W32/Netsky.C@mm, I-worm.netsky.C@mm

Netsky.C es un gusano de Correo y redes compartidas Peer to Peer, variante de la familia Netsky, reportado el 25 de Febrero del 2004, que se propaga con un archivo de nombre aleatorio de doble extensión, o uno de extensión .ZIP que contiene esos mismos archivos. 

En caso que el sistema esté infectado con los virus Mydoom y Mydoom.B los desactiva borrando los valores de sus llaves de registro.

Emplea la técnica Email spoofing, que disfraza las verdaderas direcciones de los Remitentes, los Asuntos y Contenidos son aleatorios y los archivos Anexados son construidos de unas listas con nombres y dobles extensiones. 

Es un PE (Portable Ejecutable) e infecta Windows 95/98/NT/Me/2000/XP, incluyendo los servidores NT/2000/XP, está desarrollado en Visual C++ con una extensión de 25 KB y comprimido con el utilitario Petite Win32 Executable Compressor:

http://www.un4seen.com/petite

Posee su propio SMTP (Simple Mail Transfer Protocol) y se envía a todas las direcciones de correo del sistema infectado, contenidas en archivos con las siguientes extensiones:

• eml
• txt
• php
• pl
• htm
• html
• vbs
• rtf
• uin
• asp
• wab
• doc
• adb
• tbb
• dbx
• sht
• oft
• msg
• shtm
• cgi
• dhtm

Los mensajes tienen estas características:

Remitente, usa la técnica Spoofing con nombres de Remitentes falsos.

Asunto, uno de los siguientes:

• Delivery Failed
• Status
• report
• question
• trust me
• hey
• Re: excuse me
• read it immediatelly
• hi
• Re: does it?
• Yep
• important
• hello
• dear
• Re: unknown
• fake?
• warning
• moin
• what's up?
• info
• Re: information
• Here is it
• stolen
• private?
• good morning
• illegal...
• error
• take it
• re:
• Re: Re: Re: Re:
• you?
• something for you
• exception
• Re: hey
• excuse me
• Re: hi
• Re: does it?
• Re: important
• Re: hello
• believe me
• Question
• denied!
• notification
• Re: [5664ddff?$??º2]
• lol
• last chance!
• I'm back!
• its me
• notice!

Contenido, uno de los siguientes:

• [Deliver Error]
• [Message Error]
• [Server Error]
• what means that?
• help attached
• [...]
• ok...
• [Attachment from Poland]
• that is interesting...
• i wait for your comment about it.
• such as yours?
• read the details.
• gonna?
• here is the document.
• *lol*
• read it immediately!
• i found that about you!
• your hero in the picture?
• yours?
• here is it.
• illegal st. of you?
• is that true?
• account?
• is that your name?
• picture?
• message?
• is that your account?
• pwd?
• I wait for an answer!
• abuse?
• is that yours?
• you are a bad writer
• I don't know your document!
• [Mail failed]
• I have your password!
• you won the rk!
• something about you!
• classroom test of you?
• kill the writer of this document!
• old photos about you?
• i hope thats not true!
• your name is wrong!
• does it match?
• i found this document about you.
• time to fear?
• really?
• do you know this????
• i know your document!
• did you sent it to me?
• this file is bad!
• why should I?
• pages?
• her.
• another pic, have fun! ... :-]
• test it
• child porn?
• greetings
• xxx ?
• stuff about you?
• your document is not good
• something is going wrong!
• your photo is poor
• information about you?
• the information is wrong!
• doc about me?
• kill him on the picture!
• from the chatter (my photo!)
• from your lover ;-)
• love letter?
• here, the serials
• are you a teacherin the picture?
• here, the introduction
• is that criminal?
• here, the cheats
• i like your doc!
• what do you think about it?
• that's a funny text.
• that's not the truth?
• do you have?
• instruct me about this!
• i lost that
• i am speachless about your document!
• is that the reality?
• reply
• msg
• your design is not good!
• important?
• your TAN number?
• take it easy!
• why?
• you are naked in this document!
• thats wrong!
• your icq number?
• i am desperate
• modifications?
• your personal record?
• yes.
• misc. and so on. see you!
• your attachment? verify it.
• you earn money, see the attachment!
• is that your attachment?
• is that your website?
• you feel the same.
• meaning of that?
• possible?
• you have tried to steal!
• did you ask me for that?
• you are bad
• your job? (I found that!)
• is that possible?
• something is going ...
• something is not ok
• did you know from this document?
• wrong calculation! (see the attachment!...
• never!
• poor quality!
• good work!
• excellent!
• great!
• i don't think so.
• pretty pic about you?
• docs?
• schoolfriend?
• [Warning from the Government]
• [09580985869gj]
• [?}
• i want more...
• here is the next one!
• attachi#
• did you see her already?
• is that your wife?
• is that your creditcard?
• is that your photo?
• do you think so?
• do you have the bug also?
• already?
• forgotten?
• drugs? ...
• does it matter?
• i have received this.
• best?
• the truth?
• your body?
• your eyes?
• your face?
• File is self-decryting.
• File is damaged.
• File is bad.
• i saw you last week!
• xxx service
• your account is expired!
• you cannot hide yourself! (see photo)
• copyright?
• what still?
• who?
• how?
• [bad gateway]
• only encrypted!
• personal message!
• my advice....
• i've found it about you
• [[[Failure]]]
• [Attached Msg]
• [scanned by norton antivirus]
• great xxx!
• man or women?
• child or adult?
• here is yours!
• a crazy doc about you
• xxx about you?
• i don't want your xxx pics!
• [Failed message available]
• [Automailer]
• doc?
• trial?
• what?
• ;-)
• i need you!
• correct it!
• see this!
• it's a secret!
• this is nothing for kids!
• it's so similar as yours!
• is that your car?
• do not give up!
• great job!
• here is the $%%454$
• you are sexy in this doc!
• incest?
• let it!
• you look like an ape!
• you look like an rat?
• be mad?
• are you cranky?
• bob the builder
• did you know that?
• money?
• is that your car?
• is this information about you?
• is that your privacy?
• is that your TAN?
• is that your message?
• is that your cd?
• is that your finger?
• your are naked?
• is that your porn pic?
• is that your work?
• is that your family?
• is that your beast?
• is that your account?
• is that your slip?
• is that your domain?
• are you the naked one?
• are you the naked person!
• are you the one?
• does it belong to you?
• do you have sex in the picture?
• you have a sexy body in the pic!
• your lie is going around the world!
• [Transfer complete]
• [Antispam complete]
• lets talk about it!
• do you know the thief?
• are you a photographer?
• you have done a mistake in the document...
• its private from me
• do not show this anyone!
• new patch is available!
• this is an attachment message!
• in your mind?
• Microsoft
• fast food...
• Your bill.
• try this patch!
• do you have an orgasm in the picture?
• [Click the attachment to decrypt]
• [Attachment Signature 34933920]
• Transaction failed. Show the doc!
• I 've found your bill!
• see your name!
• You are infected. Read the details!
• here is my advice.
• here is my photo!
• here is the [censored]
• feel free to use it.
• does it belong to you?
• Login required! Read the attachment!
• your document is silly!
• is the pic a fake?
• Antispam is turned off. See file!
• Authentification required. Read the att...
• solve the problem!
• [null]
• do not use my document!
• do not open the attachment!
• do not visit the pages on the list I se...
• explain!
• tell me more about your document!
• Your provider will be disabled!
• Instant patches.

Anexado, elegidos aleatoriamente de la siguiente lista:

• document
• associal
• msg
• yours
• doc
• wife
• talk
• message
• response
• creditcard
• description
• details
• attachment
• pic
• me
• trash
• card
• stuff
• poster
• posting
• portmoney
• textfile
• moonlight
• concert
• sexy
• information
• news
• note
• number_phone
• bill
• mydate
• swimmingpool
• class_photos
• product
• old_photos
• topseller
• ps
• important
• shower
• myaunt
• aboutyou
• yours
• nomoney
• birth
• found
• death
• story
• worker
• mails
• letter
• more
• website
• regards
• regid
• friend
• unfolds
• jokes
• doc_ang
• your_stuff
• location
• 454543403
• final
• schock
• release
• webcam
• dinner
• intimate stuff
• sexual
• ranking
• object
• secrets
• mail2
• attach2
• part2
• msg2
• disco
• freaky
• visa
• party
• material
• misc
• nothing
• transfer
• auction
• warez
• undefinied
• violence
• update
• masturbation
• injection
• naked1
• naked2
• tear
• music
• paypal
• id
• privacy
• word_doc
• image
• incest

La primera extensión que necesariamente no es visible es elegida de:

• .rtf
• .htm
• .doc
• .txt 

La segunda extensión es una de las siguientes:

• .scr
• .com
• .exe
• .pif

Estos archivos anexados también pueden estar contenidos en uno con extensión .ZIP

Al ser ejecutado aleatoriamente muestra esta falsa caja de diálogo:

Luego el gusano crea un mutex (Exclusión Mutua) denominado [SkyNet.cz]SystemsMutex para evitar ser ejecutado en memoria más de una vez. 

Se auto-copia al directorio %Windir% con el nombre Winlogon.exe y para ejecutarse la próxima vez que se inicie el sistema crea la siguiente llave de registro:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ICQ Net" = "%Windir%\winlogon.exe -stealth"

%Windir% es una variable que corresponde a C:\Windows en Windows 95/98/Me/XP/Server 2003 y C:\Winnt en Windows NT\2000. 

El gusano borra los siguientes valores asociados a los gusanos Mydoom y sus variantes:

• Sentry
• OLE
• service
• au.exe
• d3dupdate.exe
• DELETE ME
• msgsvr32
• Taskmon
• Explorer
• Windows Services Host

de las llaves de registro:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] 

Del mismo modo borra los valores KasperskyAV y System de la llave:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 

Para propagarse a través de las redes Peer to Peer se copia a las carpetas de descarga que tengan la cadena de texto shar, que corresponden a Kazaa, BearShare, eDonkey, Morpheus, Grokster, LimeWire., etc. en caso de estar instaladas, con los siguientes nombres:

• Microsoft WinXP Crack.exe
• Teen Porn 16.jpg.pif
• Adobe Premiere 9.exe
• Adobe Photoshop 9 full.exe
• Best Matrix Screensaver.scr
• Porno Screensaver.scr
• Dark Angels.pif
• XXX hardcore pic.jpg.exe
• Microsoft Office 2003 Crack.exe
• Serials.txt.exe
• Screensaver.scr
• Full album.mp3.pif
• Ahead Nero 7.exe
• Virii Sourcecode.scr
• E-Book Archive.rtf.exe
• Doom 3 Beta.exe
• How to hack.doc.exe
• Learn Programming.doc.exe
• WinXP eBook.doc.exe
• Win Longhorn Beta.exe
• Dictionary English - France.doc.exe
• RFC Basics Full Edition.doc.exe
• 1000 Sex and more.rtf.exe
• 3D Studio Max 3dsmax.exe
• Keygen 4 all appz.exe
• Windows Sourcecode.doc.exe
• Norton Antivirus 2004.exe
• Gimp 1.5 Full with Key.exe
• Partitionsmagic 9.0.exe
• Star Office 8.exe
• Magix Video Deluxe 4.exe
• Clone DVD 5.exe
• MS Service Pack 5.exe
• ACDSee 9.exe
• Visual Studio Net Crack.exe
• Cracks & Warez Archive.exe
• WinAmp 12 full.exe
• DivX 7.0 final.exe
• Opera.exe
• IE58.1 full setup.exe
• Smashing the stack.rtf.exe
• Ulead Keygen.exe
• Lightwave SE Update.exe
• The Sims 3 crack.exe

Si el sistema estuviese infectado con los gusanos Mydoom o Mydoom.B los remueve de la llave de registro:

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32] 
"default" = "%System%\Webcheck.dll"

Sus payloads son los siguientes:

• Se propaga masivamente en mensajes de correo, haciendo uso de su propio motor SMTP a direcciones de archivos de determinadas extensiones.
• Infecta con un archivo de nombre aleatorio y de doble extensión y con uno de extensión .ZIP que contiene los mismos archivos.
• Usa la técnica Spoofing para disfrazar a los nombres de los Remitentes. 
• Los Asuntos y Contenidos son aleatorios.
• También se difunde a través de las redes Peer to Peer cuyos software se encuentren instalados en los sistemas infectados.
• Borra los valores y las llaves de registro creadas por los gusanos Mydoom y Mydoom.B

PER ANTIVIRUS® versión 8.5 con registro de virus al 25 de Febrero del 2004 detecta y elimina eficientemente este gusano.