W32/Netsky.b@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 02/18/2004
Length: 22,016
Minimum DAT: 4325 (02/18/2004)
Updated DAT: 4994 (03/28/2007)
Minimum Engine: 5.1.00
Description Added: 02/18/2004
Description Modified: 02/18/2004 1:38 PM (PT)

Risk Assessment
Corporate User: Medium
Home User: Medium

Characteristics

This virus spreads via email and mapped drives: it mails itself to addresses found on the victim's machine and copies itself to folders on drives C: through Z:. The virus also attempts to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses. McAfee product detection requires that the option to scan compressed executables be enabled (a default option).

Netsky only infects systems running Microsoft Windows.

If you think that you may be infected with Netsky and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products are capable of detecting and removing the virus with the latest update (see the removal instructions below for more information).
Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From: address.

Mail propagation
The virus may be received in an email message as follows:

From: (forged address taken from the infected system) or skynet@skynet.de
Subject: (one of the following)

  • fake
  • for
  • hello
  • hi
  • immediately
  • information
  • it
  • read
  • something
  • stolen
  • unknown
  • warning
  • you

Body: (one of the following)

  • about me
  • anything ok?
  • do you? that's funny
  • from the chatter
  • greetings
  • here
  • here is the document.
  • here it is
  • here, the cheats
  • here, the introduction
  • here, the serials
  • i found this document about you
  • I have your password!
  • i hope it is not true!
  • i wait for a reply!
  • i'm waiting ok
  • information about you
  • is that from you?
  • is that true?
  • is that your account?
  • is that your name?
  • kill the writer of this document!
  • my hero
  • read it immediately!
  • read the details.
  • reply
  • see you
  • something about you!
  • something is fool
  • something is going wrong
  • something is going wrong!
  • stuff about you?
  • take it easy
  • that is bad
  • thats wrong why?
  • what does it mean?
  • yes, really?
  • you are a bad writer
  • you are bad
  • you earn money
  • you feel the same
  • you try to steal
  • your name is wrong

Attachment: (one of the following names)

  • aboutyou
  • attachment
  • bill
  • concert
  • creditcard
  • details
  • dinner
  • disco
  • doc
  • document
  • final
  • found
  • friend
  • jokes
  • location
  • mail2
  • mails
  • me
  • message
  • misc
  • msg
  • nomoney
  • note
  • object
  • part2
  • party
  • posting
  • product
  • ps
  • ranking
  • release
  • shower
  • story
  • stuff
  • swimmingpool
  • talk
  • textfile
  • topseller
  • website

May be followed by:

  • .doc
  • .htm
  • .rtf
  • .text

Followed by:

  • .com
  • .exe
  • .pif
  • .scr

The attachment may have a double extension, such as .rtf.pif, and may be contained in a .ZIP file.

The mailing component harvests addresses from the local system. Files with the following extensions are targeted:

  • .adb
  • .asp
  • .dbx
  • .doc
  • .eml
  • .htm
  • .html
  • .msg
  • .oft
  • .php
  • .pl
  • .rtf
  • .sht
  • .tbb
  • .txt
  • .uin
  • .vbs
  • .wab

The virus sends itself via SMTP, constructing messages using its own SMTP engine. It queries the DNS server for the MX record of the targeted domain, connects directly to that domain's MTA and sends the message.
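As a defender-side illustration, added here and not McAfee's code or any product's signature, the following Python mail-gateway check applies the sender, subject and attachment-naming pattern described above to constructed message metadata; the verdict labels (block/review/pass) and the inside_zip flag for archive members are assumptions of the example.

```python
import re

# Lists taken from the write-up above (attachment base names, subjects, sender).
ATTACH_NAMES = (
    "aboutyou attachment bill concert creditcard details dinner disco doc "
    "document final found friend jokes location mail2 mails me message misc "
    "msg nomoney note object part2 party posting product ps ranking release "
    "shower story stuff swimmingpool talk textfile topseller website"
).split()
SUBJECTS = set("fake for hello hi immediately information it read something "
               "stolen unknown warning you".split())
HARDCODED_SENDER = "skynet@skynet.de"

# Pattern: <name>[.doc|.htm|.rtf|.text](.com|.exe|.pif|.scr).
# Longest names first so "document" is tried before "doc".
_NAMES = "|".join(re.escape(n) for n in sorted(ATTACH_NAMES, key=len, reverse=True))
_PAYLOAD_RE = re.compile(
    rf"^(?P<base>{_NAMES})(?P<mid>\.doc|\.htm|\.rtf|\.text)?(?P<exe>\.com|\.exe|\.pif|\.scr)$"
)
_ZIP_RE = re.compile(rf"^(?:{_NAMES})\.zip$")


def classify_attachment(filename, inside_zip=False):
    """Return 'payload', 'payload-in-zip', 'zip' or None for one attachment name.
    inside_zip marks a member a gateway has listed from an archive (assumed API)."""
    name = filename.strip().lower()
    if _PAYLOAD_RE.match(name):
        return "payload-in-zip" if inside_zip else "payload"
    if not inside_zip and _ZIP_RE.match(name):
        return "zip"  # archive name from the hardcoded list: inspect its members
    return None


def triage(sender, subject, attachments):
    """attachments: iterable of (filename, inside_zip). Returns (verdict, reasons).
    Only a matching attachment is strong enough to block on its own; the sender
    and the one-word subjects are corroborating, so alone they only flag review."""
    reasons = []
    for fname, inside in attachments:
        kind = classify_attachment(fname, inside)
        if kind:
            reasons.append(f"attachment {fname}: {kind}")
    verdict = "block" if reasons else "pass"
    if sender.strip().lower() == HARDCODED_SENDER:
        reasons.append(f"sender is the worm's hardcoded {HARDCODED_SENDER}")
        verdict = "review" if verdict == "pass" else verdict
    if subject.strip().lower() in SUBJECTS:
        reasons.append(f"subject {subject!r} is on the worm's subject list")
        verdict = "review" if verdict == "pass" else verdict
    return verdict, reasons


if __name__ == "__main__":
    # Constructed sample message metadata, not captured traffic.
    print(triage("skynet@skynet.de", "hello", [("details.rtf.pif", False)]))
    print(triage("alice@example.com", "Quarterly figures", [("report.doc", False)]))
```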

System changes
When executed, a fake error message may be displayed.

The worm copies itself into the %WinDir% (WINDOWS) folder using the filename SERVICES.EXE (note: a valid file of the same name exists in the WINDOWS SYSTEM directory). A registry run key value is created to load the worm at system start:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "service" = C:\WINNT\services.exe -serv
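An added host-triage check (example code, not McAfee's) for the persistence entry above: it parses exported Run values and flags a services.exe launched from directly under %WinDir%, while leaving the genuine %WinDir%\system32\services.exe alone. The snapshot dictionary and windir string are passed in rather than read from the live registry, an assumption that lets the check run off-box.

```python
import ntpath

# The worm's copy is %WinDir%\services.exe, started by a Run value named
# "service" with the argument -serv; the legitimate Service Control Manager
# binary of the same name lives in %WinDir%\system32 and must not be touched.


def parse_run_value(data):
    """Split Run value data into (executable path, arguments), accepting both
    the quoted form ("C:\\Program Files\\x.exe" /a) and the bare form."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end], data[end + 1:].strip()
    parts = data.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def check_run_values(run_values, windir):
    """run_values: {value name: data} as exported from a ...\\CurrentVersion\\Run
    key (HKLM or HKCU). Returns a list of findings; empty means nothing
    resembling the Netsky.b persistence entry was present."""
    windir = ntpath.normcase(windir.rstrip("\\"))
    legit = ntpath.join(windir, "system32", "services.exe")
    findings = []
    for name, data in run_values.items():
        exe, args = parse_run_value(data)
        exe = ntpath.normcase(exe)
        if ntpath.basename(exe) != "services.exe" or exe == legit:
            continue  # not services.exe, or the genuine system32 copy
        detail = f'Run value "{name}" launches {exe} {args}'.rstrip()
        if name.lower() == "service" and args.lower() == "-serv":
            detail += " (matches the Netsky.b persistence entry)"
        findings.append(detail)
    return findings


if __name__ == "__main__":
    # Constructed snapshot of a Run key, not data from a real host.
    snapshot = {
        "service": r"C:\WINNT\services.exe -serv",
        "Tray": r'"C:\Program Files\Tray\tray.exe" /quiet',
    }
    for finding in check_run_values(snapshot, r"C:\WINNT"):
        print(finding)
```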

Network propagation/Peer-to-peer propagation
The worm copies itself to directories named share or sharing on the local system and on mapped network drives. This results in propagation via KaZaa, Bearshare, Limewire, and other P2P applications that use shared folder names containing the words share or sharing. The filenames are hardcoded in the worm and chosen randomly:

  • angels.pif
  • cool screensaver.scr
  • dictionary.doc.exe
  • dolly_buster.jpg.pif
  • doom2.doc.pif
  • e.book.doc.exe
  • e-book.archive.doc.exe
  • eminem - lick my pussy.mp3.pif
  • hardcore porn.jpg.exe
  • how to hack.doc.exe
  • matrix.scr
  • max payne 2.crack.exe
  • nero.7.exe
  • office_crack.exe
  • photoshop 9 crack.exe
  • porno.scr
  • programming basics.doc.exe
  • rfc compilation.doc.exe
  • serial.txt.exe
  • sex sex sex sex.doc.exe
  • strippoker.exe
  • virii.scr
  • win longhorn.doc.exe
  • winxp_crack.exe

The worm also drops numerous ZIP files containing the worm (22,016 bytes). The compressed file frequently uses a double extension (such as .doc.pif, .rtf.com or .rtf.scr). The list of ZIP names is hardcoded in the virus body:

  • aboutyou.zip
  • attachment.zip
  • bill.zip
  • concert.zip
  • creditcard.zip
  • details.zip
  • dinner.zip
  • disco.zip
  • final.zip
  • found.zip
  • friend.zip
  • jokes.zip
  • location.zip
  • mail2.zip
  • mails.zip
  • me.zip
  • message.zip
  • misc.zip
  • msg.zip
  • nomoney.zip
  • note.zip
  • object.zip
  • part2.zip
  • party.zip
  • posting.zip
  • product.zip
  • ps.zip
  • ranking.zip
  • release.zip
  • shower.zip
  • story.zip
  • stuff.zip
  • swimmingpool.zip
  • talk.zip
  • textfile.zip
  • topseller.zip
  • website.zip

Mydoom virus removal
The virus removes the following registry values to deactivate Mydoom.a and Mydoom.b:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Taskmon"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Explorer"
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Taskmon"
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Explorer"
  • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

Other registry entries removed are as follows:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "KasperskyAv"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "system"

Symptoms

  • Existence of the files and registry keys mentioned above
  • Unexpected network traffic

Method of Infection

This worm spreads by email and by copying itself to folders on the local hard drive as well as on mapped network drives, if available. It does not scan for open shares.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Stinger
Stinger has been updated to assist in detecting and repairing this threat.

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, then choose Safe Mode).
2. Delete the file SERVICES.EXE from your WINDOWS directory (typically c:\windows or c:\winnt).
   NOTE: Do not delete the file SERVICES.EXE from the WINDOWS SYSTEM directory, as that is a valid Windows system file.
3. Edit the registry
   • Delete the "service" value from
     • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. Reboot the system into Default Mode

McAfee Security ThreatScan
ThreatScan signatures that can detect the W32/Netsky.b@MM virus are available from:

ThreatScan Signature version: 2004-02-18

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

  • Select the "Remote Infection Detection" category and "Windows Virus Checks" template.

-or-

  • Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information:
Run the "ThreatScan Template Report"
Look for module number #4064

McAfee IntruShield
McAfee IntruShield already provides signatures to protect against this worm. Customers should see one or more of the following alerts upon detecting worm activity:

  • SMTP: Worm Detected in Attachment, when propagating via a regular email attachment
  • SMTP: Possible Virus Attachment File with Double Extension, when propagating using an attachment with a double extension
  • NETBIOS-SS: Copy Executable File Attempt, when copying itself through a file share

While double-extension attachments can be safely blocked, the other two alerts should be blocked only if your particular security policy for the environment disallows copying of these virus-carrying files.

Sniffer Technologies
Sniffer Filters have been developed to filter email traffic for messages FROM: skynet@skynet.de. Sniffer Filters are available for Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and the Netasyst network analyzer.

W32_Netsky.b@mm Sniffer Filters.zip

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Moodown.B (F-Secure)
  • W32.Netsky.B@mm (Symantec)
  • W32/Netsky-B (Sophos)
  • Win32.Netsky.B (CA)
  • Worm/Netsky.B (CentralCommand)
  • WORM_NETSKY.B (Trend)
