Internet threat level: 1
Home→Descriptions→Email-Worm.Win32.NetSky.t
Email-Worm.Win32.NetSky.t
| Detected | Apr 05 2004 15:40 GMT |
| Released | Apr 05 2004 15:40 GMT |
| Published | Jun 02 2004 09:14 GMT |
Technical Details
This worm spreads via the Internet as an attachment to infected emails.
The worm itself is a Windows PE EXE file of approximately 18KB, packed using UPX and written in Microsoft Visual C++.
Infected messages
Message header (chosen at random from the list below)
Approved Hello Hi Important My details Re: Approved Re: Hello Re: Hi Re: Important Re: My details Re: Request Re: Thanks you! Re: Your details Re: Your document Re: Your information Request Thank you! Your details Your document Your information
Message body (chosen at random from the texts below)
Approved, here is the document. For more details see the attached document. For more information see the attached document. Hello! Here is the "...". Here is the document. Hi! I have found the "...". I have sent the "...". I have spent much time for the "...". I have spent much time for your document. My "..." is attached. My "...". Note that I have attached your document. Please have a look at the "...". Please have a look at the attached document. Please notice the attached "...". Please notice the attached document. Please read quickly. Please read the "...". Please read the attached document. Please see the "...". Please, "...". See the document for details. Thank you Thanks The "..." is attached. The "...". The requested "..." is attached! Your "..." is attached. Your "...". Your file is attached to this mail. Yours sincerely
The worm inserts random characters from the list below between the quotation marks.
abuse list account answer approved document approved file archive bill concept contact list corrected document description detailed document details developement diggest document e-mail excel document file final version homepage icq number important document improved document improved file info information instructions letter list mail message movie document new document note notice number list old document order personal message phone number photo document picture document postcard powerpoint document presentation document release report requested document sample secound document story summary text textfile user list word document
Attachment
A file with a .pif extension and a randomly generated name.
The worm is activated when the user opens the attached file.
Once launched, the worm installs inself to the system and starts propagating.
Installation
When installating, the worm copies itself to the Windows directory under the name EastAV.exe and registers this file in the system registry auto-run key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "EastAV"="%windir%\EastAV.exe"
Mass mailing
The worm searches for files with the extensions listed below:
adb asp cfg cgi dbx dhtm doc eml htm html jsp mbx |
mdx mht mmf msg nch ods oft php pl ppt rtf sht |
shtm stm tbb txt uin vbs wab wsh xls xml |
harvests email addresses and sends copies of itself to all addresses found.
The worm uses its own SMTP library to send messages.
Other
The worm will attempt to conduct DoS attacks on the following sites in accordance with the system clock local settings:
www.cracks.am www.emule.de www.freemule.net www.kazaa.com www.keygen.us
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
- using a direct connection to a SMTP server using the email directory built into the worm’s code
- using MS Outlook services
- using Windows MAPI functions.
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
- the address book in MS Outlook
- a WAB address database
- .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
- emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.
Email-Worm.
- I-Worm.
NetSky. t (Kaspersky Lab) - Virus:
W32/Netsky. t@MM (McAfee) - Worm.
SomeFool. Gen-2 (ClamAV) - W32/Netsky.
dam. worm (Panda) - W32/Netsky.
dam!Eldorado (FPROT) - Worm:
Win32/Netsky. CY@mm. dam#4 (MS(OneCare)) - Win32.
HLLM. Netsky. 18432 (DrWeb) - Win32/Netsky worm (Nod32)
- Worm.
Generic. 21603 (BitDef7) - I-Worm.
Netsky. FJ (VirusBuster) - Win32:
Netsky-T [Wrm] (AVAST) - Email-Worm.
Win32. NetSky (Ikarus) - Worm/Generic_r.
DB (AVG) - WORM/NetSky.
#1 (AVIRA) - W32.
Netsky. P@mm (NAV) - NseCheckFile2() returned 0x00010018 (Norman)
- Worm.
Mail. Win32. NetSky. daq (Rising) - WORM_NSKY.
DAM (TrendMicro) - I-Worm.
Netsky. FJ (VirusBusterBeta)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.