
Email-Worm.Win32.NetSky.aa

Other versions: .ac, .b, .c, .d, .e, .m, .o, .q, .r, .t, .x, .y

Aliases

Email-Worm.Win32.NetSky.aa (Kaspersky Lab) is also known as: W32/Netsky.z@MM (McAfee), W32.Netsky.Z@mm (Symantec), Win32.HLLM.Netsky.22016 (Doctor Web), W32/Netsky-AE (Sophos), Win32/Netsky.Z@mm (RAV), WORM_NETSKY.Z (Trend Micro), Worm/NetSky.AA (H+BEDV), W32/Netsky.AK@mm (FRISK), I-Worm/Netsky.Z (Grisoft), Win32.Netsky.AA@mm (SOFTWIN), Worm.SomeFool.AA-2 (ClamAV), W32/Netsky.Z.worm (Panda), Win32/Netsky.Z (Eset)

Description added: Jun 02 2004
Behavior: Email Worm

Technical details

This worm spreads via the Internet as an attachment to infected emails.

It possesses a backdoor function, and is capable of conducting DoS attacks on Internet sites.

The worm itself is a PE EXE file of approximately 20KB, packed using UPX.

Installation

The worm copies itself to the Windows directory under the name Jammer2nd.exe, and registers this file in the system registry auto-run key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "Jammer2nd"="%windir%\jammer2nd.exe"

It also creates files named PK_ZIP_ALG.LOG and PK_ZIP.LOG in the Windows directory.

These files are copies of the worm in UUE format and in a ZIP archive.

The worm creates the mutex (S)(k)(y)(N)(e)(t) to flag its presence in the system.

Propagation via email

The worm searches all accessible network disks for files with the following extensions:
adb
asp
cfg
cgi
dbx
dhtm
doc
eml
htm
html
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
ppt
rtf
sht
shtm
stm
tbb
txt
uin
vbs
wab
wsh
xls

and harvests email addresses from them, then sends a copy of itself to every address found. The worm uses its own SMTP library to send messages and attempts to connect directly to the mail server that receives mail for each target address.

Characteristics of infected messages

Infected messages are generated randomly from the following:

Sender's address

Chosen at random from addresses found on the victim machine.

Message subject (chosen at random from the list below)

Hello
Hi
Important
Important bill!
Important data!
Important details!
Important document!
Important informations!
Important notice!
Important textfile!
Important!
Information

Attachment name (chosen at random from the list below)

Bill.zip
Data.zip
Details.zip
Important.zip
Informations.zip
Notice.zip
Part-2.zip
Textfile.zip

The attached archive contains a copy of the worm under one of the following names (note the double extension)

Bill.txt.exe
Data.txt.exe
Details.txt.exe
Important.txt.exe
Informations.txt.exe
Notice.txt.exe
Part-2.txt.exe
Textfile.txt.exe
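The subject, attachment and archive-member lists above are fixed, which makes the message pattern easy to flag at a mail gateway. The following Python check is an added example, not part of Kaspersky's description: it parses a raw message, matches the three lists, and inspects ZIP member names without extracting anything; the sample message it builds is constructed here and carries a placeholder payload, not the worm.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Fixed subject / attachment lists from the description above.
SUBJECTS = {"Hello", "Hi", "Important", "Important bill!", "Important data!",
            "Important details!", "Important document!",
            "Important informations!", "Important notice!",
            "Important textfile!", "Important!", "Information"}
STEMS = {"Bill", "Data", "Details", "Important", "Informations", "Notice",
         "Part-2", "Textfile"}
ZIP_NAMES = {s + ".zip" for s in STEMS}          # outer attachment names
INNER_NAMES = {s + ".txt.exe" for s in STEMS}    # double-extension member inside the ZIP


def scan_message(raw: bytes) -> list[str]:
    """Return the NetSky.aa indicators matched by a raw RFC 822 message."""
    msg = message_from_bytes(raw)
    hits = []
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if name in ZIP_NAMES:
            hits.append(f"attachment:{name}")
        payload = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                # Only the member names are inspected; nothing is extracted or run.
                hits.extend(f"member:{m}" for m in zf.namelist() if m in INNER_NAMES)
    return hits


def build_sample() -> bytes:
    """Constructed test message shaped like an infected one; the payload is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Bill.txt.exe", b"PLACEHOLDER, not executable code")
    em = EmailMessage()
    em["From"] = "harvested@example.com"   # constructed address
    em["To"] = "recipient@example.org"     # constructed address
    em["Subject"] = "Important bill!"
    em.set_content("see attachment")
    em.add_attachment(buf.getvalue(), maintype="application",
                      subtype="zip", filename="Bill.zip")
    return em.as_bytes()
```

A subject match alone is weak evidence (the list includes "Hello" and "Hi"); the archive-member match is the strong signal to act on.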

Other

The worm listens on TCP port 665 on the victim machine, accepts arbitrary files sent to it, and executes them.

Depending on the system clock settings, the worm may conduct DoS attacks on the following sites:

www.educa.ch
www.medinfo.ufl.edu
www.nibis.de
Copyright © 1996 - 2010
Kaspersky Lab