart Entries from the Registry

1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>
   Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry:
   ICQ Net = "%Windows%\winlogon.exe -stealth"

6. Restoring Deleted Registry Key

1. In the left panel of Registry Editor, double-click to the following subkey: HKEY_CLASSES_ROOT>CLSID>{E6FB5E20-DE35-11CF-9C87-
   00AA005127ED}
2. Right-click the subkey, select New, and then click Key.
3. Type InProcServer32 to name the new key.
4. In the right panel, right-click (Default) and click Modify.
5. Under Value Data, type the following string:
   %SystemRoot%\System32\webcheck.dll
6. Click OK.
7. Close Registry Editor.

1. Start your Kaspersky Internet Security and make sure that it is configured to scan all the files.
2. Run a full system scan.
3. If any files are detected as infected with Netsky.C, click Delete.

How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file and delete it, making sure that you also delete it from the Deleted Items folder.
2. Install a good antivirus in your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
4. Keep your permanent antivirus protection enabled at all times.

Do you think this website is useful? Help us to keep the site growing.

Detect and Removal Instruction for Other Variants: