How to delete I-Worm.Netsky.B - Removal tool, fix instructions

Name: I-Worm.Netsky.b

Aliases: W32/Netsky.b@MM, W32/Netsky-B, W32.Netsky.B@mm, Win32.Netsky.B, Worm/Netsky.B, WORM_NETSKY.B, Moodown.B, I-worm.Moodown.B

Type: Worm

Size: 22,016 bytes (packed)

First appeared on: 18.02.2004

Damage: Low

Brief Description: Netsky.B is a worm that deletes the entries that belong to several worms, including Mydoom.A, Mydoom.B and Mimail.T.

Netsky.B spreads via e-mail and through peer-to-peer (P2P) file sharing programs.

Visible Symptoms:

  • Presence of the following file in the Windows directory (%WINDIR%): services.exe
  • Presence of the following registry key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\service = %WINDIR%\services.exe
  • Once launched, the worm displays a false error message on the screen: 'The file could not be opened'.

Technical description: Netsky.B creates the file SERVICES.EXE in the Windows directory. This file is a copy of the worm.

Netsky.B creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, value: service = services.exe -serv
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value: service = services.exe -serv

If it does not succeed in creating the first entry, it attempts to create the second one.

By creating any of these entries, Netsky.B ensures that it is run whenever Windows is started.

Netsky.B deletes the following entries in the Windows Registry, if present:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value: Taskmon
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value: Taskmon
  • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 (key)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value: Explorer
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value: Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value: KasperskyAv
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value: system
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices, value: system

These entries belong to several worms, including Mydoom.A, Mydoom.B and Mimail.T.
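As an added example (not part of the original description and not any vendor's removal tool), the following Python script checks the two persistence indicators described above: the "service" value under the Run keys with data "services.exe -serv", and a services.exe dropped directly in %WINDIR%. The registry text it parses is a constructed sample in the layout that `reg query <key>` prints (key path on its own line, then one "name  type  data" line per value); on a live host that output would come from running `reg query` against each Run key. The misplaced-file check relies on the fact that the genuine Windows services.exe lives in %WINDIR%\System32, not in %WINDIR% itself.

```python
import re
from typing import List, Tuple

# Run keys the description says Netsky.B writes its "service" value under.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
_RUN_KEYS_LOWER = {k.lower() for k in RUN_KEYS}

# Constructed sample in `reg query` layout: one legitimate-looking value per
# key plus the worm's persistence value under HKLM.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    service    REG_SZ    services.exe -serv

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

# A value line is indented and has name, REG_* type and data separated by runs of spaces.
VALUE_LINE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) triples from `reg query`-style output."""
    entries = []
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # unindented line: a key path
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            entries.append((key, m.group("name"), m.group("data")))
    return entries


def netsky_b_run_entries(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Entries that match the worm's persistence value: name 'service', data 'services.exe -serv'."""
    return [
        (key, name, data)
        for key, name, data in entries
        if key.lower() in _RUN_KEYS_LOWER
        and name.lower() == "service"
        and data.strip().lower() == "services.exe -serv"
    ]


def services_exe_misplaced(path: str, windir: str = r"C:\Windows") -> bool:
    """True if services.exe sits directly in %WINDIR% (the worm's drop location).

    Windows keeps the real services.exe in %WINDIR%\\System32, so a copy one
    level up is an indicator on its own. `windir` defaults to the usual path
    and would be taken from the environment on a live host.
    """
    p = path.replace("/", "\\").rstrip("\\").lower()
    return p == (windir.rstrip("\\") + r"\services.exe").lower()


if __name__ == "__main__":
    for key, name, data in netsky_b_run_entries(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"persistence value found: {key} -> {name} = {data}")
    for candidate in (r"C:\Windows\services.exe", r"C:\Windows\System32\services.exe"):
        print(candidate, "misplaced" if services_exe_misplaced(candidate) else "expected location")
```

Because the worm falls back to HKCU when it cannot write HKLM, both Run keys have to be checked; a user-level infection shows up only under HKEY_CURRENT_USER.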

Propagation:

Netsky.B spreads via e-mail, through peer-to-peer (P2P) file sharing programs and across networks.

  1. Transmission via e-mail.

    Netsky.B follows the routine below:

    It reaches the computer in an e-mail message with variable characteristics:

    Sender: one of the following:

    • skynet@skynet.be
    • A spoofed address: Netsky.B forges the sender using any of the e-mail addresses it gathers on the affected computer. This may cause confusion, because the apparent sender is not the computer that is actually infected.

    Subject: one of the following:

    • fake
    • hello
    • information
    • read it immediately
    • something for you
    • stolen
    • unknown
    • warning

    Message: any of the following lines:

    • about me
    • anything ok?
    • do you?
    • from the chatter
    • greetings
    • here
    • here is the document.
    • here it is
    • here, the cheats
    • here, the introduction
    • here, the serials
    • i found this document about you
    • I have your password!
    • i hope it is not true!
    • i wait for a reply!
    • i'm waiting ok
    • information about you
    • is that from you?
    • is that true?
    • is that your account?
    • is that your name?
    • kill the writer of this document!
    • my hero
    • read it immediately!
    • read the details.
    • reply
    • see you
    • something about you!
    • something is fool
    • something is going wrong
    • something is going wrong!
    • stuff about you?
    • take it easy
    • that is bad
    • that's funny
    • thats wrong
    • what does it mean?
    • why?
    • yes, really?
    • you are a bad writer
    • you are bad you try to steal
    • you earn money
    • you feel the same
    • your name is wrong

    Attachment: the file name is variable and usually has a double extension:

    Possible file names: ABOUTYOU, ATTACHMENT, BILL, CONCERT, CREDITCARD, DETAILS, DINNER, DISCO, DOC, DOCUMENT, FAKE, FINAL, FOUND, FRIEND, HELLO, HI, INFORMATION, JOKES, LOCATION, MAIL2, MAILS, ME, MESSAGE, MISC, MSG, NOMONEY, NOTE, OBJECT, PART2, PARTY, POSTING, PRODUCT, PS, RANKING, READ IT IMMEDIATELY, RELEASE, SHOWER, SOMETHING FOR YOU, STOLEN, STORY, STUFF, SWIMMINGPOOL, TALK, TEXTFILE, TOPSELLER, UNKNOWN, WARNING or WEBSITE.

    First file extension: DOC, HTM, RTF or TXT.

    Second file extension: COM, EXE, PIF or SCR. On some occasions, the attached file only has one of these executable extensions.

    This worm can also be sent in a file compressed in a ZIP format.

    The following are only some examples: ABOUTYOU.DOC.EXE, DOCUMENT.RTF.COM, WEBSITE.SCR, STUFF.ZIP, etc.

    In addition, in order to trick the user into thinking that the attached file is completely harmless, it has the same icon as a Word document.

    The computer is affected when the attached file is run.

    Netsky.B searches for e-mail addresses in files that have the following extensions: ADB, ASP, DBX, DOC, EML, HTM, HTML, MSG, OFT, PHP, PL, RTF, SHT, TBB, TXT, UIN, VBS and WAB.

    Netsky.B sends itself out to all the addresses it has gathered, using its own SMTP engine. To find an SMTP server, it makes a DNS query for the mail domain of the affected user, using the IP address 217.5.100.1 as the DNS server.

  2. Transmission through peer-to-peer file sharing programs.

    Netsky.B follows the routine below:

    It creates copies of itself in directories with a name that contains the text strings share or sharing, in the hard drives C: through Z:. It uses the following file names, among others:

    • ANGELS.PIF
    • COOL SCREEN SAVER.SCR
    • CRACK.EXE
    • DICTIONARY.DOC.EXE
    • DOLLY_BUSTER.JPG.PIF
    • DOOM2.DOC.PIF
    • E.BOOK.DOC.EXE
    • E-BOOK.ARCHIVE.DOC.EXE
    • EMINEM - LICK MY PUSSY.MP3.PIF
    • HARDCORE
    • HOW TO HACK.DOC.EXE
    • MATRIX.SCR
    • MAX PAYNE 2.CRACK.EXE
    • NERO.7.EXE
    • OFFICE_CRACK.EXE
    • PHOTOSHOP 9
    • PORN.JPG.EXE
    • PORNO.SCR
    • PROGRAMMING BASICS.DOC.EXE
    • RFC COMPILATION.DOC.EXE
    • SERIAL.TXT.EXE
    • SEX SEX SEX SEX.DOC.EXE
    • STRIPPOKER.EXE
    • VIRII.SCR
    • WIN LONGHORN.DOC.EXE
    • WINXP_CRACK.EXE

    By doing this, it attempts to copy itself to the shared directories of P2P file sharing programs.

    Other users of these programs can access the shared directories and download the files to their computers, thinking that they are useful programs, information, pictures, etc. What they actually download is a copy of the worm.

    When the downloaded file is run, these computers will be affected by Netsky.B.

  3. Transmission across networks.

    Netsky.B attempts to copy itself to the drives C: to Z:, except those that are CD-ROM drives. The drives it copies to include mapped network drives. These copies may be compressed in ZIP format.
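The e-mail and P2P routines above share one naming trick: an executable extension (COM, EXE, PIF or SCR) hidden behind a document-looking one, or a bare executable or ZIP attachment. As an added example (not part of the original description), this Python script applies that heuristic from the defender's side: it classifies attachment names, combines the result with the fixed sender and subject list for a simple mail-gateway check, and scans a file listing for drops in directories whose name contains "share" or "sharing". The messages and paths it runs on are constructed samples; the directory and mailbox data on a real host would come from the mail gateway or a file-system walk.

```python
import re
from typing import List, Optional

# Executable extensions the description lists as the real (second) extension.
EXEC_EXTS = {"com", "exe", "pif", "scr"}
# Subjects and fixed sender from the e-mail description.
SUBJECTS = {"fake", "hello", "information", "read it immediately",
            "something for you", "stolen", "unknown", "warning"}
FIXED_SENDER = "skynet@skynet.be"
# Directory names the P2P routine targets contain "share" or "sharing".
SHARE_DIR = re.compile(r"shar(e|ing)", re.IGNORECASE)


def classify_attachment(filename: str) -> Optional[str]:
    """Classify a file name by the Netsky.B naming patterns.

    Returns "double-extension" for NAME.DECOY.EXEC (any decoy: the e-mail
    variant uses DOC/HTM/RTF/TXT, the P2P copies also use JPG/MP3/CRACK),
    "executable" for a bare COM/EXE/PIF/SCR, "zip" for an archive, else None.
    """
    parts = filename.strip().lower().split(".")
    if len(parts) < 2:
        return None
    last = parts[-1]
    if last in EXEC_EXTS:
        return "double-extension" if len(parts) >= 3 else "executable"
    if last == "zip":
        return "zip"
    return None


def message_indicators(sender: str, subject: str, attachment: str) -> List[str]:
    """Reasons a message resembles a Netsky.B mailing; an empty list means none matched."""
    reasons = []
    if sender.strip().lower() == FIXED_SENDER:
        reasons.append("sender:" + FIXED_SENDER)
    if subject.strip().lower() in SUBJECTS:
        reasons.append("subject:netsky-list")
    kind = classify_attachment(attachment)
    if kind:
        reasons.append("attachment:" + kind)
    return reasons


def find_share_drops(paths: List[str]) -> List[str]:
    """Paths whose directory name contains 'share'/'sharing' and whose file
    name looks like a Netsky.B drop (double extension, executable or zip)."""
    hits = []
    for p in paths:
        parts = p.replace("/", "\\").split("\\")
        dirs, name = parts[:-1], parts[-1]
        if any(SHARE_DIR.search(d) for d in dirs) and classify_attachment(name):
            hits.append(p)
    return hits


# Constructed sample messages: (sender, subject, attachment file name).
SAMPLE_MESSAGES = [
    ("skynet@skynet.be", "warning", "ABOUTYOU.DOC.EXE"),
    ("bob@example.com", "stolen", "WEBSITE.SCR"),
    ("carol@example.com", "Q3 figures", "figures.xlsx"),
]

# Constructed sample paths as a file-system walk over C: and D: might list them.
SAMPLE_PATHS = [
    r"C:\P2P\My Shared Folder\DICTIONARY.DOC.EXE",
    r"C:\P2P\My Shared Folder\holiday.jpg",
    r"D:\Downloads\DOOM2.DOC.PIF",
    r"C:\Users\alice\sharing\MATRIX.SCR",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg, "->", message_indicators(*msg) or "clean")
    print("share drops:", find_share_drops(SAMPLE_PATHS))
```

A bare-executable attachment or a double extension is by itself a strong reason to quarantine, independent of the subject list; the subject and sender matches only raise confidence, since the description says the sender is usually spoofed from a harvested address. The P2P check deliberately ignores the exact file names listed above (a variant can change them) and keys on the extension pattern plus the share-directory name instead.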

Removal tool and instructions:
Download removal tool from BitDefender.com