

First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for W32.NetSky.D@mm.

Explanation:

W32.Netsky.D@mm is a mass-mailing worm that sends itself to email addresses it gathers from infected computers.

Actions performed by this malware when run:
- copies itself into the Windows directory under the name "winlogon.exe" and adds it to startup using the registry key:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ICQ Net" = "%Windir%\winlogon.exe -stealth"

- removes the following entries so that they no longer load at startup:
* TaskMon
* Explorer
* KasperskyAv
* msgsvr32
* au.exe
* d3dupdate.exe
* Windows Services Host

- starts a thread that scans all non-CD-ROM drives of the computer for files with the following extensions:
* eml
* txt
* php
* pl
* htm
* html
* vbs
* rtf
* uin
* asp
* wab
* doc
* adb
* tbb
* dbx
* sht
* oft
* msg
* shtm
* cgi
* dhtm

Each file found is scanned for e-mail addresses, which are saved unless they contain one of the following strings:
* icrosoft
* antivi
* ymantec
* spam
* avp
* f-secur
* itdefender
* orman
* cafee
* aspersky
* f-pro
* orton
* fbi
* abuse
* messagelabs
* skynet

- starts a thread that carries the payload: if the system date is 02.03.2004 and the time is 0600, 0700 or 0800, it produces a beep of random length from the PC speaker

- starts a thread that spreads the worm to the collected addresses, using subjects like:

* Re: Your website
* Re: Your product
* Re: Your letter
* Re: Your archive
* Re: Your text
* Re: Your bill
* Re: Your details
* Re: My details
* Re: Word file
* Re: Excel file
* Re: Details
* Re: Approved
* Re: Your software
* Re: Your music
* Re: Here
* Re: Re: Re: Your document
* Re: Hello
* Re: Hi
* Re: Re: Message
* Re: Your picture
* Re: Here is the document
* Re: Your document
* Re: Thanks!
* Re: Re: Thanks!
* Re: Re: Document
* Re: Document

and message bodies like:

* Your file is attached.
* Please read the attached file.
* Please have a look at the attached file.
* See the attached file for details.
* Here is the file.
* Your document is attached.

The attachment can have one of the following names:
* your_website.pif
* your_product.pif
* your_letter.pif
* your_archive.pif
* your_text.pif
* your_bill.pif
* your_details.pif
* document_word.pif
* document_excel.pif
* my_details.pif
* all_document.pif
* application.pif
* mp3music.pif
* yours.pif
* document_4351.pif
* your_file.pif
* message_details.pif
* your_picture.pif
* document_full.pif
* message_part2.pif
* document.pif
* your_document.pif

- mails are sent using the worm's own self-made SMTP engine

Last update 21 November 2011