Internet threat level: 1
Home→Descriptions→Email-Worm.Win32.NetSky.y
Email-Worm.Win32.NetSky.y
| Detected | Apr 20 2004 12:45 GMT |
| Released | Aug 01 2004 15:50 GMT |
| Published | Apr 20 2004 12:45 GMT |
Technical Details
This worm spreads via the Internet as a file attached to infected messages. It is written in Microsoft Visual C++ and packed using PE_Patch+TeLock. The packed file is 26112 bytes in size, and the unpacked file is 28160 bytes in size.
Infected messages
The characteristics of infected messages vary according to domain:Sender's address:
hukanmikloiuo@yahoo.comDomain ".tc":
Message header:
Re: belge
Message body
mutlu etmek okumak belgili tanimlik belge.
Attachment name
belge.pifDomain ".se":
Message header
Re: dokumenten
Message body
Behaga läsa dokumenten.
Attachment name
dokumenten.pifDomain ".fi":
Message header
Re: dokumentoida
Message body
Haluta kuulua dokumentoida.
Attachment name
dokumentoida.pifDomain ".pl":
Message header
Re: udokumentowac
Message body
Podobac sie przeczytac ten udokumentowac.
Attachment name
udokumentowac.pifDomain ".no":
Message header
Re: dokumentet
Message body
Behage lese dokumentet.
Attachment name
dokumentet.pifDomain ".pt":
Message header
Re: original
Message body
Leia por favor o original.
Attachment name
original.pifDomain ".it":
Message header
Re: documento
Message body
Legga prego il documento.
Attachment name
documento.pifDomain ".fr":
Message header
Re: document
Message body
Veuillez lire le document.
Attachment name
document.pifDomain ".de":
Message header
Re: dokument
Message body
Bitte lesen Sie das Dokument.
Attachment name
dokument.pifOther Domains:
Message header
Re: document
Message body
Please read the document.
Attachment name
document.pif
The worm will be activated only if the user launches the infected file by clicking twice on the attachment. The worm will then install itself on the system and start propagating.
Installation
When installing, the worm copies itself under the name FirewallSvr.exe to the Windows folder and registers this file in the system registry autorun key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FirewallSvr]
Mass mailing
The worm searches for files with the extensions adb, asp, dbx, doc, eml, htm, html, msg, oft, php, pl, rtf, sht, tbb, txt, uin, vbs, É wab, harvest email addresses and then sends copies of itself to these addresses. It creates a file in the Windows directory called fuck_you_bagle.txt, and writes its body to this file. This file is then used to generate infected messages.
Remote administration
The worm opens port 82 and tracks port activity. The backdoor function makes it possible for files to be downloaded onto the victim machine.
Other
The worm is programmed to carry out DoS attacks between the 27th and 30th April on the following servers:
www.educa.ch www.medinfo.ufl.edu www.nibis.de
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both case, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
- using a direct connection to a SMTP server using the email directory built into the worm’s code
- using MS Outlook services
- using Windows MAPI functions.
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
- the address book in MS Outlook
- a WAB address database
- .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
- emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.
Email-Worm.
- I-Worm.
NetSky. y (Kaspersky Lab) - Virus:
W32/Netsky. x@MM (McAfee) - W32/Netsky-Y (Sophos)
- Worm.
SomeFool. X (ClamAV) - W32/Netsky.
X. worm (Panda) - W32/Netsky.
X@mm (FPROT) - Worm:
Win32/Netsky. X@mm (MS(OneCare)) - Win32.
HLLM. Netsky. based (DrWeb) - Win32/Netsky.
X worm (Nod32) - Worm.
Generic. 65764 (BitDef7) - I-Worm.
Netsky. BI (VirusBuster) - Win32:
Netsky-BG [Wrm] (AVAST) - Email-Worm.
Win32. NetSky (Ikarus) - I-Worm/Netsky.
X (AVG) - WORM/NetSky.
X (AVIRA) - W32.
Netsky. X@mm (NAV) - Netsky.
X@mm (Norman) - W32/Netsky.
x@MM (NAI) - WORM_NETSKY.
X (PCCIL) - Worm.
NetSky. th (Rising) - Email-Worm.
Win32. NetSky. y [AVP] (FSecure) - WORM_NETSKY.
X (TrendMicro) - NetSky.
y (Sunbelt) - I-Worm.
Netsky. BI (VirusBusterBeta)
© 1997-2012 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.