W32.Netsky.R@mm

Discovered: March 31, 2004
Updated: March 31, 2004 5:18:58 PM
Systems Affected: Windows

W32.Netsky.R@mm is a mass-mailing worm that sends itself to email addresses it gathers from certain files on the system.

W32.Netsky.R@mm is a mass-mailing worm that uses its own SMTP engine to send itself to all email addresses it gathers from files with the following extensions on drives C through Z:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xls
.xml

The email message typically has the following properties:
The from address is spoofed from an address taken from the system.

Subject:
RE: Document [%i] (where [%i] may be a random number)

Message body:
Excuse me,
the important document is attached,
Your sincerely

Attachment: Document[%i].pif
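The subject and attachment-name patterns above are fixed enough to make a mail-gateway check worthwhile. The following Python script is an added example written for this page, not a Symantec tool: it parses a raw RFC 822 message with the standard library, reports which of the documented traits it carries, and flags a message only when both the "RE: Document [%i]" subject and a "Document[%i].pif" attachment are present. The two sample messages are constructed for the example, not captured worm traffic.

```python
import email
import re
from email import policy

# Patterns taken from the advisory's description of the worm's mail:
# subject "RE: Document [%i]" and attachment "Document[%i].pif".
SUBJECT_RE = re.compile(r"^RE: Document \d+$", re.IGNORECASE)
ATTACHMENT_RE = re.compile(r"^Document\d+\.pif$", re.IGNORECASE)


def netsky_r_indicators(raw_message: str) -> dict:
    """Parse a raw RFC 822 message and report which Netsky.R traits it carries."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    attachment_names = [
        part.get_filename() or ""
        for part in msg.walk()
        if part.get_content_disposition() == "attachment"
    ]
    return {
        "subject_match": bool(SUBJECT_RE.match(subject)),
        "pif_attachment": any(ATTACHMENT_RE.match(n) for n in attachment_names),
        "attachments": attachment_names,
    }


def is_netsky_r(raw_message: str) -> bool:
    """True only when subject and attachment both match; a reply titled
    'RE: Document 12' with a PDF attached is ordinary mail, not the worm."""
    ind = netsky_r_indicators(raw_message)
    return ind["subject_match"] and ind["pif_attachment"]


# Constructed sample messages for this example (not real captures).
SAMPLE_WORM = """From: alice@example.com
To: bob@example.com
Subject: RE: Document 4829
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Excuse me,
the important document is attached,
Your sincerely
--XYZ
Content-Type: application/octet-stream; name="Document4829.pif"
Content-Disposition: attachment; filename="Document4829.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ--
"""

SAMPLE_BENIGN = """From: carol@example.com
To: bob@example.com
Subject: RE: Document 12
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain

See the attached minutes.
--ABC
Content-Type: application/pdf; name="minutes.pdf"
Content-Disposition: attachment; filename="minutes.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--ABC--
"""

if __name__ == "__main__":
    for label, sample in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(label, is_netsky_r(sample), netsky_r_indicators(sample))
```

Requiring both traits keeps the false-positive rate down on legitimate replies; the spoofed From address is deliberately not used as an indicator, since the advisory says it is taken from a real address on the infected system.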

When executed, the worm creates the following copies of itself:
%windir%\PandaAVEngine.exe
%windir%\temp09094283.dll
%windir%\uinmzertinmds.opm

It then creates the following registry entry so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\PandaAVEngine = %windir%\PandaAVEngine.exe
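The dropped file names and the Run value above are the host-side indicators an incident responder would check. The script below is an added example for this page, not part of the advisory: it parses the text that `reg query` prints for the Run key (the key line unindented, followed by indented "name type data" lines; that layout is assumed here) and flags any entry whose value name is PandaAVEngine or whose target file is one of the three dropped files. The sample output is constructed, not taken from a real host.

```python
import re

# Persistence indicators from the advisory. File names are compared in
# lower case because Windows paths are case-insensitive.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED_FILES = {"pandaavengine.exe", "temp09094283.dll", "uinmzertinmds.opm"}
RUN_VALUE_NAME = "pandaavengine"

# Assumed "reg query" layout: indented lines of "<name>  <REG_type>  <data>".
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(output: str) -> list[tuple[str, str, str, str]]:
    """Return (key, value_name, type, data) tuples from reg query output."""
    entries = []
    current_key = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            current_key = line.strip()      # unindented line names the key
            continue
        m = VALUE_LINE.match(line)
        if m and current_key:
            entries.append((current_key, m.group(1), m.group(2), m.group(3).strip()))
    return entries


def find_netsky_r_persistence(output: str) -> list[tuple[str, str, str, str]]:
    """Flag Run entries whose name or target file matches the worm's artifacts."""
    hits = []
    for key, name, vtype, data in parse_reg_query(output):
        if key.lower() != RUN_KEY.lower():
            continue
        # Take the file name from the data, whether it uses %windir% or C:\WINDOWS.
        target = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name.lower() == RUN_VALUE_NAME or target in DROPPED_FILES:
            hits.append((key, name, vtype, data))
    return hits


# Constructed sample of "reg query <Run key>" output (not from a real host).
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon           REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    PandaAVEngine    REG_SZ    C:\WINDOWS\PandaAVEngine.exe
"""

if __name__ == "__main__":
    for hit in find_netsky_r_persistence(SAMPLE_OUTPUT):
        print("suspicious Run entry:", hit)
```

Matching on both the value name and the target file name matters: a Run entry can be renamed by a variant while still pointing at the same dropped binary, and the reverse is equally possible.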

When the worm performs its mass-mailing routine, it may also send a message to the address jena@yahoo.cz.

Finally, if the system date is between April 12 and 16 of 2004, the worm will perform a denial of service attack against the following websites:
www.keygen.us
www.kazaa.com
www.emule-project.net
www.cracks.am
www.emule.de