
Win32.Netsky.W@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Netsky.W@mm is also known as WORM_NETSKY.W.

Explanation:

The worm comes by mail in the following form:

From: spoofed

Subject: is composed using the following words:
here
hi
hello
thanks!
approved
corrected
patched
improved
important
read it immediately
your
my
approved
important
document
file
details
information
letter
product
website
application
screensaver
bill
word document
excel document
data
message
text
document_all
Body text: one of the following:
Your details.
Your document.
I have received your document. The corrected document is attached.
I have attached your document.
Your document is attached to this mail.
Authentication required.
Requested file.
See the file.
Please read the important document.
Please confirm the document.
Your file is attached.
Please read the document.
Your document is attached.
Please read the attached file.
Please see the attached file for details.
At the end of the body text, there may be three lines saying that the attachment contains no virus.

Attachment: has an executable extension (.pif, .exe or .scr) or .zip and a name from:
document
file
details
information
letter
product
website
application
screensaver
bill
word document
excel document
data
message
text
document_all
The attachment name may be followed by the recipient's e-mail user name.

The mail may also contain a GIF picture.
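The message template above (subject assembled from listed words, one of the listed body sentences, a listed attachment name with an executable or .zip extension) is specific enough to be checked at a mail gateway. The following Python is an added example and is not part of the BitDefender description: it scores a raw RFC 822 message against those three lists. The two sample messages are constructed, and the separator between the attachment base name and the recipient's user name is an assumption, since the description does not say which one the worm uses.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Word lists transcribed from the description above.
SUBJECT_PHRASES = {
    "here", "hi", "hello", "thanks!", "approved", "corrected", "patched",
    "improved", "important", "read it immediately", "your", "my",
    "document", "file", "details", "information", "letter", "product",
    "website", "application", "screensaver", "bill", "word document",
    "excel document", "data", "message", "text", "document_all",
}
BODY_SENTENCES = {
    "your details.", "your document.",
    "i have received your document. the corrected document is attached.",
    "i have attached your document.", "your document is attached to this mail.",
    "authentication required.", "requested file.", "see the file.",
    "please read the important document.", "please confirm the document.",
    "your file is attached.", "please read the document.",
    "your document is attached.", "please read the attached file.",
    "please see the attached file for details.",
}
ATTACHMENT_STEMS = {
    "document", "file", "details", "information", "letter", "product",
    "website", "application", "screensaver", "bill", "word document",
    "excel document", "data", "message", "text", "document_all",
}
ATTACHMENT_EXTS = {".pif", ".exe", ".scr", ".zip"}
MAX_PHRASE_TOKENS = 3  # longest listed phrase is "read it immediately"


def subject_is_template(subject: str) -> bool:
    """True if the whole subject can be segmented into listed phrases."""
    tokens = subject.lower().split()
    if not tokens:
        return False
    n = len(tokens)
    reachable = [False] * (n + 1)  # reachable[i]: tokens[:i] segmented
    reachable[0] = True
    for i in range(n):
        if not reachable[i]:
            continue
        for k in range(1, MAX_PHRASE_TOKENS + 1):
            if i + k <= n and " ".join(tokens[i:i + k]) in SUBJECT_PHRASES:
                reachable[i + k] = True
    return reachable[n]


def body_is_template(body: str) -> bool:
    """True if any non-empty body line is one of the listed sentences."""
    lines = [" ".join(line.split()).lower() for line in body.splitlines()]
    return any(line in BODY_SENTENCES for line in lines if line)


def attachment_is_template(filename: str, recipient_user: str = "") -> bool:
    """True for <listed name>[<sep><recipient user>].<pif|exe|scr|zip>."""
    stem, dot, ext = filename.lower().rpartition(".")
    if not dot or "." + ext not in ATTACHMENT_EXTS:
        return False
    for base in ATTACHMENT_STEMS:
        if stem == base:
            return True
        # Assumption: the user name follows the base name with at most one
        # separator character; the description does not specify the format.
        if recipient_user and re.fullmatch(
                re.escape(base) + r"[ _.-]?" + re.escape(recipient_user.lower()), stem):
            return True
    return False


def classify(raw_message: str) -> dict:
    """Report which template indicators a raw RFC 822 message matches."""
    msg = message_from_string(raw_message)
    recipient_user = parseaddr(msg.get("To", ""))[1].split("@")[0]
    subject_hit = subject_is_template(msg.get("Subject", ""))
    body_hit = attachment_hit = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            attachment_hit |= attachment_is_template(filename, recipient_user)
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body_hit |= body_is_template(payload.decode("utf-8", "replace"))
    # The attachment words are common on their own, so require the attachment
    # plus at least one of the other two indicators before flagging.
    return {"subject": subject_hit, "body": body_hit,
            "attachment": attachment_hit,
            "match": attachment_hit and (subject_hit or body_hit)}


# Constructed sample messages (not captured traffic).
WORM_STYLE = """\
From: spoofed@example.invalid
To: alice@example.invalid
Subject: hi approved document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Your document is attached.

--sep
Content-Type: application/octet-stream; name="document_alice.pif"
Content-Disposition: attachment; filename="document_alice.pif"
Content-Transfer-Encoding: base64

AAAA
--sep--
"""
BENIGN = """\
From: bob@example.invalid
To: alice@example.invalid
Subject: Lunch on Friday?
Content-Type: text/plain

Want to grab lunch? The menu is on the intranet page.
"""

if __name__ == "__main__":
    print(classify(WORM_STYLE))
    print(classify(BENIGN))
```

The subject test is a segmentation rather than a word-set lookup so that multi-word entries such as "read it immediately" and "word document" are honoured, and the verdict deliberately needs the attachment indicator together with a subject or body hit, because the attachment base names alone appear in plenty of legitimate mail.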

When run, the worm copies itself to the Windows directory under the file name:
%WINDIR%\VisualGuard.exe
and creates the following registry value under the key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
with the value:
"NetDy" = "%WINDIR%\VisualGuard.exe"

It scans the hard drives for e-mail addresses inside files with the following extensions:
.pl
.htm
.html
.eml
.txt
.php
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.sht
.oft
.msg
.jsp
.wsh
.xml
and sends mail using its own SMTP engine.

The worm attempts to remove some variants of the Mydoom, Welchia and Beagle worms.

The worm uses the following temporary files; they may be deleted:
%WINDIR%\base64.tmp -- base64 encoding of the worm file
%WINDIR%\zipped.tmp -- zipped worm file
%WINDIR%\zip1.tmp through %WINDIR%\zip6.tmp -- base64 encodings of the zipped worm file
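The host-side artifacts named in this description (the copy in the Windows directory, the "NetDy" value under the Run key, and the temporary files listed here) are what a triage script looks for. The following Python is an added example, not part of the BitDefender description: it checks a set of Run values and a directory listing against those indicators and, when executed on Windows, reads the live Run key through the standard winreg module. The sample registry values and file listing are constructed, and "ExampleUpdater" is a made-up benign entry.

```python
import os

# Indicators transcribed from the description above.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "NetDy"
WORM_FILE = r"%WINDIR%\VisualGuard.exe"
TEMP_FILES = [r"%WINDIR%\base64.tmp", r"%WINDIR%\zipped.tmp"] + [
    rf"%WINDIR%\zip{i}.tmp" for i in range(1, 7)]


def expand_windir(path: str, windir: str) -> str:
    """Replace the %WINDIR% placeholder with the actual Windows directory."""
    return path.replace("%WINDIR%", windir.rstrip("\\"))


def check_run_values(run_values: dict, windir: str) -> list:
    """run_values maps value name -> data, as read from the Run key."""
    expected = expand_windir(WORM_FILE, windir).lower()
    findings = []
    for name, data in run_values.items():
        data_norm = data.strip('"').lower()
        if (name == RUN_VALUE_NAME or data_norm == expected
                or data_norm.endswith("\\visualguard.exe")):
            findings.append(f"Run value {name!r} = {data}")
    return findings


def check_files(existing_files: set, windir: str) -> list:
    """Return the listed indicator paths that are present in existing_files."""
    present = {p.lower() for p in existing_files}
    return [p for p in [WORM_FILE] + TEMP_FILES
            if expand_windir(p, windir).lower() in present]


def triage(run_values: dict, existing_files: set, windir: str = r"C:\Windows") -> dict:
    return {"run": check_run_values(run_values, windir),
            "files": check_files(existing_files, windir)}


# Constructed sample of what a hit looks like (not from a real host).
SAMPLE_RUN = {
    "ExampleUpdater": r"C:\Program Files\Example\updater.exe",  # made-up benign entry
    "NetDy": r"C:\Windows\VisualGuard.exe",
}
SAMPLE_FILES = {
    r"C:\Windows\VisualGuard.exe", r"C:\Windows\base64.tmp",
    r"C:\Windows\zip3.tmp", r"C:\Windows\notepad.exe",
}


def live_triage():
    """Read the real Run key and Windows directory; returns None off Windows."""
    try:
        import winreg
    except ImportError:
        return None
    windir = os.environ.get("WINDIR", r"C:\Windows")
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            run_values[name] = str(data)
            index += 1
    files = {os.path.join(windir, f) for f in os.listdir(windir)}
    return triage(run_values, files, windir)


if __name__ == "__main__":
    print(triage(SAMPLE_RUN, SAMPLE_FILES))
    result = live_triage()
    if result is not None:
        print(result)
```

The file check matches on full expanded paths rather than bare names so that a legitimately named file elsewhere on the disk does not trigger it, and the Run check flags either the value name or the VisualGuard.exe data, since a cleaned machine may have had one but not the other altered.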

Last update 21 November 2011
