Joe Wein
Fighting spam and scams
on the Internet

Computer viruses: Netsky / SomeFool

Description
Since February 2004, the Netsky family of viruses has been the most common computer virus in circulation. Its many variants use .exe, .com, .scr, .pif and .zip attachments that carry the viral payload, the dangerous part that can infect new computers. The virus author used clever social engineering techniques to make it likely that people would open the attachment and infect their machines.

In May 2004 an 18-year-old German was arrested for creating both the Netsky and Sasser viruses (see Heise News, in German).

From: and Received: lines:
Don't trust the sender address! All variants of Netsky that spread via email carry their own SMTP engine. They do not use any email program installed on the computer or the email address it is configured for. Instead, the virus searches for any email addresses on the hard disk of the computer it infects and uses such addresses both as recipients (intended victims) and as fake sender addresses of the virus. Here is a typical example of a Netsky mail:

Received: from evhr.net (ABoulogne-108-1-5-78.w81-49.abo.wanadoo.fr [81.49.15.78])
	by mail.evhr.net (Postfix) with ESMTP id 9CB2D827D5
	for <eppi@evhr.net>; Mon, 21 Jun 2004 19:34:55 +0200 (CEST)
From: joewein@pobox.com
To: eppi@evhr.net
Subject: Re: My details
Date: Mon, 21 Jun 2004 19:34:56 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0012_000077D0.00000877"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20040621173455.9CB2D827D5@mail.evhr.net>

This is a multi-part message in MIME format.

------=_NextPart_000_0012_000077D0.00000877
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit

See the attached file for details.

------=_NextPart_000_0012_000077D0.00000877
Content-Type: application/octet-stream;
	name="my_details.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="my_details.pif"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAuAAAAKvnXsbvhjCV74Ywle+GMJVsmj6V44YwlQeZOpX2hjCV74YxlbiGMJVsjm2V
4oYwlQeZO5XqhjCVV4A2le6GMJVSaWNo74YwlQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp
dGUgKGMpMTk5OSBJYW4gTHVjay4AAFBFAABMAQMA6ZtBQAAAAAAAAAAA4AAPAQsBBgAASAAA
APAAAAAAAABCcAEAABAAAABgAAAAAEAAABAAAAACAAAEAAAAAAAAAAQAAAAAAAAAAIABAAAE
(continued)
The fact that this mail carried my email address in its From-line doesn't mean I sent it. In fact, looking at the final Received-line (others omitted here) shows that the virus was sent from a computer identified as ABoulogne-108-1-5-78.w81-49.abo.wanadoo.fr with an IP address of 81.49.15.78. This virus was sent from France. Because the recipient address wasn't actually working, the recipient's mailserver sent "back" a message to me as the supposed sender. That message contained a complete copy of the virus email, which is how we obtained this sample. We reported the details to abuse@wanadoo.fr, the abuse mailbox of the provider, which located the customer whose machine was infected (jwSpamSpy, our spam filter, mostly automates this process of determining and notifying the provider).

Note that abuse@wanadoo.fr will not accept any virus reports that quote the body of a virus (headers only!) - a virus filter will bounce the virus report! Other abuse departments (for example, abuse@att.net) specifically require the message body as well. This creates something of a dilemma. We usually report message headers only, as this is really all that's needed for locating the sender.

Fake HELO name
Next to the host name (rDNS name) and IP address in the Received-line you'll see the domain name evhr.net. This matches the domain name of the recipient. When the virus contacts the mail server of the intended next victim to deliver mail, it announces the recipient's domain name as its own host name in the HELO command, perhaps in order to get past certain spam filters. This behaviour is typical of Netsky and makes it relatively easy to identify from the headers alone, without looking at the message body and the dangerous virus payload.
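The two header checks described above (read the sending machine from the Received-line rather than From:, and look for a HELO name that equals the recipient's domain) can be scripted. The following Python script is an added example, not code from this site or from jwSpamSpy. It builds a constructed test message in the shape of the mail quoted above (the base64 body is a harmless placeholder string, not the virus), parses the topmost Received-line, flags the Netsky HELO pattern and any attachment with one of the extensions listed on this page, and returns the rDNS name and IP that an abuse report would quote. The function names and the sample builder are this example's own.

```python
"""Header-only triage of a suspected Netsky mail (added example)."""
import re
from typing import Optional
from email import policy
from email.parser import BytesParser

# Attachment extensions named on the page as carriers of the payload.
RISKY_EXT = (".exe", ".com", ".scr", ".pif", ".zip")

# "from <HELO name> (<reverse-DNS name> [<IP>])" as Postfix writes it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)\s+\[(?P<ip>[0-9.]+)\]\)")
FOR_RE = re.compile(r"\bfor\s+<(?P<rcpt>[^>]+)>")


def build_sample(helo: str, filename: str) -> bytes:
    """Constructed sample in the shape of the mail quoted on this page.
    The base64 body is a harmless placeholder, not the virus."""
    return (
        f"Received: from {helo} (ABoulogne-108-1-5-78.w81-49.abo.wanadoo.fr [81.49.15.78])\n"
        "\tby mail.evhr.net (Postfix) with ESMTP id 9CB2D827D5\n"
        "\tfor <eppi@evhr.net>; Mon, 21 Jun 2004 19:34:55 +0200 (CEST)\n"
        "From: joewein@pobox.com\n"
        "To: eppi@evhr.net\n"
        "Subject: Re: My details\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="bnd"\n'
        "\n--bnd\n"
        'Content-Type: text/plain; charset="Windows-1252"\n'
        "\nSee the attached file for details.\n"
        "\n--bnd\n"
        f'Content-Type: application/octet-stream; name="{filename}"\n'
        "Content-Transfer-Encoding: base64\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "\ncGxhY2Vob2xkZXI=\n"
        "\n--bnd--\n"
    ).encode("ascii")


def parse_top_received(msg) -> Optional[dict]:
    """Extract HELO name, reverse-DNS name, IP and envelope recipient from
    the topmost Received: header, the one added by the recipient's own
    server. Lower Received: lines and From: could be forged by the sender."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    text = str(received[0])
    hop = RECEIVED_RE.search(text)
    if not hop:
        return None
    info = hop.groupdict()
    rcpt = FOR_RE.search(text)
    info["rcpt"] = rcpt.group("rcpt") if rcpt else None
    return info


def attachment_names(msg) -> list:
    """Filenames of MIME parts marked as attachments, body text excluded."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def triage(raw: bytes) -> dict:
    """Return the facts an abuse report needs plus the Netsky indicators."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hop = parse_top_received(msg) or {}
    names = attachment_names(msg)
    findings = []
    rcpt = hop.get("rcpt")
    rcpt_domain = rcpt.rsplit("@", 1)[-1].lower() if rcpt else None
    # The sending machine announced the recipient's own domain as its HELO
    # name: the behaviour the page describes as typical of Netsky.
    if rcpt_domain and hop.get("helo", "").lower() == rcpt_domain:
        findings.append("helo-equals-recipient-domain")
    if any(n.lower().endswith(RISKY_EXT) for n in names):
        findings.append("risky-attachment-extension")
    return {
        "helo": hop.get("helo"),
        "rdns": hop.get("rdns"),  # host name to quote in the abuse report
        "ip": hop.get("ip"),      # address the provider maps to a customer
        "attachments": names,
        "findings": findings,
    }


if __name__ == "__main__":
    # Netsky-shaped message, then a control with an honest HELO and a .txt.
    for helo, name in (("evhr.net", "my_details.pif"),
                       ("ABoulogne-108-1-5-78.w81-49.abo.wanadoo.fr", "notes.txt")):
        print(triage(build_sample(helo, name)))
```

Only the topmost Received-line is parsed because it is the one the recipient's own server wrote; anything below it arrived inside the message and could have been written by the virus. The HELO check on its own is a heuristic (a misconfigured but legitimate server can announce the wrong name), which is why the script reports it alongside the attachment extension rather than as a verdict.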

Subject lines:
Many of the subject lines look like replies:

Here is the file.
Please have a look at the attached file.
Please read the attached file.
Re: Approved
Re: Details
Re: Document
Re: Excel file
Re: Hello
Re: Here
Re: Here is the document
Re: Hi
Re: My details
Re: Re: Document
Re: Re: Message
Re: Re: Re: Your document
Re: Re: Thanks!
Re: Thanks!
Re: Word file
Re: Your archive
Re: Your bill
Re: Your details
Re: Your document
Re: Your letter
Re: Your music
Re: Your picture
Re: Your product
Re: Your software
Re: Your text
Re: Your website
See the attached file for details.
Your document is attached.
Your file is attached.
or like email delivery error messages:
Mail Delivery failure (recipient's email address)
Mail Delivery (failure recipient's email address)
Mail Delivery System (recipient's email address)
Mail Delivery failure (recipient's email address)
Mail System (recipient's email address)
Status (recipient's email address)
Some variants can infect a Windows machine by just opening the email if current updates are not installed.

Message body:

Here is the file.
I have attached it to this mail.
Please have a look at the attached file
Please read the attached file.
Please read the document.
See the attached file for details.
Your document is attached.
Your file is attached.

Variants:

Removal tool:
Symantec have developed a removal tool for most variants of the virus:
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky@mm.removal.tool.html

jwSpamSpy virus filtering
jwSpamSpy, our spam- and virusfilter for POP3 mailboxes, filters viruses such as Netsky, Sober, Swen and many others.
Its semi-automatic virus reporting assistant allows you to quickly notify ISPs about viruses sent by their customers, so they stop endangering others.

Anti-Virus Resources:
jwSpamSpy is our spam+virus filtering software
How to trace senders of viruses
Computer viruses: Netsky / SomeFool

Xenophobia, Spam and Viruses: The "German Spam" (Sober.H)
Sober.H – Racist German email spam spread by virus (in German)

Clueless virus filters spam innocent third parties

The Virus Ward: ISPs that appear to ignore reports of infected customer machines
NTL Internet (NTLI.net) ignores virus reports for almost three months
Chello.at ignores virus reports for two months
Wellcom.at ignores virus reports for two months
Dialog.net.pl ignores virus reports for three weeks
bhartibroadband.com ignores virus reports