
Win32.Netsky.AA@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Win32.Netsky.AA@mm.

Explanation:

The worm copies itself to %windir%\Jammer2nd.exe and creates a registry key so that it is run again after the next restart. It then creates the following files in the %windir% folder:
pk_zip_alg.log (the worm, zipped),
pk_zip1.log, pk_zip2.log, ..., pk_zip8.log (the archive in base64 format).

The worm spreads by e-mail. It searches for e-mail addresses in files with the following extensions:
.cfg .mbx .mdx .htm .html .asp .wab .doc
.eml .txt .php .vbs .rtf .uin .shtm .cgi
.dhtm .ods .stm .xls .adb .tbb .dbx .mht
.mmf .nch .sht .oft .msg .jsp .wsh .xml
.ppt

The e-mails it sends have the following characteristics:

Subject:
Important
Document
Hello
Information
Hi

Message body:
Important details!
Important notice!
Important document!
Important bill!
Important data!
Important!
Important textfile!
Important informations!

The e-mail contains the worm in a zip archive having one of the following names:
Details.zip
Notice.zip
Important.zip
Bill.zip
Data.zip
Part-2.zip
Textfile.zip
Informations.zip

The worm can perform a Denial of Service (DoS) attack on the following sites:
www.nibis.de
www.medinfo.ufl.edu
www.educa.ch

The worm listens on port 665/TCP. It accepts connections, writes the data it receives to a file %N%.exe (where %N% is a random number) and then executes that file.
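Added here as a defender-side example, not part of the BitDefender description: a Python routine that checks an RFC 822 message for the subject, body and attachment names listed above, plus a filter that picks the worm's dropped file names out of a directory listing. The sample message and the paths used to exercise it are constructed, not real captures.

```python
import email
import re
from email import policy
from pathlib import PureWindowsPath

# Indicator lists transcribed from the description above.
SUBJECTS = {"Important", "Document", "Hello", "Information", "Hi"}
BODIES = {"Important details!", "Important notice!", "Important document!",
          "Important bill!", "Important data!", "Important!",
          "Important textfile!", "Important informations!"}
ATTACHMENTS = {"Details.zip", "Notice.zip", "Important.zip", "Bill.zip",
               "Data.zip", "Part-2.zip", "Textfile.zip", "Informations.zip"}
# File names the worm creates in %windir% (case-insensitive on Windows).
DROPPED = re.compile(r"^(jammer2nd\.exe|pk_zip_alg\.log|pk_zip[1-8]\.log)$", re.I)

def classify_message(raw: bytes) -> dict:
    """Report which of the worm's e-mail traits a message shows.
    'match' is set only when subject, body and attachment name all hit."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject": str(msg.get("Subject", "")).strip() in SUBJECTS,
            "body": False, "attachment": False}
    for part in msg.walk():
        name = part.get_filename()
        if name and name in ATTACHMENTS:
            hits["attachment"] = True
        elif name is None and part.get_content_type() == "text/plain":
            hits["body"] = hits["body"] or part.get_content().strip() in BODIES
    hits["match"] = hits["subject"] and hits["body"] and hits["attachment"]
    return hits

def dropped_artifacts(paths) -> list:
    """Keep only paths whose file name is one the worm drops (e.g. a %windir% listing)."""
    return sorted(p for p in paths if DROPPED.match(PureWindowsPath(p).name))

# Constructed sample message (not a real capture) showing all three traits.
SAMPLE = b"""Subject: Hello
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Important data!
--b1
Content-Type: application/zip; name="Data.zip"
Content-Disposition: attachment; filename="Data.zip"

--b1--
"""
```

The e-mail check is deliberately strict (all three traits must agree) so that an ordinary message with the subject "Hello" alone is not flagged.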

Last update 21 November 2011
