Win32.Netsky.X@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases:
There are no other names known for Win32.Netsky.X@mm.
Explanation:
The worm parses all the files with the following extensions, to gather email addresses:
.pl, .htm, .html, .eml, .txt, .php, .asp, .wab, .doc, .vbs, .rtf, .uin, .shtm, .cgi, .dhtm, .adb, .tbb, .dbx, .sht, .oft, .msg, .jsp, .wsh, .xml
The email that will be sent to the gathered addresses will have the following form:
SENDER:
One of the gathered email addresses (the sender is harvested too, so it is spoofed), or chris_sexana@aol.com
SUBJECT:
Composed from the following groups:
"Re:", "Re: Re:", "your", "my", "approved", "important", "document", "file", "details", "information", "letter", "product", "website", "application", "screensaver", "bill", "word document", "excel document", "data", "message", "text", "document_all", "here", "hi", "hello", "thanks!", "corrected", "patched", "improved", "important", "read it imediately"
Some of the above groups may be blank.
BODY:
One of the following:
Please see the attached file for details.
Please read the attached file.
Your document is attached.
Please read the document.
Your file is attached.
Please confirm the document.
Please read the important document.
See the file.
Requested file.
Authentication required.
Your document is attached to this mail.
I have attached your document.
I have received your document. The corrected document is attached.
Your document.
Your details.
ATTACHMENT:
A name chosen from the following:
document, file, details, information, letter, product, website, application, screensaver, bill, word document, excel document, data, message, text, document_all
And an extension:
.SCR, .EXE, .PIF, .ZIP
When the ZIP extension is used, the archived executable may have one of the following names:
"your_details.doc .exe", "document.htm .scr", "doc.txt .exe", "doc.pif", "your_details.scr", "document.exe"
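As an added defensive example (not part of the BitDefender description), the following Python classifier flags attachment names that match the patterns listed above: the lure-name plus extension combinations, the executable extensions, and the padded double extensions ("doc.txt .exe") used inside the ZIP. The tag names and sample filenames are constructed, and the padded-extension check is generalised to any short first extension followed by whitespace and .exe/.scr/.pif.

```python
import re

# Lure names and extensions taken from the Win32.Netsky.X@mm description above.
LURE_NAMES = {
    "document", "file", "details", "information", "letter", "product",
    "website", "application", "screensaver", "bill", "word document",
    "excel document", "data", "message", "text", "document_all",
}
LURE_EXTS = {".scr", ".exe", ".pif", ".zip"}
EXECUTABLE_EXTS = {".scr", ".exe", ".pif"}

# Padded double extension, e.g. "your_details.doc .exe": a harmless-looking
# extension, then whitespace, then the real executable extension (generalised
# here to any 1-5 character first extension).
PADDED_DOUBLE_EXT = re.compile(r"\.\w{1,5}\s+\.(exe|scr|pif)$", re.IGNORECASE)


def classify_attachment(filename: str) -> list[str]:
    """Return the reasons an attachment name is suspicious (empty list if none)."""
    name = filename.strip().lower()
    stem, dot, ext = name.rpartition(".")
    ext = "." + ext if dot else ""
    reasons = []
    if PADDED_DOUBLE_EXT.search(name):
        reasons.append("padded_double_extension")
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable_extension")
    if stem in LURE_NAMES and ext in LURE_EXTS:
        reasons.append("netsky_x_lure_name")
    return reasons


def scan_attachments(filenames: list[str]) -> dict[str, list[str]]:
    """Map each suspicious attachment name to its reasons; clean names are omitted."""
    return {f: r for f in filenames if (r := classify_attachment(f))}


if __name__ == "__main__":
    # Constructed sample: the first four follow the worm's naming patterns,
    # the last two are benign controls and should not be reported.
    sample = ["details.zip", "document.htm .scr", "doc.txt .exe",
              "Screensaver.PIF", "quarterly_report.pdf", "notes.txt"]
    for name, reasons in scan_attachments(sample).items():
        print(f"{name!r}: {', '.join(reasons)}")
```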
The worm uses its own SMTP engine to spread itself.
It will also try to delete the following entries from these registry keys:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
Entry names: "ssate.exe", "srate.exe", "sysmon.exe", "Taskmon", "rate.exe", "gouday.exe", "Sentry.exe", "OLE", "d3dupdate.exe", "DELETE ME", "service", "au.exe", "msgsvr32", "system.", "Explorer"
and any other keys contained in:
[HKLM\System\CurrentControlSet\Services\WksPatch]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]
[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
Last update 21 November 2011