Computer viruses: Netsky / SomeFool

• Description
  
• Variants
  
• Removal tool
  
• jwSpamSpy Virus- and Spamfilter
  

In May 2004 an 18-year old German was arrested for creating both the Netsky and Sasser viruses (see Heise News, in German).

From: and Received: lines:
Don't trust the sender address! All variants of Netsky that spread via email carry their own SMTP engine. They do not use any email program installed on the computer or the email address it's configured for. Instead, the virus searches for any email addresses on the harddisk of the computer it infects and uses such addresses both as recipients (intended victims) and as fake sender addresses of the virus. Here is a typical example of a Netsky mail:

Received: from evhr.net (ABoulogne-108-1-5-78.w81-49.abo.wanadoo.fr [81.49.15.78])
	by mail.evhr.net (Postfix) with ESMTP id 9CB2D827D5
	for <eppi@evhr.net>; Mon, 21 Jun 2004 19:34:55 +0200 (CEST)
From: joewein@pobox.com
To: eppi@evhr.net
Subject: Re: My details
Date: Mon, 21 Jun 2004 19:34:56 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0012_000077D0.00000877"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20040621173455.9CB2D827D5@mail.evhr.net>

This is a multi-part message in MIME format.

------=_NextPart_000_0012_000077D0.00000877
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit

See the attached file for details.

------=_NextPart_000_0012_000077D0.00000877
Content-Type: application/octet-stream;
	name="my_details.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="my_details.pif"

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAuAAAAKvnXsbvhjCV74Ywle+GMJVsmj6V44YwlQeZOpX2hjCV74YxlbiGMJVsjm2V
4oYwlQeZO5XqhjCVV4A2le6GMJVSaWNo74YwlQAAAAAAAAAAQ29tcHJlc3NlZCBieSBQZXRp
dGUgKGMpMTk5OSBJYW4gTHVjay4AAFBFAABMAQMA6ZtBQAAAAAAAAAAA4AAPAQsBBgAASAAA
APAAAAAAAABCcAEAABAAAABgAAAAAEAAABAAAAACAAAEAAAAAAAAAAQAAAAAAAAAAIABAAAE
(continued)

Note that abuse@wanadoo.fr will not accept any virus reports that quote the body of a virus (headers only!) - a virus filter will bounce the virus report! Other abuse departments (for example, abuse@att.net) specifically require the message body as well. This creates something of a dilemma. We usually report message headers only, as this is really all that's needed for locating the sender.

Fake HELO name
Next to the host name (RDNS-name) and IP address you'll see the domain name evhr.net. This matches the domain name of the recipient. When the virus contacts the mail server of the intended next victim to deliver mail, it gives the recipient's domain name as its hostname, maybe in order to get around certain spam filters. This behaviour is typical of Netsky and makes it relatively easy to identify without looking at the message body and the dangerous virus payload.

Subject lines:
Many of the subject lines look like replies:

Here is the file.
Please have a look at the attached file.
Please read the attached file.
Re: Approved
Re: Details
Re: Document
Re: Excel file
Re: Hello
Re: Here
Re: Here is the document
Re: Hi
Re: My details
Re: Re: Document
Re: Re: Message
Re: Re: Re: Your document
Re: Re: Thanks!
Re: Thanks!
Re: Word file
Re: Your archive
Re: Your bill
Re: Your details
Re: Your document
Re: Your letter
Re: Your music
Re: Your picture
Re: Your product
Re: Your software
Re: Your text
Re: Your website
See the attached file for details.
Your document is attached.
Your file is attached.

Mail Delivery failure (recipient's email address)
Mail Delivery (failure recipient's email address)
Mail Delivery System (recipient's email address)
Mail Delivery failure (recipient's email address)
Mail System (recipient's email address)
Status (recipient's email address)

Message body:

Here is the file.
I have attached it to this mail.
Please have a look at the attached file
Please read the attached file.
Please read the document.
See the attached file for details.
Your document is attached.
Your file is attached.

• Netsky.A
  
• NetSky.A
  
• NetSky.AA
  
• Netsky.AA (NetSky.AA)
  
• NetSky.AB
  
• NetSky.AC
  
• NetSky.AD
  
• NetSky.B
  
• NetSky.C
  
• NetSky.D
  
• NetSky.E
  
• NetSky.F
  
• NetSky.G
  
• NetSky.H
  
• NetSky.I
  
• NetSky.J
  
• NetSky.K
  
• NetSky.L
  
• NetSky.M
  
• NetSky.N
  
• NetSky.O
  
• NetSky.P
  
• NetSky.Q
  
• Netsky.q (NetSky.P)
  
• NetSky.R
  
• NetSky.S
  
• NetSky.T
  
• Netsky.t (NetSky.S)
  
• Netsky.t (NetSky.T)
  
• NetSky.U
  
• NetSky.V
  
• NetSky.W
  
• NetSky.X
  
• NetSky.Y
  
• NetSky.Z
  
• Netsky.Z (NetSky.Z)
  

Removal tool:
Symantec have developed a removal tool for most variants of the virus: http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky@mm.removal.tool.html

jwSpamSpy virus filtering
jwSpamSpy, our spam- and virusfilter for POP3 mailboxes, filters viruses such as Netsky, Sober, Swen and many others.
It's semiautomatic virus reporting assistant allows you to quickly notify ISPs about viruses sent by their customers so they stop endangering others.

Anti-Virus Resources:
jwSpamSpy is our spam+virus filtering software
How to trace senders of viruses
Computer viruses: Netsky / SomeFool

Xenophobia, Spam and Viruses: The "German Spam" (Sober.H)
Sober.H – Racist German email spam spread by virus (in German)

Clueless virus filters spam innocent third parties

The Virus Ward: ISPs that appear to ignore reports of infected customer machines
NTL Internet (NTLI.net) ignores virus reports for almost three months
Chello.at ignores virus reports for two months
Wellcom.at ignores virus reports for two months
Dialog.net.pl ignores virus reports for three weeks
bhartibroadband.com ignores virus reports