Home

Store

How to Protect Yourself from Viruses

Antivirus Reviews

Antivirus FAQs

Antivirus Checklist

Antivirus Top 10 Tips

Antivirus Tutorial

Kazaa the Virus Desktop

Worms vs. Viruses

Virus Glossary

W32.Netsky.P@mm

Note: Norton Antivirus 2003 can remove this virus automatically.  You can also download a Netsky.P removal tool.

Due to an increase in the rate of submissions, Symantec Security Response has upgraded W32.Netsky.P@mm to a Category 3 from a Category 2 threat as of March 22, 2004.

W32.Netsky.P@mm (also known as W32.Netsky.Q@mm) is a mass-mailing worm that uses its own SMTP engine Ao send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders.

The From line of the email is spoofed, and its Subject line and message body of the email vary. The attachment name varies with the .exe, .pif, .scr, or .zip file extension.

The worm uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to cause unpatched systems to auto-execute the worm when reading or previewing an infected message.

This threat is compressed with FSG.

• Symantec Consumer products that support Worm Blocking functionality automatically detect this threat.
• The worm's executable has a static MD5 hash value of 0x0A9FFA57D65083C92E0D3D69B00F2F0D.
• Rapid release definitions dated March 21, 2004 or March 22, 2004 may detect this threat as W32.Netsky.Q@mm.
• Symantec Security Response has developed a removal tool to clean the infections of W32.Netsky.P@mm.

 

Also Known As:	W32.Netsky.Q@mm, W32/Netsky.p@MM [McAfee], Win32.Netsky.P [Computer Associates], NetSky.P [F-Secure], W32/Netsky.P.worm [Panda], W32/Netsky-P [Sophos], WORM_NETSKY.P [Trend]
Type:	Worm
Infection Length:	29,568 bytes
Systems Affected:	Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected:	DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x
CVE References:	CVE-2001-0154

THREAT ASSESSMENT

Damage

• Payload Trigger: n/a
• Payload: n/a
  • Large scale e-mailing: Sends itself to the email addresses retrieved from the file system.
  • Deletes files: n/a
  • Modifies files: n/a
  • Degrades performance: n/a
  • Causes system instability: n/a
  • Releases confidential info: n/a
  • Compromises security settings: n/a

Distribution

• Subject of email: Varies
• Name of attachment: Varies with the .exe, .pif, .scr, or .zip file extension.
• Size of attachment: Varies
• Timestamp of attachment: n/a
• Ports:
• Shared drives: n/a
• Target of infection: n/a

TECHNICAL DETAILS

When W32.Netsky.P@mm runs, it does the following:

1. Creates a mutex "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_" to allow only one instance of the worm to execute.
   
   
2. Copies itself as %Windir%\FVProtect.exe.
   
   

   ---

   Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

   ---

   
   
3. Drops the following file:
   
   %Windir%\userconfig9x.dll
   
   Then, the worm loads and executes this file. It has a static MD5 hash value of 0x3018E99857F31A59E0777396AE634A8F.
   
   
4. Creates the following files:
   
   • %Windir%\base64.tmp (40,520 bytes): MIME-encoded version of the executable
   • %Windir%\zip1.tmp (40,882 bytes): MIME-encoded version of worm in a .zip archive
   • %Windir%\zip2.tmp (40,894 bytes): MIME-encoded version of worm in a .zip archive
   • %Windir%\zip3.tmp (40,886 bytes): MIME-encoded version of worm in a .zip archive
   • %Windir%\zipped.tmp (29,834 bytes): Worm in a .zip archive
     
     
5. Adds the value:
   
   "Norton Antivirus AV"="%Windir%\FVProtect.exe"
   
   to the registry key:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   so that the worm runs when you start Windows.
   
   
6. Deletes the values:
   
   • Explorer
   • system.
   • msgsvr32
   • winupd.exe
   • direct.exe
   • jijbl
   • service
   • Sentry
     
     from the registry key:
     
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
     Run
     
     
7. Deletes the values:
   
   • system.
   • Video
     
     from the registry key:
     
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
     RunServices
     
     
8. Deletes the values:
   
   • Explorer
   • au.exe
   • direct.exe
   • d3dupdate.exe
   • OLE
   • gouday.exe
   • rate.exe
   • Taskmon
   • Windows Services Host
   • sysmon.exe
   • srate.exe
   • ssate.exe
   • winupd.exe
     
     from the registry key:
     
     HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     
     
9. Deletes the following subkeys:
   
   • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\
     Explorer\PINF
   • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch
   • HKEY_CLASSES_ROOT\CLSID\CLSID\
     {E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
     
     
10. Scans the hard drive for folders that contain the following strings:
    
    • bear
    • donkey
    • download
    • ftp
    • htdocs
    • http
    • icq
    • kazaa
    • lime
    • morpheus
    • mule
    • my shared folder
    • shar
    • shared files
    • upload
      
      and copies the worm into that folder with the following file names:
      
    • "1001 Sex and more.rtf.exe"
    • "3D Studio Max 6 3dsmax.exe"
    • "ACDSee 10.exe"
    • "Adobe Photoshop 10 crack.exe"
    • "Adobe Photoshop 10 full.exe"
    • "Adobe Premiere 10.exe"
    • "Ahead Nero 8.exe"
    • "Altkins Diet.doc.exe"
    • "American Idol.doc.exe"
    • "Arnold Schwarzenegger.jpg.exe"
    • "Best Matrix Screensaver new.scr"
    • "Britney sex xxx.jpg.exe"
    • "Britney Spears and Eminem porn.jpg.exe"
    • "Britney Spears blowjob.jpg.exe"
    • "Britney Spears cumshot.jpg.exe"
    • "Britney Spears fuck.jpg.exe"
    • "Britney Spears full album.mp3.exe"
    • "Britney Spears porn.jpg.exe"
    • "Britney Spears Sexy archive.doc.exe"
    • "Britney Spears Song text archive.doc.ex"...
    • "Britney Spears.jpg.exe"
    • "Britney Spears.mp3.exe"
    • "Clone DVD 6.exe"
    • "Cloning.doc.exe"
    • "Cracks & Warez Archiv.exe"
    • "Dark Angels new.pif"
    • "Dictionary English 2004 - France.doc.ex"...
    • "DivX 8.0 final.exe"
    • "Doom 3 release 2.exe"
    • "E-Book Archive2.rtf.exe"
    • "Eminem blowjob.jpg.exe"
    • "Eminem full album.mp3.exe"
    • "Eminem Poster.jpg.exe"
    • "Eminem sex xxx.jpg.exe"
    • "Eminem Sexy archive.doc.exe"
    • "Eminem Song text archive.doc.exe"
    • "Eminem Spears porn.jpg.exe"
    • "Eminem.mp3.exe"
    • "Full album all.mp3.pif"
    • "Gimp 1.8 Full with Key.exe"
    • "Harry Potter 1-6 book.txt.exe"
    • "Harry Potter 5.mpg.exe"
    • "Harry Potter all e.book.doc.exe"
    • "Harry Potter e book.doc.exe"
    • "Harry Potter game.exe"
    • "Harry Potter.doc.exe"
    • "How to hack new.doc.exe"
    • "Internet Explorer 9 setup.exe"
    • "Kazaa Lite 4.0 new.exe"
    • "Kazaa new.exe"
    • "Keygen 4 all new.exe"
    • "Learn Programming 2004.doc.exe"
    • "Lightwave 9 Update.exe"
    • "Magix Video Deluxe 5 beta.exe"
    • "Matrix.mpg.exe"
    • "Microsoft Office 2003 Crack best.exe"
    • "Microsoft WinXP Crack full.exe"
    • "MS Service Pack 6.exe"
    • "netsky source code.scr"
    • "Norton Antivirus 2005 beta.exe"
    • "Opera 11.exe"
    • "Partitionsmagic 10 beta.exe"
    • "Porno Screensaver britney.scr"
    • "RFC compilation.doc.exe"
    • "Ringtones.doc.exe"
    • "Ringtones.mp3.exe"
    • "Saddam Hussein.jpg.exe"
    • "Screensaver2.scr"
    • "Serials edition.txt.exe"
    • "Smashing the stack full.rtf.exe"
    • "Star Office 9.exe"
    • "Teen Porn 15.jpg.pif"
    • "The Sims 4 beta.exe"
    • "Ulead Keygen 2004.exe"
    • "Visual Studio Net Crack all.exe"
    • "Win Longhorn re.exe"
    • "WinAmp 13 full.exe"
    • "Windows 2000 Sourcecode.doc.exe"
    • "Windows 2003 crack.exe"
    • "Windows XP crack.exe"
    • "WinXP eBook newest.doc.exe"
    • "XXX hardcore pics.jpg.exe"
      
      
11. Retrieves email addresses from files on drives C through Z if the files have any of these file extensions:
    
    • .adb
    • .asp
    • .cgi
    • .dbx
    • .dhtm
    • .doc
    • .eml
    • .htm
    • .html
    • .jsp
    • .msg
    • .oft
    • .php
    • .pl
    • .rtf
    • .sht
    • .shtm
    • .tbb
    • .txt
    • .uin
    • .vbs
    • .wab
    • .wsh
    • .xml
      
      
12. Uses its own SMTP engine to send itself to the email addresses it finds.
    
    The email has the following characteristics:
    
    From: <Spoofed>
    
    Subject: (Some possible subject lines are listed below)
    
    • Re: Encrypted Mail
    • Re: Extended Mail
    • Re: Status
    • Re: Notify
    • Re: SMTP Server
    • Re: Mail Server
    • Re: Delivery Server
    • Re: Bad Request
    • Re: Failure
    • Re: Thank you for delivery
    • Re: Test
    • Re: Administration
    • Re: Message Error
    • Re: Error
    • Re: Extended Mail System
    • Re: Secure SMTP Message
    • Re: Protected Mail Request
    • Re: Protected Mail System
    • Re: Protected Mail Delivery
    • Re: Secure delivery
    • Re: Delivery Protection
    • Re: Mail Authentification
    • Mail Delivery (failure <spoofed address>)
      
      Body: (Some possible message bodies are listed below)
      
    • Please see the attached file for details
    • Please read the attached file!
    • Your document is attached.
    • Please read the document.
    • Your file is attached.
    • Your document is attached.
    • Please confirm the document.
    • Please read the important document.
    • See the file.
    • Requested file.
    • Authentication required.
    • Your document is attached to this mail.
    • I have attached your document.
    • I have received your document. The corrected document is attached.
    • Your document.
    • Your details.
      
      
      The worm may also append the following to the message body:
      
      
    • +++ Attachment: No Virus found
      +++ MessageLabs AntiVirus - www.messagelabs.com
      
      
    • +++ Attachment: No Virus found
      +++ Bitdefender AntiVirus - www.bitdefender.com
      
      
    • +++ Attachment: No Virus found
      +++ MC-Afee AntiVirus - www.mcafee.com
      
      
    • +++ Attachment: No Virus found
      +++ Kaspersky AntiVirus - www.kaspersky.com
      
      
    • +++ Attachment: No Virus found
      +++ Panda AntiVirus - www.pandasoftware.com
      
      
    • ++++ Attachment: No Virus found
      ++++ Norman AntiVirus - www.norman.com
      
      
    • ++++ Attachment: No Virus found
      ++++ F-Secure AntiVirus - www.f-secure.com
      
      
    • ++++ Attachment: No Virus found
      ++++ Norton AntiVirus - www.symantec.de
      
      
      Attachments: (Some possible file names are listed below)
      
    • document05
    • websites03
    • game_xxo
    • your_document
      
      Followed by one of the following:
    • .txt <a long series of blank spaces>
    • .doc <a long series of blank spaces>
      
      Followed by one of the following extensions:
    • .exe
    • .pif
    • .scr
    • .zip
      
      If the attachment's extension is .exe, .scr, or .pif, the attachment will be a copy of the worm. If the extension is .zip, the attachment will be a .zip file containing the worm executable. The file name inside the .zip file will be one of the following:
      
    • document.txt .exe
    • data.rtf .scr
    • details.txt .pif
      
      
13. The worm avoids sending to the email addresses that contain any of the following strings:
    
    • @antivi
    • @avp
    • @bitdefender
    • @fbi
    • @f-pro
    • @freeav
    • @f-secur
    • @kaspersky
    • @mcafee
    • @messagel
    • @microsof
    • @norman
    • @norton
    • @pandasof
    • @skynet
    • @sophos
    • @spam
    • @symantec
    • @viruslis
    • abuse@
    • noreply@
    • ntivir
    • reports@
    • spam@

Norton Personal Firewall

• Verify that you have a rule that only allows inbound/outbound mail to/from your mail server
• Run LiveUpdate on your desktop AV clients and have all your user do a full scan of their desktops

All users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL INSTRUCTIONS

Removal using the W32.Netsky Removal Tool
Symantec Security Response has developed a removal tool to clean the infections of W32.Netsky.P@mm. Try this removal tool first, as it is the easiest way to remove this threat.

Manual Removal
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Restart the computer in Safe Mode or VGA mode.
4. Run a full system scan and delete all the files detected as W32.Netsky.P@mm.
5. Delete the value that was added to the registry.
   

• "How to disable or enable Windows Me System Restore"
• "How to turn off or turn on Windows XP System Restore"

• Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
  
  

3. Restarting the computer in Safe mode or VGA Mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.

• For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."
• For Windows NT 4 users, restart the computer in VGA mode.
  

1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
   • For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
2. Run a full system scan.
3. If any files are detected as infected with W32.Netsky.P@mm, click Delete.

1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit
   
   Then click OK. (The Registry Editor opens.)
   
   
3. Navigate to the key:
   
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   
   
4. In the right pane, delete the value:
   
   "Norton Antivirus AV"="%Windir%\FVProtect.exe"
   
   
5. Exit the Registry Editor.