02/25/04 - Netsky.c
Due to an increase in prevalence, AVERT has raised the risk assessment of this threat to MEDIUM.
This virus spreads via email and mapped drives. It mails itself to addresses found on the victim's machine and copies itself to folders on drives C: through Z:. The virus also attempts to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses.
Mail propagation
The virus may be received in an email message as follows:
From: (forged address taken from infected system)
Subject / Body: (taken from the following list)
Your provider will be disabled!
tell me more about your document!
explain!
do not visit the pages on the list I sent!
do not open the attachment!
do not use this creditcard!
do not use my document!
solve the problem!
Authentification required. Read the attachment!
Antispam is turned off. See file!
is the pic a fake?
your document is silly!
Login required! Read the attachment!
feel free to use it.
here is the
here is my photo!
here is my advice.
You are infected. Read the details!
see your name!
I 've found your bill!
Transaction failed. Show the doc!
do you have an orgasm in the picture?
try this patch!
Your bill.
fast food...
Microsoft
in your mind?
this is an attachment message!
new patch is available!
do not show this anyone!
its private from me
you have done a mistake in the document!
are you a photographer?
do you know the thief?
lets talk about it!
your lie is going around the world!
you have a sexy body in the pic!
do you have sex in the picture?
does it belong to you?
are you the one?
are you the naked person!
are you the naked one?
is that your domain?
is that your slip?
is that your beast?
is that your family?
is that your work?
is that your porn pic?
your are naked?
is that your finger?
is that your cd?
is that your message?
is that your TAN?
is that your privacy?
is this information about you?
money?
did you know that?
bob the builder
are you cranky?
be mad?
you look like an rat?
you look like an ape!
let it!
incest?
you are sexy in this doc!
here is the $%%454$
great job!
do not give up!
is that your car?
it's so similar as yours!
this is nothing for kids!
it's a secret!
see this!
correct it!
i need you!
;-)
what?
trial?
doc?
i don't want your xxx pics!
xxx about you?
a crazy doc about you
here is yours!
child or adult?
man or women?
great xxx!
<< >>
i've found it about you
my advice....
personal message!
only encrypted!
how?
who?
what still?
copyright?
you cannot hide yourself! (see photo)
your account is expired!
xxx service
i saw you last week!
File is bad.
File is damaged.
File is self-decryting.
your face?
your eyes?
your body?
the truth?
best?
i have received this.
does it matter?
drugs? ...
forgotten?
already?
do you have the bug also?
do you think so?
is that your photo?
is that your creditcard?
is that your wife?
did you see her already?
attachi#
here is the next one!
i want more...
<09580985869gj>
schoolfriend?
docs?
pretty pic about you?
i don't think so.
great!
excellent!
good work!
poor quality!
never!
wrong calculation! (see the attachment!)
did you know from this document?
something is not ok
something is going ...
is that possible?
your job? (I found that!)
you are bad
did you ask me for that?
you have tried to steal!
possible?
meaning of that?
you feel the same.
is that your website?
is that your attachment?
you earn money, see the attachment!
your attachment? verify it.
misc. and so on. see you!
yes.
your personal record?
modifications?
i am desperate
your icq number?
thats wrong!
you are naked in this document!
why?
take it easy!
your TAN number?
important?
your design is not good!
msg
reply
is that the reality?
i am speachless about your document!
i lost that
instruct me about this!
do you have?
that's not the truth?
that's a funny text.
what do you think about it?
i like your doc!
here, the cheats
is that criminal?
here, the introduction
are you a teacherin the picture?
here, the serials
love letter?
from your lover ;-)
from the chatter (my photo!)
kill him on the picture!
doc about me?
the information is wrong!
information about you?
your photo is poor
something is going wrong!
your document is not good
stuff about you?
xxx ?
greetings
child porn?
test it
another pic, have fun! ... :->
her.
pages?
why should I?
this file is bad!
did you sent it to me?
i know your document!
do you know this????
really?
time to fear?
i found this document about you.
does it match?
your name is wrong!
i hope thats not true!
old photos about you?
kill the writer of this document!
classroom test of you?
something about you!
you won the rk!
I have your password!
I don't know your document!
you are a bad writer
is that yours?
abuse?
I wait for an answer!
pwd?
is that your account?
message?
picture?
is that your name?
account?
is that true?
illegal st. of you?
here is it.
yours?
your hero in the picture?
i found that about you!
read it immediately!
*lol*
here is the document.
gonna?
read the details.
such as yours?
i wait for your comment about it.
that is interesting...
ok...
<...>
help attached
what means that?
oh
notice!
its me
I'm back!
last chance!
lol
Re: <5664ddff?$??§2>
notification
denied!
Question
believe me
Re: hello
Re: important
Re: hi
excuse me
Re: hey
exception
something for you
you?
Re: Re: Re: Re:
re:
take it
error
illegal...
good morning
private?
stolen
Here is it
Re: information
info
what's up?
moin
warning
fake?
Re: unknown
dear
hello
important
Yep
Re: does it?
hi
read it immediatelly
Re: excuse me
hey
trust me
question
report
Status
Delivery Failed
Attachment: The attachment may be either a ZIP (containing the worm) or an EXE, with either a single or double file extension.
The attachment filename varies (according to strings carried in the worm), for example:
454543403
aboutyou
associal
attach2
auction
transfer
bill
birth
card
concert
moonlight
death
details
description
creditcard
dinner
disco
doc
yours
doc_ang
jokes
document
final
found
freaky
image
incest
information
sexy
injection
intimate stuff
letter
location
mail2
mails
masturbation
material
me
message
talk
msg2
music
myaunt
mydate
naked1
naked2
news
nomoney
note
nothing
misc
number_phone
object
old_photos
part2
party
paypal
pic
attachment
portmoney
posting
poster
privacy
id
product
class_photos
ps
ranking
regards
website
more
regid
release
response
schock
secrets
sexual
shower
story
stuff
swimmingpool
tear
textfile
topseller
trash
undefinied
unfolds
friend
update
violence
visa
warez
webcam
wife
word_doc
worker
your_stuff
The file extension may be single or double, where the double extension is constructed from the following:
The first extension may be:
.doc
.htm
.rtf
.text
The last extension is one of the following:
.com
.exe
.pif
.scr
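The naming pattern above (a ZIP carrying the worm, or an executable whose name ends in one of the four executable extensions, optionally preceded by a document-like extension) is easy to check at the mail gateway. The following is an added example, not McAfee's or the worm's code: it recognises the single/double extension pattern from the lists on this page, looks inside an in-memory ZIP for members with the same pattern, and matches the subject against a small subset of the strings listed above. The subject subset, the sample ZIP and its placeholder payload are constructed for the example.

```python
import io
import zipfile

# Extension pairs listed on this page: a document-like first extension
# followed by one of the executable extensions.
FIRST_EXTENSIONS = {".doc", ".htm", ".rtf", ".text"}
LAST_EXTENSIONS = {".com", ".exe", ".pif", ".scr"}

# Constructed subset of the subject/body strings listed on this page,
# lower-cased so matching is case-insensitive.
KNOWN_SUBJECTS = {
    "your provider will be disabled!",
    "do not open the attachment!",
    "authentification required. read the attachment!",
    "login required! read the attachment!",
    "transaction failed. show the doc!",
    "you are infected. read the details!",
    "delivery failed",
    "re: hello",
}


def executable_extensions(filename):
    """Return the trailing extension(s) of filename that match the page's
    single/double executable naming pattern, or None if it does not match.

    'document.doc.exe' -> ('.doc', '.exe'); 'bill.pif' -> ('.pif',); 'note.txt' -> None
    """
    parts = filename.lower().rsplit(".", 2)  # keep at most the last two extensions
    if len(parts) < 2:
        return None
    last = "." + parts[-1]
    if last not in LAST_EXTENSIONS:
        return None
    if len(parts) == 3 and "." + parts[-2] in FIRST_EXTENSIONS:
        return ("." + parts[-2], last)
    return (last,)


def zip_members_with_executables(data):
    """List members of an in-memory ZIP whose names match the executable pattern.

    Returns [] for data that is not a ZIP, so a corrupt attachment never raises.
    """
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return []
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        return [name for name in zf.namelist() if executable_extensions(name)]


def scan_message(subject, attachment_name, attachment_bytes=b""):
    """Return the reasons a message resembles the Netsky.c pattern on this page.

    An empty list means nothing matched.
    """
    reasons = []
    if subject.strip().lower() in KNOWN_SUBJECTS:
        reasons.append("subject matches a known Netsky.c string")
    exts = executable_extensions(attachment_name)
    if exts:
        reasons.append("attachment uses executable extension(s) " + "".join(exts))
    if attachment_name.lower().endswith(".zip"):
        for member in zip_members_with_executables(attachment_bytes):
            reasons.append("ZIP member has executable extension: " + member)
    return reasons


def make_sample_zip(member_name, payload=b"placeholder text, not a real worm body"):
    """Constructed helper: build a ZIP in memory holding a harmless text payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_zip("document.doc.exe")
    for reason in scan_message("Re: hello", "document.zip", sample):
        print(reason)
```

The check is deliberately on the trailing extensions rather than on the full base-name list, because the base names on this page are ordinary words that would produce false positives on their own; the extension pattern combined with a ZIP-member inspection is what distinguishes this attachment from a normal document.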
The mailing component harvests addresses from the local system. Files with the following extensions are targeted:
.adb
.asp
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.oft
.php
.pl
.rtf
.sht
.shtm
.msg
.tbb
.txt
.uin
.vbs
.wab
It does not send itself to addresses that contain one of the following strings:
abuse
fbi
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
avp
spam
ymantec
antivi
icrosoft
The virus sends itself via SMTP, constructing messages with its own SMTP engine. It queries the DNS server for the target domain's MX record, connects directly to that domain's MTA, and sends the message.
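Because the worm delivers mail directly to each target domain's MX host instead of through the organisation's relay, an ordinary workstation opening TCP/25 connections to many different external hosts is a strong network-level indicator. The following is an added example, not part of this advisory: it parses constructed firewall log lines (the log format, the 10.0.0.0/8 internal range and the relay address 10.0.0.5 are assumptions for the sample) and reports internal hosts other than the permitted relay that connected to port 25 on several distinct external addresses.

```python
import re
from collections import defaultdict

# Constructed firewall log lines for the example; not taken from the page.
SAMPLE_LOG = """\
2004-02-25T10:01:02 ALLOW TCP 10.0.5.21:1203 -> 198.51.100.7:25
2004-02-25T10:01:03 ALLOW TCP 10.0.5.21:1204 -> 203.0.113.18:25
2004-02-25T10:01:05 ALLOW TCP 10.0.5.21:1205 -> 192.0.2.44:25
2004-02-25T10:01:06 ALLOW TCP 10.0.5.21:1206 -> 198.51.100.9:25
2004-02-25T10:01:10 ALLOW TCP 10.0.0.5:2210 -> 198.51.100.7:25
2004-02-25T10:01:11 ALLOW TCP 10.0.5.22:1300 -> 10.0.0.5:25
2004-02-25T10:01:12 ALLOW TCP 10.0.5.23:1401 -> 192.0.2.80:80
"""

# Assumed log format: "<timestamp> <action> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^\S+ (?P<action>\w+) TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

MAIL_RELAY = "10.0.0.5"  # assumption: the only host allowed to send mail outbound


def is_internal(ip):
    """Assumption for the sample network: everything in 10.0.0.0/8 is internal."""
    return ip.startswith("10.")


def parse_line(line):
    """Return (src, dst, dport) for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def direct_to_mx_suspects(log_text, relay=MAIL_RELAY, min_destinations=3):
    """Map each non-relay internal host that opened TCP/25 to at least
    min_destinations distinct external hosts onto the sorted list of those hosts.

    Setting min_destinations=1 turns this into a strict policy check
    (no workstation may speak SMTP to the outside at all).
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole scan
        src, dst, dport = parsed
        if dport != 25 or src == relay:
            continue
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> external SMTP is interesting here
        seen[src].add(dst)
    return {
        src: sorted(dsts)
        for src, dsts in seen.items()
        if len(dsts) >= min_destinations
    }


if __name__ == "__main__":
    for host, targets in direct_to_mx_suspects(SAMPLE_LOG).items():
        print(host, "contacted", len(targets), "external MX hosts:", ", ".join(targets))
```

The corresponding mitigation is an egress rule that permits outbound TCP/25 only from the designated relay, which both stops this propagation path and makes any remaining port-25 attempts from workstations an unambiguous alert.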
Removal instructions can be found on this page:
http://vil.nai.com/vil/content/v_101048.htm
Download Stinger to scan for infection:
http://vil.nai.com/vil/stinger
More info on this worm:
http://vil.nai.com/vil/content/v_101048.htm