Internet threat level: 1
Home→Descriptions→Email-Worm.Win32.NetSky.d
Email-Worm.Win32.NetSky.d
| Detected | Mar 01 2004 11:31 GMT |
| Released | May 21 2004 21:44 GMT |
| Published | Mar 01 2004 11:31 GMT |
Technical Details
This worm spreads via the Internet as a file attached to infected messages.The worm is a Windows PE EXE file, of approximately 17424 bytes, written in Microsoft Visual C++. It is packed using Petite. The unpacked file is approximately 27KB in size.
Infected messages
Message header, chosen at random from the list below:
Re: Approved Re: Details Re: Excel file Re: Hello Re: Here Re: Here is the document Re: Hi Re: My details Re: Re: Document Re: Re: Message Re: Re: Re: Your document Re: Re: Thanks! Re: Thanks! Re: Word file Re: Your archive Re: Your bill Re: Your details Re: Your document Re: Your letter Re: Your music Re: Your picture Re: Your product Re: Your software Re: Your text Re: Your website
Message body, chosen at random from the list below:
Here is the file. Please have a look at the attached file Please read the attached file. See the attached file for details. Your document is attached. Your file is attached.
Attachment name, chosen at random from the list below:
all_document.pif application.pif document.pif document_4351.pif document_excel.pif document_full.pif document_word.pif message_details.pif message_part2.pif mp3music.pif my_details.pif your_archive.pif your_bill.pif your_details.pif your_document.pif your_file.pif your_letter.pif your_product.pif your_text.pif your_website.pif yours.pifThe worm is activated only if the user executes the infected file by double clicking on the attachment. The worm then installs itself to the system, and starts propagating.
Installation
When installing, the worm copies itself to the Windows directory under the name winlogon.exe and registers this file in the system registry auto-run key:[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
Sending messages
To harvest email addresses, the worm searches for files with the following extensions:adb asp dbx doc eml htm html msg oft php pl rtf sht tbb txt uin vbs waband sends a copy of itself to all addresses found in these files. The worm uses its own SMTP engine to send messages.
It attempts to send itself via the following SMTP servers:
145.253.2.171 151.189.13.35 193.141.40.42 193.189.244.205 193.193.144.12 193.193.158.10 194.25.2.129 194.25.2.129 194.25.2.130 194.25.2.131 194.25.2.132 194.25.2.133 194.25.2.134 195.185.185.195 195.20.224.234 212.185.252.136 212.185.252.73 212.185.253.70 212.44.160.8 212.7.128.162 212.7.128.165 213.191.74.19 217.5.97.137 62.155.255.16
Deletion of Mydoom
In a similar way to several other worms, Netsky.d is programmed to delete Mydoom from the infected machine. It searches the following branches of the system registry for the Explorer and Taskmon keys:[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\] [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]and also deletes the following key:
[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
Other
The worm deletes the keys KasperskyAv and system from the system registry.
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
- using a direct connection to a SMTP server using the email directory built into the worm’s code
- using MS Outlook services
- using Windows MAPI functions.
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
- the address book in MS Outlook
- a WAB address database
- .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
- emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.
Email-Worm.
- I-Worm.
NetSky. d (Kaspersky Lab) - Virus:
W32/Netsky. d@MM (McAfee) - Mal/Generic-L (Sophos)
- Worm.
SomeFool. Gen-1 (ClamAV) - W32/Netsky.
D. worm (Panda) - W32/Netsky.
d@MM (FPROT) - Worm:
Win32/Netsky. D@mm (MS(OneCare)) - Win32.
HLLM. Netsky. 29184 (DrWeb) - Win32/Netsky.
D worm (Nod32) - Win32.
Netsky. D@mm (BitDef7) - I-Worm.
NetSky. AJ (VirusBuster) - Win32:
Netsky-BD [Wrm] (AVAST) - Email-Worm.
Win32. NetSky. D (Ikarus) - Worm/Generic.
BCLV (AVG) - WORM/Netsky.
D. 3 (AVIRA) - W32.
Netsky. D@mm (NAV) - NseCheckFile2() returned 0x00010018 (Norman)
- Worm.
Mail. NetSky. b (Rising) - I-Worm.
NetSky. AJ (VirusBusterBeta)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.