
Win32.Netsky.AB@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Win32.Netsky.AB@mm.

Explanation:

The worm has the following e-mail format:

Attachment:
Randomly chosen from the following list:
"Your_Document.pif"
"Your_Document.pif"
"Your_Text.pif"
"Your_Document_Part3.pif"
"Your_Details.pif"
"Your_Pics.pif"
"Your_Private_Document.pif"
"Your_Information.pif"
"Your_Document.pif"
"Your_Digicam_Pictures.pif"
"Your_Summary.pif"
"Your_Description.pif"
"Your_Music.pif"
"Your_Software.pif"
"My_Telephone_Numbers.pif"
"Your_List.pif"
"Your_Text_File.pif"
"Your_Paint_File.pif"
"Your_Contacts.pif"
"Your_E-Books.pif"
"Your_Bill.pif"
"Your_Error.pif"
"Your_Excel_Document.pif"
"Your_Letter.pif"
"Your_Product.pif"
"Your_Website.pif"
"Your_Movie.pif"
"Your_Presentation.pif"
"My_Advice.pif"
"My_Fax_Numbers.pif"
"Your_Product_List.pif"
"Osam_Bin_Laden_Articel_42.pif"
"Your_Demo.pif"
"Your_Final_Document.pif"
"Your_Poster.pif"
"Your_Patch.pif"
"Your_Pricelist.pif"
"Your_Job.pif"

Body:

Randomly chosen from the following list:

Your document is attached.
Here is the file.
Please view the attached file.
See the attached file for details.
Please take the attached file.
Please have a look at the attached file.
Please read the attached file.
Your file is attached.
For furher details see the attached file.

Subject:

Randomly chosen from the following list:

"Re: Document"
"Re: Approved"
"Re: Text"
"Re: Thank you!"
"Re: Details"
"Re: Photos"
"Re: Private"
"Re: Information"
"Re: Hi"
"Re: Hello"
"Re: Summary"
"Re: Step by Step"
"Re: Music"
"Re: Application"
"Re: Tel. Numbers"
"Re: List"
"Re: Text file"
"Re: Paint file"
"Re: Contacts"
"Re: e-Books"
"Re: Bill"
"Re: Error"
"Re: Missed"
"Re: Letter"
"Re: Product"
"Re: Website"
"Re: Movie"
"Re: Presentation"
"Re: Advice"
"Re: Fax number"
"Re: Cheaper"
"Re: War"
"Re: Demo"
"Re: Final"
"Re: Poster"
"Re: Patch"
"Re: Pricelist"
"Re: Job"

When the worm is executed it creates the following mutex to ensure that only one instance of itself is running:
MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
It then copies itself to the %WINDIR% folder under the name:
Winlogon.scr
and adds the following value under the Run key so that the copy starts with Windows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SkynetsRevenge = %WINDIR%\winlogon.scr
After this it creates one thread to search for e-mail addresses and 8 threads to send itself to every e-mail address it finds.
When first run it displays a message box with the following title and text:
Error
Out of system memory

The worm searches for e-mail addresses on physical drives from c: to z:.
It will only search for e-mail addresses in files with the following extensions:
.eml .txt .php .cfg .mbx .mdx .asp .wab .doc .vbs .rtf .uin .shtm .cgi .dhtm .adb .tbb
.dbx .pl .htm .html .sht .oft .msg .ods .stm .xls .jsp .wsh .xml .mht .mmf .nch .ppt

At the same time it sends itself to all e-mail addresses it finds, skipping any address containing one of the following strings:
"icrosoft"
"antivi"
"ymantec"
"spam"
"avp"
"f-secur"
"itdefender"
"orman"
"cafee"
"aspersky"
"f-pro"
"orton"
"fbi"
"abuse"
"messagelabs"
"skynet"
"andasoftwa"
"freeav"
"sophos"
"antivir"
"iruslis"

Last update 21 November 2011
