What
is the Netsky.Q worm?
- Is a mass-mailing worm that consists of two
components: a dropper and a mass-mailing
component.
- Uses its own SMTP engine to send itself to
the email addresses it finds when scanning the
disk drives.
- Uses the Incorrect
MIME Header Can Cause IE to Execute E-mail
Attachment vulnerability to cause
unpatched systems to auto execute the worm
when reading or previewing an infected
message.
The From line of the email is spoofed, and its
Subject line and message body vary. The
attachment name also varies and has a .exe, .pif,
.scr, or .zip file extension.
Also
known as: WORM_Netsky.Q, W32/Netsky.Q@MM, W32/Netsky.Q.worm, Win32.Netsky.Q
How
Does the Netsky.Q Worm Infect My Computer?
When Netsky.Q runs, it does the following:
- Copies itself as %Windir%\SysMonXP.exe
(28,008 bytes).
- Drops the file, %Windir%\Firewalllogger.txt
(23,040 bytes).
- If the dropper's file name is %Windir%\SysMonXP.exe,
the worm will launch notepad.exe to open a
file, temp.eml.
- Loads the .dll file, Firewalllogger.txt, and
then executes it.
- Creates a mutex named "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
which allows only one instance of the worm to
execute.
- Adds the value:
"SysMonXP"="%Windir%\SysMonXP.exe"
to the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the dropper component of the worm runs
when you start Windows.
- The worm may drop the following temporary
files for its internal purposes:
- %Windir%\base64.tmp (38,382 bytes)
- %Windir%\zippedbase64.tmp: A .zip file
that contains the worm (28,330 bytes).
- %Windir%\zipo0.txt: A .zip file that
contains the worm (38,834 bytes).
- %Windir%\zipo1.txt: A .zip file that
contains the worm (38,822 bytes).
- %Windir%\zipo2.txt: A .zip file that
contains the worm (38,826 bytes).
- %Windir%\zipo3.txt: A .zip file that
contains the worm. (38,826 bytes).
- Deletes the values:
- Explorer
- system.
- msgsvr32
- au.exe
- winupd.exe
- direct.exe
- jijbl
- Video
- service
- DELETE ME
- d3dupdate.exe
- OLE
- Sentry
- gouday.exe
- rate.exe
- Taskmon
- Windows Services Host
- sysmon.exe
- srate.exe
- ssate.exe
- Microsoft IE Execute shell
- Winsock2 driver
- ICM version
- yeahdude.exe
- Microsoft System Checkup
from the registry keys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\Run
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion
\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\RunServices
in an attempt to uninstall other worms
that may be on an infected computer.
- Deletes the following subkeys:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion
\Explorer\PINF
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch
- HKEY_CLASSES_ROOT\CLSID\CLSID
\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
- Launches a separate thread that enumerates
all the disk drives and retrieves email
addresses from the files with the following
extensions:
- .a
- .ad
- .adb
- .as
- .asp
- .c
- .cf
- .cfg
- .cg
- .cgi
- .d
- .db
- .dbx
- .dh
- .dht
- .dhtm
- .do
- .doc
- ......
The worm avoids sending to the email
addresses that contain any of the
following strings:
- @antivi
- @avp
- @bitdefender
- @fbi
- @f-pro
- @freeav
- @f-secur
- @kaspersky
- @mcafee
- @messagel
- @microsof
- @norman
- @norton
- @pandasof
- @skynet
- @sophos
- @spam
- @symantec
- @viruslis
- abuse@
- noreply@
- ntivir
- reports@
- spam@
- Uses its own SMTP client engine to send
itself to the email addresses it finds.
- Checks the system time and date. When the
time is 5:11AM on March 30, 2004, it starts
beeping.
- If the system date is April 8th, 2004
through April 11th, 2004 it will attempt to
perform a Denial of Service (DoS) attack
against the following sites:
- www.edonkey2000.com
- www.kazaa.com
- www.emule-project.net
- www.cracks.am
- www.cracks.st
- The DOS attack happens as follows:
- The worm creates 80 threads and each
thread randomly selects one of the above
five sites (in step 13) by name.
- Each thread attempts to make a
connection to the selected site.
- If the connection fails, the thread
retries every 45 minutes to connect, until
successful.
- If successful, it will send an empty GET
request (no check for ACK).
The request is:
GET / HTTP/1.1\r\nHost: <sitename>[two
blank lines]
For example:
GET / HTTP/1.1\r\nHost: www.cracks.st
- The thread closes the connection, waits
for 250 milliseconds and performs step b
again.
How to Remove the Netsky.Q Worm?
Kaspersky Internet Security Can Prevent You From Virus and Intrusion.
If Kaspersky detects Netsky.Q during the
scan, it will AUTOMATICALLY offer you the option
of deleting it. Do this by following the
program's instructions.
Follow these steps in removing the Netsky.Q worm.
1. Disabling System Restore (Windows Me/XP)
For instructions on how to turn off System
Restore, read your Windows documentation, or one
of the following articles: "How
to disable or enable Windows Me/XP System Restore".
2. Updating the Virus Definitions
If you do not know which anti-virus software
can provide strong protection for you, Kaspersky Internet Security is recommended.
3. Identifying the Virus Program
- Scan your system with your Kaspersky antivirus products.
- NOTE all files detected as Netsky.Q.
4. Terminating the Running Program
- Open Windows Task Manager.
On Windows 95/98/ME systems, press
CTRL+ALT+DELETE
On Windows NT/2000/XP systems, press
CTRL+SHIFT+ESC, then click the Processes tab.
- In the list of running programs*, locate the
malware file or files detected earlier.
- Select one of the detected files, then press
either the End Task or the End Process button,
depending on the version of Windows on your
system.
- Do the same for all detected malware files
in the list of running processes.
- To check if the malware process has been
terminated, close Task Manager, and then open
it again.
- Close Task Manager.
5. Removing Autostart Entries from the
Registry
- Open Registry Editor. To do this,
click Start>Run, type Regedit, then press
Enter.
- In the left panel, double-click the
following:
HKEY_LOCAL_MACHINE>Software>Microsoft>
Windows>CurrentVersion>Run
- In the right panel, locate and delete the
entry or entries:
SysMonXP = "C:\Windows\SysMonXP.exe"
Note: %Windows% is the default Windows
folder, usually C:\Windows or C:\WINNT.
- Close Registry Editor.
6. Run a full system scan and delete all the
files detected as Netsky.Q.
- Start your Kaspersky Internet Security and make sure that it is
configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with Netsky.Q,
click Delete.
How to Disinfect My Computer from Worms?
In order to keep your computer protected, bear
the following tips in mind:
- If you have filtering tools installed,
configure them to reject messages with the
characteristics described above. If, in spite
of doing this, you receive the message that
contains the virus: do not open it, do not run
the attached file and delete it, making sure
that you also delete it from the Deleted
Items folder.
- Install a good antivirus in your computer.
Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic
updates are available, configure your
antivirus to use them.
- Keep your permanent antivirus protection
enabled at all times.
Detect and Removal Instruction for Other
Variants:
|
(If you can not see the issued comment, please enable your browser to support javascript and refresh this page.)