Other versions: .aa, .ac, .b, .c, .d, .e, .m, .o, .q, .r, .t, .x
Email-Worm.Win32.NetSky.y (Kaspersky Lab)
is also known as:
I-Worm.NetSky.y (Kaspersky Lab),
W32/Netsky.x.eml!exe (McAfee), W32.Netsky.X@mm (Symantec), Win32.HLLM.Netsky.based (Doctor Web), W32/Netsky-Y (Sophos), Win32/Netsky.X@mm (RAV), WORM_Netsky.X (Trend Micro), Worm/Netsky.X (H+BEDV), W32/Netsky.X@mm (FRISK), Win32.Netsky.Y@mm (SOFTWIN), Worm.SomeFool.X-msg (ClamAV), W32/Netsky.X.worm (Panda)
This worm spreads via the Internet as a file attached to infected messages.
It is written in Microsoft Visual C++ and packed using PE_Patch+TeLock. The
packed file is 26112 bytes in size, and the unpacked file is 28160 bytes in
size.
Infected messages
The characteristics of infected messages vary according to domain:
Sender's address: hukanmikloiuo@yahoo.com
Domain ".tc":
Message header: Re: belge
Message body: mutlu etmek okumak belgili tanimlik belge.
Attachment name: belge.pif
Domain ".se":
Message header: Re: dokumenten
Message body: Behaga läsa dokumenten.
Attachment name: dokumenten.pif
Domain ".fi":
Message header: Re: dokumentoida
Message body: Haluta kuulua dokumentoida.
Attachment name: dokumentoida.pif
Domain ".pl":
Message header: Re: udokumentowac
Message body: Podobac sie przeczytac ten udokumentowac.
Attachment name: udokumentowac.pif
Domain ".no":
Message header: Re: dokumentet
Message body: Behage lese dokumentet.
Attachment name: dokumentet.pif
Domain ".pt":
Message header: Re: original
Message body: Leia por favor o original.
Attachment name: original.pif
Domain ".it":
Message header: Re: documento
Message body: Legga prego il documento.
Attachment name: documento.pif
Domain ".fr":
Message header: Re: document
Message body: Veuillez lire le document.
Attachment name: document.pif
Domain ".de":
Message header: Re: dokument
Message body: Bitte lesen Sie das Dokument.
Attachment name: dokument.pif
Other domains:
Message header: Re: document
Message body: Please read the document.
Attachment name: document.pif
The worm is activated only if the user launches the infected file by
double-clicking the attachment. It then installs itself on the system and
starts propagating.
Installation
When installing, the worm copies itself under the name FirewallSvr.exe to
the Windows folder and registers this file in the system registry autorun key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FirewallSvr]
Mass mailing
The worm searches for files with the extensions adb, asp, dbx, doc, eml,
htm, html, msg, oft, php, pl, rtf, sht, tbb, txt, uin, vbs, … wab, harvests
email addresses from them and then sends copies of itself to these addresses.
It creates a file in the Windows directory called fuck_you_bagle.txt and writes
its body to this file. This file is then used to generate infected messages.
Remote administration
The worm opens port 82 and listens for activity on it. The backdoor function
makes it possible for files to be downloaded onto the victim machine.
Other
The worm is programmed to carry out DoS attacks between the 27th and 30th
April on the following servers:
www.educa.ch
www.medinfo.ufl.edu
www.nibis.de
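The following is an added triage example, not part of the original description: it checks exported host snapshots and mail metadata against the indicators listed in the Installation, Mass mailing, Remote administration and Other sections above. The input formats (file list, Run-key value paths, listening ports, outbound hosts, subject/attachment pairs) are assumptions about how a responder would export the data.

```python
# Added example (not from the original advisory): triage helpers for the
# NetSky.y indicators described on this page. Inputs are exported snapshots
# rather than live queries, so the checks run offline on any platform.
import re

# Indicators taken from the description above.
DROPPED_FILES = {"firewallsvr.exe", "fuck_you_bagle.txt"}   # Windows folder
RUN_VALUE = r"hklm\software\microsoft\windows\currentversion\run\firewallsvr"
BACKDOOR_PORT = 82                                         # backdoor listener
DOS_TARGETS = {"www.educa.ch", "www.medinfo.ufl.edu", "www.nibis.de"}


def check_host(windows_dir_files, run_values, listening_ports, outbound_hosts=()):
    """Return a list of findings for one host snapshot (assumed export format).

    windows_dir_files: file names found in the Windows folder
    run_values: full registry paths of values under the Run key
    listening_ports: TCP ports with a listening socket
    outbound_hosts: destination host names seen in outbound connections
    """
    findings = []
    for name in windows_dir_files:
        if name.lower() in DROPPED_FILES:
            findings.append(f"dropped file: {name}")
    for path in run_values:
        if path.lower() == RUN_VALUE:
            findings.append(f"autorun value: {path}")
    if BACKDOOR_PORT in listening_ports:
        findings.append(f"backdoor listener on tcp/{BACKDOOR_PORT}")
    for host in outbound_hosts:
        if host.lower() in DOS_TARGETS:
            findings.append(f"traffic to DoS target: {host}")
    return findings


def looks_like_netsky_y(subject, attachment):
    """Mail-gateway heuristic from the message table above: the subject is
    'Re: <word>' and the attachment is '<word>.pif' for the same word."""
    m = re.fullmatch(r"Re: (\w+)", subject.strip())
    return bool(m) and attachment.lower() == f"{m.group(1).lower()}.pif"
```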