
Win32.Netsky.B@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Netsky.B@mm is also known as W32/Netsky-B.

Explanation :

This mass mailer comes in the following e-mail format:

Subject - randomly chosen from the following strings:
"hello"
"read it immediately"
"something for you"
"warning"
"information"
"stolen"
"fake"
"unknown"

Message body - randomly chosen from the following strings:
"anything ok?"
"what does it mean?"
"ok"
"i'm waiting"
"read the details."
"here is the document."
"read it immediately!"
"my hero"
"here"
"is that true?"
"is that your name?"
"is that your account?"
"i wait for a reply!"
"is that from you?"
"you are a bad writer"
"I have your password!"
"something about you!"
"kill the writer of this document!"
"i hope it is not true!"
"your name is wrong"
"i found this document about you"
"yes, really?"
"that is bad"
"here it is"
"see you"
"greetings"
"stuff about you?"
"something is going wrong!"
"information about you"
"about me"
"from the chatter"
"here, the serials"
"here, the introduction"
"here, the cheats"
"that's funny"
"do you?"
"reply"
"take it easy"
"why?"
"thats wrong"
"misc"
"you earn money"
"you feel the same"
"you try to steal"
"you are bad"
"something is going wrong"
"something is fool"

Attached file name - randomly chosen from the following strings:
"document"
"msg"
"doc"
"talk"
"message"
"creditcard"
"details"
"attachment"
"me"
"stuff"
"posting"
"textfile"
"concert"
"information"
"note"
"bill"
"swimmingpool"
"product"
"topseller"
"ps"
"shower"
"aboutyou"
"nomoney"
"found"
"story"
"mails"
"website"
"friend"
"jokes"
"location"
"final"
"release"
"dinner"
"ranking"
"object"
"mail2"
"part2"
"disco"
"party"
"misc"
"#n#o#t#n#e#t#s#k#y#-#s#k#y#n#e#t#!"

Attached file extensions - randomly chosen from the following strings:
".exe"
".scr"
".com"
".pif"
".txt"
".rtf"
".doc"
".htm"

When the user double-clicks the attachment, the worm copies itself as
%WINDIR%\services.exe
and adds the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\service = %WINDIR%\services.exe,
so it will be automatically executed each time Windows starts up.

It then searches the files on the infected computer for e-mail addresses and sends itself to those addresses.
While searching, it tries to copy itself into each directory whose name contains the strings
Share or Sharing, with one of the following names:
'doom2.doc.pif'
'sex sex sex sex.doc.exe'
'rfc compilation.doc.exe'
'dictionary.doc.exe'
'win longhorn.doc.exe'
'e.book.doc.exe'
'programming basics.doc.exe'
'how to hack.doc.exe'
'max payne 2.crack.exe'
'e-book.archive.doc.exe'
'virii.scr'
'nero.7.exe'
'cool screensaver.scr'
'serial.txt.exe'
'office_crack.exe'
'hardcore porn.jpg.exe'
'angels.pif'
'porno.scr'
'matrix.scr'
'photoshop 9 crack.exe'
'strippoker.exe'
'dolly_buster.jpg.pif'
'winxp_crack.exe'
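
A defender-side check for the shared-folder behaviour described above, as an added example (not BitDefender's code): it walks a directory tree and flags files in Share/Sharing directories that match the listed names or, generalising beyond that list, hide an executable extension behind a document-like one. The function names, the case-insensitive matching and the decoy-extension set are assumptions made for this example.

```python
import os

# Drop names listed on this page, lower-cased for comparison.
KNOWN_NAMES = {
    "doom2.doc.pif", "sex sex sex sex.doc.exe", "rfc compilation.doc.exe",
    "dictionary.doc.exe", "win longhorn.doc.exe", "e.book.doc.exe",
    "programming basics.doc.exe", "how to hack.doc.exe", "max payne 2.crack.exe",
    "e-book.archive.doc.exe", "virii.scr", "nero.7.exe",
    "cool screensaver.scr", "serial.txt.exe", "office_crack.exe",
    "hardcore porn.jpg.exe", "angels.pif", "porno.scr",
    "matrix.scr", "photoshop 9 crack.exe", "strippoker.exe",
    "dolly_buster.jpg.pif", "winxp_crack.exe",
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif"}     # executable types in the page's lists
DECOY_EXTS = {".doc", ".txt", ".rtf", ".htm", ".jpg"}  # harmless-looking inner extensions (assumed set)

def classify(filename):
    """Return 'known-name', 'double-extension', or None for one file name."""
    name = filename.lower()
    if name in KNOWN_NAMES:
        return "known-name"
    stem, ext = os.path.splitext(name)
    if ext in EXECUTABLE_EXTS and os.path.splitext(stem)[1] in DECOY_EXTS:
        return "double-extension"
    return None

def is_share_dir(dirname):
    # The page says the directory name contains "Share" or "Sharing";
    # matching case-insensitively is an assumption of this example.
    d = dirname.lower()
    return "share" in d or "sharing" in d

def scan(root):
    """Walk root and return sorted (path, reason) pairs for share-like directories."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if not is_share_dir(os.path.basename(dirpath)):
            continue
        for f in files:
            reason = classify(f)
            if reason:
                hits.append((os.path.join(dirpath, f), reason))
    return sorted(hits)

if __name__ == "__main__":
    import sys
    for path, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(reason, path)
```

A name match is only an indicator; confirm a hit by scanning the file with an up-to-date antivirus engine.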

Last update 21 November 2011
