Email-Worm.Win32.NetSky.aa
| Detected | Jun 02 2004 09:06 GMT |
| Released | Mar 25 2010 20:37 GMT |
| Published | Jun 02 2004 09:06 GMT |
This worm spreads via the Internet as an attachment to infected emails.
It possesses a backdoor function, and is capable of conducting DoS attacks on Internet sites.
The worm itself is a PE EXE file of approximately 20KB, packed using UPX.
It registers the following autorun value in the system registry so that its copy is launched at every system start:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Jammer2nd"="%windir%\jammer2nd.exe"
It also creates files named PK_ZIP_ALG.LOG and PK_ZIP.LOG in the Windows directory.
These files are copies of the worm in UUE format and in a ZIP archive.
The worm creates the mutex (S)(k)(y)(N)(e)(t) to flag its presence in the system.
The worm searches all accessible network disks for files with the following extensions:
adb, asp, cfg, cgi, dbx, dhtm, doc, eml, htm, html, jsp, mbx, mdx, mht, mmf, msg, nch, ods, oft, php, pl, ppt, rtf, sht, shtm, stm, tbb, txt, uin, vbs, wab, wsh, xls
and harvests email addresses from them, sending a copy of itself to every address found. The worm uses its own SMTP library to send messages, and attempts to establish a direct connection to the mail server that will receive the infected messages.
Infected messages are generated randomly from the following:
Sender address: chosen at random from addresses found on the victim machine.
Subject (one of):
Hello; Hi; Important; Important bill!; Important data!; Important details!; Important document!; Important informations!; Important notice!; Important textfile!; Important!; Information
Attachment name (one of):
Bill.zip; Data.zip; Details.zip; Important.zip; Informations.zip; Notice.zip; Part-2.zip; Textfile.zip
The attached archive contains a file with one of the following names:
Bill.txt.exe; Data.txt.exe; Details.txt.exe; Important.txt.exe; Informations.txt.exe; Notice.txt.exe; Part-2.txt.exe; Textfile.txt.exe
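The message templates above give a mail gateway three things to check: the fixed subject list, the fixed archive names, and an executable with a double extension hidden inside the ZIP. The following detector is an added example written for this page, not code from the original description; it matches the subject and archive lists verbatim and generalises the inner-file check from `.txt.exe` to any `<name>.<ext>.exe/.scr/.pif` double extension. The sample message it builds (`alice@example.com`, `bob@example.com`, the ZIP contents) is constructed and harmless.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the NetSky.aa description above.
NETSKY_SUBJECTS = {
    "Hello", "Hi", "Important", "Important bill!", "Important data!",
    "Important details!", "Important document!", "Important informations!",
    "Important notice!", "Important textfile!", "Important!", "Information",
}
NETSKY_ARCHIVES = {
    "Bill.zip", "Data.zip", "Details.zip", "Important.zip",
    "Informations.zip", "Notice.zip", "Part-2.zip", "Textfile.zip",
}
# Generalised from the page's "<name>.txt.exe": any double extension ending in an executable type.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{2,4}\.(exe|scr|pif)$", re.IGNORECASE)


def inspect_message(raw: bytes) -> list[str]:
    """Return the NetSky.aa indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)  # EmailMessage API
    findings = []
    if (msg.get("Subject") or "").strip() in NETSKY_SUBJECTS:
        findings.append("subject-in-netsky-list")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name in NETSKY_ARCHIVES:
            findings.append(f"attachment-name:{name}")
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK"):  # ZIP magic: inspect member names, not just the outer name
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if DOUBLE_EXT.search(member):
                            findings.append(f"double-extension-in-zip:{member}")
            except zipfile.BadZipFile:
                findings.append("malformed-zip-attachment")
    return findings


def build_sample() -> bytes:
    """Constructed sample shaped like the templates above; the ZIP holds plain text, not a binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Bill.txt.exe", b"constructed placeholder, not an executable")
    msg = EmailMessage()
    msg["From"] = "alice@example.com"  # stands in for a harvested address
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Important bill!"
    msg.set_content("Please read the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Bill.zip")
    return msg.as_bytes()
```

Run `inspect_message(build_sample())` to see all three indicators fire; a message with an unrelated subject and no attachment returns an empty list.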
The worm opens TCP port 665 on the victim machine to receive arbitrary files and execute them.
Depending on the system clock settings, the worm may conduct DoS attacks on the following sites:
www.educa.ch www.medinfo.ufl.edu www.nibis.de
Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).
In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases, the result is the same: the worm code is activated.
Email-Worms use a range of methods to send infected emails. The most common are:
Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.