W32/Netsky.x@MM
- Type
- Virus
- SubType
- E-mail worm
- Discovery Date
- 04/20/2004
- Length
- 26,112 Bytes
- Minimum DAT
- 4348 (04/06/2004)
- Updated DAT
- 4994 (03/28/2007)
- Minimum Engine
- 5.1.00
- Description Added
- 04/20/2004
- Description Modified
- 04/20/2004 10:07 AM (PT)
Characteristics
This worm is detected with current DATs as W32/Netsky.gen@MM with scanning compressed files enabled. Specific detection will be added to the 4352 DATs.
It bears the following characteristics:
- constructs messages using its own SMTP engine
- harvests email addresses from the victim machine
- spoofs the From: address of messages
- delivers a DoS attack on certain web sites.
Mail Propagation
Email addresses are harvested from the victim machine. Files with the following extensions are searched:
- .adb
- .asp
- .cfg
- .cgi
- .dbx
- .dhtm
- .doc
- .eml
- .htm
- .html
- .jsp
- .mbx
- .mdx
- .mht
- .mmf
- .msg
- .nch
- .ods
- .oft
- .php
- .pl
- .ppt
- .rtf
- .sht
- .shtm
- .stm
- .tbb
- .txt
- .uin
- .vbs
- .wsh
- .wab
- .xls
- .xml
Subject: (taken from the following list):
- Re: document
- Re: belge
- Re: dokumenten
- Re: dokumentoida
- Re: udokumentowac
- Re: dokumentet
- Re: original
- Re: documento
- Re: dokument
Body: (taken from the following list):
- Please read the document
- Bitte lesen Sie das Dokument.
- Veuillez lire le document.
- Legga prego il documento.
- Leia por favor o original.
- Behage lese dokumentet.
- Podobac sie przeczytac ten udokumentowac.
- Haluta kuulua dokumentoida.
- mutlu etmek okumak belgili tanimlik belge.
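The fixed Subject and Body strings above make the lure messages easy to recognise at the mail gateway. The following is an added example (not McAfee's code) that parses a raw RFC 822 message and reports which of the worm's strings it matches; the two sample messages are constructed for illustration. The subject lines are ordinary enough to appear in legitimate mail, so only the distinctive machine-translated body text is treated as a positive match.

```python
"""Flag W32/Netsky.x@MM lure messages by the worm's fixed Subject/Body lists.

Added example, not from the original description. Sample messages below are
constructed, not captured samples.
"""
import email
from email import policy

# Strings the worm chooses from (taken from the lists in the description).
NETSKY_X_SUBJECTS = {
    "re: document", "re: belge", "re: dokumenten", "re: dokumentoida",
    "re: udokumentowac", "re: dokumentet", "re: original", "re: documento",
    "re: dokument",
}
NETSKY_X_BODIES = {
    "please read the document",
    "bitte lesen sie das dokument.",
    "veuillez lire le document.",
    "legga prego il documento.",
    "leia por favor o original.",
    "behage lese dokumentet.",
    "podobac sie przeczytac ten udokumentowac.",
    "haluta kuulua dokumentoida.",
    "mutlu etmek okumak belgili tanimlik belge.",
}


def classify_message(raw: bytes) -> dict:
    """Return which Netsky.x lure indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    subject_hit = subject in NETSKY_X_SUBJECTS
    body_hit = body in NETSKY_X_BODIES
    # "Re: document" alone is too common to alert on; the body text is the
    # distinctive indicator, so it decides the verdict on its own.
    return {"subject": subject_hit, "body": body_hit, "suspicious": body_hit}


# Constructed sample: a lure message in the worm's Norwegian variant.
SAMPLE_LURE = b"""From: someone@example.net
To: victim@example.net
Subject: Re: dokumentet
Content-Type: text/plain; charset=us-ascii

Behage lese dokumentet.
"""

# Constructed sample: a legitimate reply that happens to share a subject line.
SAMPLE_BENIGN = b"""From: colleague@example.net
To: victim@example.net
Subject: Re: document
Content-Type: text/plain; charset=us-ascii

Hi, I have attached the revised document for review, see section 3.
"""
```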
System Changes
The worm installs itself on the victim machine as FirewallSvr.exe in the Windows directory:
- %WinDir%\FirewallSvr.exe
The following Registry key is added to hook system startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "FirewallSvr" = %WinDir%\FirewallSvr.exe
A base64-encoded copy of the worm is also dropped into the %WinDir% folder.
For example: C:\Winnt\f**k_you_bagle.txt
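The two persistence artefacts above (the Run-key value and the base64 text drop) can be checked from captured data without touching a live machine. This is an added example, not McAfee's code: it parses the output of `reg query` on the Run key and decodes only the first four base64 characters of a candidate text file, which is enough to recover the "MZ" DOS header signature of a PE image. The `reg query` output and file body below are constructed samples.

```python
"""Checks for the W32/Netsky.x@MM persistence artefacts described above.

Added example, not from the original description. The registry output and
dropped-file body are constructed samples.
"""
import base64
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# `reg query` prints each value indented as: <name>  <REG_type>  <data>
_VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def find_netsky_x_run_entries(reg_query_output: str) -> list:
    """Return Run-key values named FirewallSvr or pointing at FirewallSvr.exe."""
    hits = []
    for line in reg_query_output.splitlines():
        m = _VALUE_RE.match(line)
        if not m:
            continue  # key header, blank line, or unparsable line
        name, _reg_type, data = m.groups()
        if name.lower() == "firewallsvr" or data.lower().endswith("\\firewallsvr.exe"):
            hits.append({"name": name, "data": data})
    return hits


def looks_like_base64_pe(text: str) -> bool:
    """True if a text file body is a base64-encoded PE image.

    Base64 packs 3 bytes into 4 characters, so decoding the first 4 characters
    yields the first 3 bytes of the file; a PE starts with the 'MZ' signature.
    """
    head = text.lstrip()[:4]
    if len(head) < 4:
        return False
    try:
        return base64.b64decode(head, validate=True)[:2] == b"MZ"
    except ValueError:  # binascii.Error (not base64) is a ValueError subclass
        return False


# Constructed sample of `reg query "<RUN_KEY>"` output on an infected host.
SAMPLE_REG_QUERY = (
    "\r\n"
    + RUN_KEY + "\r\n"
    "    FirewallSvr    REG_SZ    C:\\WINNT\\FirewallSvr.exe\r\n"
    "    ExampleTool    REG_SZ    C:\\Program Files\\Example\\tool.exe\r\n"
)

# Constructed sample: the start of a base64-encoded DOS/PE header.
SAMPLE_DROPPED_TXT = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAA"
```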
Denial of Service
If the local system date is between April 28th and April 30th, it targets the following remote servers in a denial of service attack:
- www.educa.ch
- www.nedinfo.ufl.edu
- www.nibis.de
Symptoms
Method of Infection
This worm spreads by email, constructing messages using its own SMTP engine.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32.Netsky.X@mm (NAV)
- WORM_NETSKY.X (Trend)