| Event | Date |
|---|---|
| Detected | Aug 03 2004 13:03 GMT |
| Released | Oct 25 2004 23:54 GMT |
| Published | Aug 03 2004 13:03 GMT |
This worm spreads via the Internet as an attachment to infected messages.
The worm itself is a Windows PE EXE file, written in Microsoft Visual C++. It is approximately 16KB in size and packed using UPX. The unpacked file is approximately 140KB in size.
When launched, the worm recursively scans all disks, starting with C:, for files with the following extensions:
adb asp cgi dbx dhtm doc eml htm html jsp msg oft php pl rtf sht shtm tbb txt uin vbs wab wsh xml
It sends copies of itself to email addresses harvested from these files.
When launching, the worm copies itself to the Windows directory as Avprotect9x.exe. It then registers the full path to this file in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:]
9xHtProtect = <%WinDir%>\AVprotect9x.exe
This ensures that the worm will be launched each time Windows is started.
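The persistence mechanism above gives an incident responder a concrete indicator to check. The following is an added example, not Kaspersky's code: it takes the values of the HKLM Run key as a name-to-data dict (here a constructed sample; on a live host the dict would be filled from the registry) and flags entries matching the value name and file name quoted in the description.

```python
import ntpath

# Indicators taken from the description: the Run-key value name and the
# file name the worm copies itself to in the Windows directory.
VALUE_NAME = "9xHtProtect"
FILE_NAME = "avprotect9x.exe"

# Constructed sample of Run-key values (name -> data): one benign entry
# and one entry shaped like the worm's.
SAMPLE_RUN_KEY = {
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "9xHtProtect": r"C:\WINDOWS\AVprotect9x.exe",
}


def suspicious_run_entries(run_key, windir=r"C:\WINDOWS"):
    """Return [(name, data, reasons)] for Run-key entries matching the
    NetSky.m indicators. Comparison is case-insensitive because registry
    value names and Windows paths are."""
    hits = []
    for name, data in run_key.items():
        reasons = []
        if name.lower() == VALUE_NAME.lower():
            reasons.append("value name matches 9xHtProtect")
        path = data.strip('"')
        if ntpath.basename(path).lower() == FILE_NAME:
            reasons.append("launches avprotect9x.exe")
            if ntpath.dirname(path).lower() == windir.lower():
                reasons.append("file sits directly in %WinDir%")
        if reasons:
            hits.append((name, data, reasons))
    return hits


if __name__ == "__main__":
    for name, data, reasons in suspicious_run_entries(SAMPLE_RUN_KEY):
        print(f"{name} = {data}: {'; '.join(reasons)}")
```

Either indicator alone is enough to warrant a look; both together on the same entry is a strong match for this variant.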
Infected messages are built from the templates below; %s is replaced with a string chosen by the worm.
Subject (one of the following):
- Re: <%s> Approved
- Re: <%s> Details
- Re: <%s> Document
- Re: <%s> Improved
- Re: <%s> Information
- Re: <%s> My details
- Re: <%s> My document
- Re: <%s> My file
- Re: <%s> My information
- Re: <%s> Requested document
- Re: <%s> Requested file
- Re: <%s> Your details
- Re: <%s> Your document
Attachment name (one of the following):
- %s
- articel_%s
- detailed_%s
- details_%s
- doc_%s
- document_%s
- file_%s
- improved_%s
- message_%s
- picture_%s
- word_doc_%s
- your_document_%s
- your_file_%s
Message body (one of the following):
- %s is attached.
- Authentification for %s required.
- Details for %s.
- Document %s.
- I have attached your document %s.
- I have received your document. The improved document %s is attached.
- Please confirm the document %s.
- Please read the attached file %s.
- Please read the document %s.
- Please read the important message msg_%s.
- Please see the attached file %s for details.
- Requested file %s.
- See the file %s.
- Your document %s is attached to this mail.
- Your document %s is attached.
- Your file %s is attached.
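Fixed templates like these are what mail-gateway signatures are built from. The following is an added example (not Kaspersky's or the worm's code) that turns a subset of the subject and attachment-name templates into anchored regular expressions and scores a message on how many of its fields fit. The bare `%s` attachment template is left out because it matches any name; sample subjects and attachment names are constructed, and the attachment's extension is ignored since the description does not state one.

```python
import os
import re

# Subset of the templates listed in the description.
SUBJECT_TEMPLATES = [
    "Re: <%s> Approved", "Re: <%s> Details", "Re: <%s> Document",
    "Re: <%s> My details", "Re: <%s> Requested file", "Re: <%s> Your document",
]
ATTACHMENT_TEMPLATES = [
    "articel_%s", "detailed_%s", "doc_%s", "document_%s",
    "improved_%s", "message_%s", "your_document_%s",
]


def template_to_regex(template):
    """Turn a printf-style template into an anchored, case-insensitive regex:
    literal text is escaped and each %s becomes a non-greedy wildcard."""
    pattern = ".+?".join(re.escape(part) for part in template.split("%s"))
    return re.compile(r"\A" + pattern + r"\Z", re.IGNORECASE)


def matching_template(text, templates):
    """Return the first template that text fully matches, or None."""
    for t in templates:
        if template_to_regex(t).match(text):
            return t
    return None


def score_message(subject, attachment_name):
    """Both fields fitting the worm's templates is a strong signal; one alone
    is weak, since many legitimate mails start with 'Re: '."""
    s = matching_template(subject, SUBJECT_TEMPLATES)
    stem = os.path.splitext(attachment_name)[0]  # extension is not part of the signature
    a = matching_template(stem, ATTACHMENT_TEMPLATES)
    verdict = "block" if s and a else ("review" if s or a else "pass")
    return {"subject_template": s, "attachment_template": a, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample messages.
    for subj, att in [("Re: <report> My details", "document_report.zip"),
                      ("Re: meeting tomorrow", "agenda.pdf")]:
        print(subj, att, score_message(subj, att)["verdict"])
```

The same approach extends to the body templates; matching on two or three independent fields keeps the false-positive rate low even though each template on its own is generic.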
The worm opens a group of several ports. The port numbers are increased incrementally across the whole group every few seconds. This behaviour makes it possible to detect the worm by using Kaspersky Anti-Hacker.
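The sliding block of listening ports is a host-level behaviour that can be spotted without a vendor tool. The following added example (not Kaspersky's code) runs a simple heuristic over constructed netstat-style snapshots: for each process it finds the longest run of consecutive listening ports and flags the process if that run keeps its length while its starting port rises from one snapshot to the next.

```python
# Constructed snapshots: (seconds since start, pid, set of listening ports).
# pid 1234 imitates the behaviour described above; pid 777 is a static server.
SNAPSHOTS = [
    (0,  1234, {135, 445, 5000, 5001, 5002, 5003, 5004}),
    (5,  1234, {135, 445, 5001, 5002, 5003, 5004, 5005}),
    (10, 1234, {135, 445, 5002, 5003, 5004, 5005, 5006}),
    (0,  777,  {80, 443, 8080, 8081, 8082}),
    (5,  777,  {80, 443, 8080, 8081, 8082}),
    (10, 777,  {80, 443, 8080, 8081, 8082}),
]


def consecutive_runs(ports, min_len=3):
    """Return [(start, length)] for every run of consecutive port numbers
    of at least min_len ports, in ascending order."""
    runs = []
    start = prev = None
    for p in sorted(ports):
        if prev is None or p != prev + 1:
            if start is not None and prev - start + 1 >= min_len:
                runs.append((start, prev - start + 1))
            start = p
        prev = p
    if start is not None and prev - start + 1 >= min_len:
        runs.append((start, prev - start + 1))
    return runs


def sliding_port_groups(snapshots, min_len=3):
    """Return {pid: [run start per snapshot]} for processes whose largest
    consecutive port run has constant length but a strictly rising base."""
    by_pid = {}
    for t, pid, ports in snapshots:
        by_pid.setdefault(pid, []).append((t, ports))
    flagged = {}
    for pid, series in by_pid.items():
        series.sort()
        bases = []
        for _, ports in series:
            runs = consecutive_runs(ports, min_len)
            if not runs:
                bases = []  # a snapshot without a run breaks the pattern
                break
            bases.append(max(runs, key=lambda r: r[1]))
        same_len = len({n for _, n in bases}) == 1
        rising = all(b2 > b1 for (b1, _), (b2, _) in zip(bases, bases[1:]))
        if len(bases) >= 2 and same_len and rising:
            flagged[pid] = [b for b, _ in bases]
    return flagged


if __name__ == "__main__":
    print(sliding_port_groups(SNAPSHOTS))
```

In practice the snapshots would come from periodic `netstat`-style polling; the threshold of three consecutive ports and two rising snapshots is an assumption chosen for the sample, not a figure from the description.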
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.