W32/Netsky.s@MM

04/06/04 - W32/Netsky.s@MM

This variant of W32/Netsky@MM bears similarities to the previous members of this family. The worm bears the following characteristics:

constructs messages using its own SMTP engine
harvests email addresses from the victim machine
spoofs the From: address of messages
opens a port on the victim machine (TCP 6789)
delivers a DoS attack on certain web sites upon a specific date condition

Mail Propagation

Email addresses are harvested from the victim machine. Files with the following extensions are searched:

.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wsh
.wab
.xls
.xml

Constructed messages bear the following characteristics:

From: this is spoofed (using harvested email addresses)
Subject: various subject lines may be used, for example:

Hello!
Hi!
Re: Important
Important
Re: My details
My details
Re: Your information
Your information
Re: Your details
Your details
Re: Your document
Your document
Re: Request
Request
Re: Thanks you!
Thank you!
Re: Approved
Approved
Re: Hello
Re: Hi
Hello
Hi

Body: various message bodies may be constructed using a pool of strings within the worm:

Attachment: The attachment has a .PIF extension. The filename is constructed from one of the following strings, with a random number appended to it:

account
postcard
sample
developement
concept
story
report
icq_number
e-mail
phone_number
personal_message
photo_document
order
important_document
diggest
final_version
release
answer
bill
notice
requested_document
description
summary
picture_document
movie_document
approved_document
old_document
document
mail
letter
homepage
detailed_document
powerpoint_document
excel_document
word_document
info
information
text
new_document
textfile
user_list
improved_file
secound_document
file
number_list
contact_list
message
note
improved_document
details
instructions
presentation_document
abuse_list
archive
corrected_document
list
approved_file
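
The check below is an added example, not part of the original alert: it applies the attachment naming rule described above (a listed string, a number, then .PIF) to a parsed mail message, the way a gateway filter might. The function names, the sample messages, and the reading of "random number appended" as decimal digits directly before the extension are assumptions of this example.

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Strings copied from this alert's lists (misspellings are the worm's own).
STEMS = """account postcard sample developement concept story report icq_number
e-mail phone_number personal_message photo_document order important_document
diggest final_version release answer bill notice requested_document description
summary picture_document movie_document approved_document old_document document
mail letter homepage detailed_document powerpoint_document excel_document
word_document info information text new_document textfile user_list
improved_file secound_document file number_list contact_list message note
improved_document details instructions presentation_document abuse_list archive
corrected_document list approved_file""".split()
SUBJECTS = {"hello!", "hi!", "important", "my details", "your information",
            "your details", "your document", "request", "thanks you!",
            "thank you!", "approved", "hello", "hi"}
# Assumption: the random number is decimal digits directly before ".pif".
NAME_RE = re.compile(r"(?:%s)\d+\.pif" % "|".join(map(re.escape, STEMS)), re.I)

def classify(raw_message):
    """Return (verdict, reasons) for one RFC 822 message given as text."""
    msg = message_from_string(raw_message)
    reasons = []
    for part in msg.walk():
        name = (part.get_filename() or "").strip()
        if NAME_RE.fullmatch(name):
            reasons.append("name matches worm pattern: " + name)
        elif name.lower().endswith(".pif"):
            reasons.append("other .pif attachment: " + name)
    # A leading "Re:" is ignored; subjects alone are too common to act on.
    subject = re.sub(r"^re:\s*", "", msg.get("Subject", "").strip(), flags=re.I)
    if reasons and subject.lower() in SUBJECTS:
        reasons.append("subject is on the alert's list")
    return ("quarantine" if reasons else "pass"), reasons

def sample(subject, filename=None):
    """Build a constructed test message; addresses and payload are made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("constructed body")
    if filename:
        m.add_attachment(b"inert", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    for s, f in [("Re: Your document", "document4821.pif"),
                 ("Hello", None), ("Minutes", "minutes.pdf")]:
        print(s, f, classify(sample(s, f)))
```

Because the From: address is spoofed, the check deliberately ignores the sender and keys on the attachment name, using the subject only as supporting evidence.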

More info on this worm:
http://vil.nai.com/vil/content/v_101156.htm

Removal Instructions

Go to the following website for removal instructions:

http://vil.nai.com/vil/content/v_101156.htm

Download Stinger to scan for infection:
http://vil.nai.com/vil/stinger
