W32/Netsky.r@MM

04/01/04 - W32/Netsky.r@MM

This version of the worm bears the following characteristics:

the FSG-packed worm (20,624 bytes) is mailed as a .PIF attachment to email addresses harvested from the victim machine
when executed, this binary launches Notepad on the victim machine
the binary drops a DLL component (18,944 bytes) which contains the worm's functionality (including the SMTP engine and mailing routine)
Proactive Detection
The dropped DLL component is detected as W32/Netsky.q@MM with the 4345 DATs or greater.

When executed on desktops protected by McAfee products running the 4345 DATs (with the 4.2.40 engine or greater), the on-access scanner will trigger when the DLL is written to disk.

In that case, the dropper copies itself to %WinDir% as PANDAAVENGINE.EXE and launches Notepad on the victim machine, but the DLL is blocked, so no mail propagation occurs.

Mail Propagation
The worm contains its own SMTP engine to construct messages. Email addresses are harvested from the following file types on the victim machine:

.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xls
.xml
Additionally, the worm sends mails to the following email address:

jena@yahoo.cz
Outgoing messages are constructed as follows:

From: spoofed (using harvested email addresses)
Subject: Re: Document%n%
Attachment: DOCUMENT%n%.PIF
Body:
Excuse me,
the important document is attached,
Yours sincerely

where %n% is a random number.

Harvested email addresses are used in spoofing the From: address.
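The mail template above and the PANDAAVENGINE.EXE artifact described under Proactive Detection can be turned into simple checks. The following Python is an example added to this alert, not code from McAfee/NAI or the vil.nai.com write-up: it flags a message whose Subject, attachment name and body all follow the template, reports the 20,624-byte attachment size as a separate indicator, and looks in a given Windows directory for the dropper copy. The sample messages, the placeholder attachment contents and the temporary directory it uses are constructed for the example.

```python
"""Indicators from the Netsky.r advisory above, as an added example (not
McAfee/NAI code): a mail-template filter and a host artifact check.
The sample messages and the temporary directory are constructed here."""
import re
import tempfile
from email import message_from_string
from pathlib import Path

SUBJECT_RE = re.compile(r"^Re: Document(\d+)$")
ATTACH_RE = re.compile(r"^DOCUMENT(\d+)\.PIF$", re.IGNORECASE)
BODY_MARKERS = ("excuse me", "the important document is attached", "yours sincerely")
WORM_SIZE = 20624  # size of the FSG-packed worm given in the advisory, in bytes


def scan_message(raw: str) -> dict:
    """Check one RFC 822 message against the advisory's mail template.
    'match' needs the Subject, a DOCUMENT<n>.PIF attachment and the body
    together; attachment size is reported as a separate indicator."""
    msg = message_from_string(raw)
    subject_match = SUBJECT_RE.match((msg.get("Subject") or "").strip()) is not None
    attachment_size = None
    body_text = ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        if filename and ATTACH_RE.match(filename) and attachment_size is None:
            attachment_size = len(payload)  # first matching attachment wins
        elif part.get_content_type() == "text/plain":
            body_text += payload.decode("utf-8", errors="replace").lower()
    body_match = all(marker in body_text for marker in BODY_MARKERS)
    attachment_match = attachment_size is not None
    return {
        "subject_match": subject_match,
        "attachment_match": attachment_match,
        "body_match": body_match,
        "attachment_size": attachment_size,
        "size_match": attachment_size == WORM_SIZE,
        "match": subject_match and attachment_match and body_match,
    }


def dropper_present(windir: Path) -> bool:
    """True if PANDAAVENGINE.EXE, the copy the advisory says the dropper
    leaves when the DLL write is blocked, sits directly under windir.
    NTFS file names are case-insensitive, so compare upper-cased."""
    if not windir.is_dir():
        return False
    return any(p.is_file() and p.name.upper() == "PANDAAVENGINE.EXE"
               for p in windir.iterdir())


def demo_dropper_check() -> tuple:
    """dropper_present() on a constructed directory: empty first, then with
    a placeholder file standing in for the dropper copy."""
    with tempfile.TemporaryDirectory() as d:
        fake_windir = Path(d)
        before = dropper_present(fake_windir)
        (fake_windir / "PandaAvEngine.exe").write_bytes(b"placeholder, not the worm")
        after = dropper_present(fake_windir)
    return before, after


# Constructed sample: follows the advisory's template, with a placeholder
# attachment body (base64 of "placeholder"), not the worm itself.
SAMPLE_WORM = """\
From: alice@example.com
Subject: Re: Document4711
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Excuse me,
the important document is attached,
Yours sincerely

--XYZ
Content-Type: application/octet-stream; name="DOCUMENT4711.PIF"
Content-Disposition: attachment; filename="DOCUMENT4711.PIF"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--XYZ--
"""

# Constructed sample of ordinary mail that a naive "Re: Document" match would hit.
SAMPLE_CLEAN = """\
From: carol@example.com
Subject: Re: Document review
Content-Type: text/plain; charset="us-ascii"

Hi Bob, the quarterly report will follow tomorrow. Thanks.
"""
```

The subject alone is a poor indicator (any reply to a mail titled "Document" would match), which is why the match requires all three template elements; the size check is kept separate because it only identifies the exact 20,624-byte packed sample described here, and the "%n%" in the subject and attachment name is not assumed to be identical.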

Denial Of Service
If the system date is between April 12 and April 16, 2004, the worm launches a Denial of Service attack on the following web sites:

www.keygen.us
www.kazaa.com
www.emule-project.net
www.cracks.am
www.emule.de
The worm also removes various Registry keys and files associated with other viruses.

More info on this worm:
http://vil.nai.com/vil/content/v_101149.htm

Removal Instructions

Go to the following website for removal instructions:

http://vil.nai.com/vil/content/v_101149.htm

Download Stinger to Scan for infection:
http://vil.nai.com/vil/stinger
