W32.Netsky.S@mm

Discovered: April 05, 2004
Updated: April 05, 2004 3:52:41 PM
Systems Affected: Windows

W32.Netsky.S@mm is a mass-mailing worm that sends itself to email addresses it gathers from certain files on the system.

This variant also installs a back door and performs a denial of service attack.

W32.Netsky.S@mm is a mass-mailing worm that uses its own SMTP engine to send itself to all email addresses it gathers from files with the following extensions on drives C through Z:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xls
.xml

The email message typically has the following properties:
The From address is spoofed using an address harvested from the infected system.

Subject may be one of the following:
account
postcard
sample
developement
concept
story
report
icq number
e-mail
phone number
personal message
photo document
order
important document
diggest
final version
release
answer
bill
notice
requested document
description
summary
picture document
movie document
approved document
old document
document
mail
letter
homepage
detailed document
powerpoint document
excel document
word document
info
information
text
new document
textfile
user list
improved file
secound document
file
number list
contact list
message
note
improved document
details
instructions
presentation document
abuse list
archive
corrected document
list
approved file
Important
My details
Your information
Your details
Your document
Request
Thank you!
Approved
Hello
Hi

Any of these subjects may also be prefixed with "Re:".

The message body is composed of several parts:
The first part may be one of:
Hi!
Hello!
<blank>

The second part may be one of the following:
Note that I have attached your document.
My <attachment name>.
The <attachment name>.
I have spent much time for the <attachment name>.
I have spent much time for your document.
Your <attachment name>.
Please notice the attached <attachment name>.
Please notice the attached document.
Please read quickly.
For more details see the attached document.
For more information see the attached document.
Approved, here is the document.
I have found the <attachment name>.
My <attachment name> is attached.
Your <attachment name> is attached.
Please, <attachment name>.
Your file is attached to this mail.
Please read the attached document.
Please have a look at the attached document.
See the document for details.
Here is the document.
The requested <attachment name> is attached!
I have sent the <attachment name>.
Please see the <attachment name>.
The <attachment name> is attached.
Here is the <attachment name>.
Please have a look at the <attachment name>.
Please read the <attachment name>.

The third part may be one of the following:
Thanks
Thank you
Yours sincerely
<blank>

The fourth part may be one of:
+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new Panda OnlineAntiVirus
+++ Website: www.pandasoftware.com

+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new MCAfee OnlineAntiVirus
+++ Homepage: www.mcafee.com

+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new F-Secure OnlineAntiVirus
+++ Visit us: www.f-secure.com

+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new Norton OnlineAntiVirus
+++ Free trial: www.norton.com

The attachment is constructed in the format <filename>%i.pif where %i is an integer and <filename> is one of the following:
account
postcard
sample
developement
concept
story
report
icq_number
e-mail
phone_number
personal_message
photo_document
order
important_document
diggest
final_version
release
answer
bill
notice
requested_document
description
summary
picture_document
movie_document
approved_document
old_document
document
mail
letter
homepage
detailed_document
powerpoint_document
excel_document
word_document
info
information
text
new_document
textfile
user_list
improved_file
secound_document
file
number_list
contact_list
message
note
improved_document
details
instructions
presentation_document
abuse_list
archive
corrected_document
list
approved_file
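As an added example (not part of the advisory), the following Python mail-filter heuristic checks an RFC 822 message for the three traits described above: a subject from the worm's list (optionally prefixed with "Re:"), a `<filename>%i.pif` attachment built from the same word list, and the fake "online antivirus" footer. It assumes a subset of the subject list and a constructed sample message.

```python
import re
from email import message_from_string
# Subset of the subject strings listed in the advisory; the attachment base name is
# the same string with spaces replaced by underscores ("phone number" -> phone_number).
SUBJECTS = ("account", "postcard", "developement", "report", "icq number",
            "phone number", "important document", "diggest", "secound document",
            "user list", "abuse list", "approved file", "your details", "hello", "hi")
# Attachment name is <filename>%i.pif; the fake "online antivirus" footer sits in the body.
ATTACH_RE = re.compile(r"^(?:" + "|".join(re.escape(s.replace(" ", "_"))
                       for s in SUBJECTS) + r")\d+\.pif$", re.IGNORECASE)
FAKE_AV_RE = re.compile(r"^\+\+\+ X-Attachment-Status: no virus found$", re.MULTILINE)

def subject_matches(subject: str) -> bool:
    """Subject is one of the worm's strings, optionally prefixed with 'Re:'."""
    s = subject.strip()
    if s.lower().startswith("re:"):
        s = s[3:].strip()
    return s.lower() in SUBJECTS

def netsky_s_indicators(raw_message: str) -> list:
    """Return the Netsky.S traits found in an RFC 822 message (empty list = none)."""
    msg = message_from_string(raw_message)
    hits = []
    if subject_matches(msg.get("Subject", "")):
        hits.append("subject")
    if any(ATTACH_RE.match(p.get_filename() or "") for p in msg.walk()):
        hits.append("pif-attachment")
    body = "\n".join(p.get_payload(decode=True).decode("latin-1")
                     for p in msg.walk() if p.get_content_type() == "text/plain")
    if FAKE_AV_RE.search(body):
        hits.append("fake-av-footer")
    return hits

# Constructed sample mirroring the advisory's template (not a real capture).
SAMPLE = """\
Subject: Re: phone number
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please notice the attached phone_number.
+++ X-Attachment-Status: no virus found
+++ Powered by the new Norton OnlineAntiVirus
--b1
Content-Type: application/octet-stream; name="phone_number42.pif"

x
--b1--
"""
```

A message scoring all three traits is a strong quarantine candidate; a subject hit alone is weak on its own because several subjects ("hello", "hi") are common in legitimate mail.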

When executed, the worm creates the following copies of itself:
%Windir%\EasyAV.exe
%Windir%\uinmzertinmds.opm

It then creates the following registry entry so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\EasyAV = %Windir%\EasyAV.exe

The worm creates two processes from the same executable using the following mutex names:
Protect_USUkUyUnUeUtU_Mutex
SyncMutex_USUkUyUnUeUtU

If one process is terminated, the other process will launch another instance of the worm.

This variant also listens for remote connections on TCP port 6789. The back door allows files to be uploaded and executed on the system.

Finally, if the system date is between April 14 and 24 of 2004, the worm will perform a denial of service attack against the following websites:
www.cracks.am
www.emule.de
www.kazaa.com
www.freemule.net
www.keygen.us