1. /
  2. Security Response/
  3. W32.Netsky.B@mm

W32.Netsky.B@mm

Risk Level 2: Low

Discovered:
February 18, 2004
Updated:
February 18, 2004 8:55:33 PM
Systems Affected:
Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000
W32.Netsky.B@mm is a mass-mailing worm that uses its own SMTP engine to send itself to all email addresses it gathers from files with the following extensions:
.msg
.oft
.sht
.dbx
.tbb
.adb
.doc
.wab
.asp
.uin
.rtf
.vbs
.html
.htm
.pl
.php
.txt
.eml

The email message typically has the following properties:
From address will be spoofed.

Subject can be one of the following:
hi
hello
read it immediately
something for you
warning
information
stolen
fake
unknown

Message body can be any of the following:
anything ok?
what does it mean?
ok
i'm waiting
read the details.
here is the document.
read it immediately!
my hero
here
is that true?
is that your name?
is that your account?
i wait for a reply!
is that from you?
you are a bad writer
I have your password!
something about you!
kill the writer of this document!
i hope it is not true!
your name is wrong
i found this document about you
yes, really?
that is bad
here it is
see you
greetings
stuff about you?
something is going wrong!
information about you
about me
from the chatter
here, the serials
here, the introduction
here, the cheats
that's funny
do you?
reply
take it easy
why?
thats wrong
misc
you earn money
you feel the same
you try to steal
you are bad
something is going wrong
something is fool

Attachment name will be one of the following:
document
msg
doc
talk
message
creditcard
details
attachment
me
stuff
posting
textfile
concert
information
note
bill
swimmingpool
product
topseller
ps
shower
aboutyou
nomoney
found
story
mails
website
friend
jokes
location
final
release
dinner
ranking
object
mail2
part2
disco
party
misc

with one of the following extensions:
.exe
.scr
.com
.pif

When it is executed, it creates the following copy of itself:
%Windir%\Services.exe

It also creates the mutex "AdmSkynetJKIS003".

It then creates the following registry entry so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service = %Windir%\services.exe -serv

The worm also deletes the following registry entries associated with Mydoom and Mimail variants:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\system

To propagate through network drives, the worm searches drives C through Z for folder names containing the strings "Share" or "Sharing". If the drive is writeable, the worm copies itself to the folder and all subfolders as the following:
doom2.doc.pif
sex sex sex sex.doc.exe
rfc compilation.doc.exe
dictionary.doc.exe
win longhorn.doc.exe
e.book.doc.exe
programming basics.doc.exe
how to hack.doc.exe
max payne 2.crack.exe
e-book.archive.doc.exe
virii.scr
nero.7.exe
eminem - lick my pussy.mp3.pif
cool screensaver.scr
serial.txt.exe
office_crack.exe
hardcore porn.jpg.exe
angels.pif
porno.scr
matrix.scr
photoshop 9 crack.exe
strippoker.exe
dolly_buster.jpg.pif
winxp_crack.exe

It also creates the following zip archives in the Windows directory containing copies of the worm:
document.zip
msg.zip
doc.zip
talk.zip
message.zip
creditcard.zip
details.zip
attachment.zip
me.zip
stuff.zip
posting.zip
textfile.zip
concert.zip
information.zip
note.zip
bill.zip
swimmingpool.zip
product.zip
topseller.zip
ps.zip
shower.zip
aboutyou.zip
nomoney.zip
found.zip
story.zip
mails.zip
website.zip
friend.zip
jokes.zip
location.zip
final.zip
release.zip
dinner.zip
ranking.zip
object.zip
mail2.zip
part2.zip
disco.zip
party.zip
misc.zip
Summary| Technical Details

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report