W32.Netsky.T@mm

Discovered: April 06, 2004
Updated: April 06, 2004 2:35:15 PM
Systems Affected: Windows

W32.Netsky.T@mm is a mass-mailing worm that sends itself to email addresses it gathers from certain files on the system.

This variant also installs a back door and performs a denial of service attack.

W32.Netsky.T@mm is a mass-mailing worm that uses its own SMTP engine to send itself to all email addresses it gathers from files with the following extensions on drives C through Z:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xls
.xml

The email message typically has the following properties:
The From address is spoofed, using an address harvested from the system.

Subject may be one of the following:
Hello!
Hi!
Re: Important
Important
Re: My details
My details
Re: Your information
Your information
Re: Your details
Your details
Re: Your document
Your document
Re: Request
Request
Re: Thanks you!
Thank you!
Re: Approved
Approved
Re: Hello
Re: Hi
Hello
Approved file
List
Corrected document
Archive
Abuse list
Presentation document
Instructions
Details
Improved document
Note
Message
Contact list
Number list
File
Secound document
Improved file
User list
Textfile
New document
Text
Information
Info
Word document
Excel document
Powerpoint document
Detailed document
Homepage
Letter
Mail
Document
Old document
Approved document
Movie document
Picture document
Summary
Description
Requested document
Notice
Bill
Answer
Release
Final version
Diggest
Important document
Order
Photo document
Personal message
Phone number
E-mail
Icq number
Report
Story
Concept
Developement
Sample
Postcard
Account

The message body is composed of several parts:
The first part may be one of:
Hi!
Hello!

The second part may be one of the following:
Note that I have attached your document.
My %s.
The %s.
I have spent much time for the %s.
I have spent much time for your document.
Your %s.
Please notice the attached %s.
Please notice the attached document.
Please read quickly.
For more details see the attached document.
For more information see the attached document.
Approved, here is the document.
I have found the %s.
My %s is attached.
Your %s is attached.
Please, %s.
Your file is attached to this mail.
Please read the attached document.
Please have a look at the attached document.
See the document for details.
Here is the document.
The requested %s is attached!
I have sent the %s.
Please see the %s.
The %s is attached.
Here is the %s.
Please have a look at the %s.
Please read the %s.

%s is the attachment name.

The third part may be one of the following:
Yours sincerely
Thank you
Thanks

The attachment is constructed in the format <filename>%i.pif where %i is an integer and <filename> is one of the following:
approved_file
list
corrected_document
archive
abuse_list
presentation_document
instructions
details
improved_document
note
message
contact_list
number_list
file
secound_document
improved_file
user_list
textfile
new_document
text
information
info
word_document
excel_document
powerpoint_document
detailed_document
homepage
letter
mail
document
old_document
approved_document
movie_document
picture_document
summary
description
requested_document
notice
bill
answer
release
final_version
diggest
important_document
order
photo_document
personal_message
phone_number
e-mail
icq_number
report
story
concept
developement
sample
postcard
account
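A mail-gateway triage check in Python, added here as an example and not part of the advisory: it flags a raw message whose attachment name fits the `<filename>%i.pif` pattern above and whose body opens with one of the listed greetings and ends with one of the listed closings. The sample message is constructed, and treating the greeting as the first text and the closing as the last is an assumption about layout the advisory does not state.

```python
import email
import re
from email import policy

NETSKY_T_STEMS = (
    "approved_file", "list", "corrected_document", "archive", "abuse_list",
    "presentation_document", "instructions", "details", "improved_document",
    "note", "message", "contact_list", "number_list", "file", "secound_document",
    "improved_file", "user_list", "textfile", "new_document", "text", "information",
    "info", "word_document", "excel_document", "powerpoint_document",
    "detailed_document", "homepage", "letter", "mail", "document", "old_document",
    "approved_document", "movie_document", "picture_document", "summary",
    "description", "requested_document", "notice", "bill", "answer", "release",
    "final_version", "diggest", "important_document", "order", "photo_document",
    "personal_message", "phone_number", "e-mail", "icq_number", "report", "story",
    "concept", "developement", "sample", "postcard", "account",
)
# Stems from the advisory; the worm appends an integer and ".pif" (e.g. user_list7.pif).
ATTACHMENT_RE = re.compile(r"^(?:%s)\d+\.pif$" % "|".join(map(re.escape, NETSKY_T_STEMS)),
                           re.IGNORECASE)
GREETINGS = ("Hi!", "Hello!")
CLOSINGS = ("Yours sincerely", "Thank you", "Thanks")

def netsky_t_indicators(raw_message: bytes) -> list:
    # "attachment": a <stem><integer>.pif name; "body": greeting opens and closing ends
    # the text (the greeting/closing positions are an assumption, not from the page).
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    if any(ATTACHMENT_RE.match(p.get_filename() or "") for p in msg.iter_attachments()):
        hits.append("attachment")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = body.get_content().strip()
        if text.startswith(GREETINGS) and text.endswith(CLOSINGS):
            hits.append("body")
    return hits

# Constructed sample shaped like the advisory's description (not a real capture).
SAMPLE_NETSKY = b"""Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello!
Your user_list7.pif is attached.
Thank you
--b1
Content-Type: application/octet-stream; name="user_list7.pif"
Content-Disposition: attachment; filename="user_list7.pif"

MZ
--b1--"""
```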

When executed, the worm creates the following copies of itself:
%Windir%\EasyAV.exe
%Windir%\uinmzertinmds.opm

It then creates the following registry entry so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\EasyAV = %Windir%\EasyAV.exe

The worm creates two processes from the same executable using the following mutex names:
Protect_USUkUyUnUeUtU_Mutex
SyncMutex_USUkUyUnUeUtU

If one process is terminated, the other process will launch another instance of the worm.

This variant also listens for remote connections on TCP port 6789. The back door allows files to be uploaded and executed on the system.

Finally, if the system date is between April 14 and 24 of 2004, the worm will perform a denial of service attack against the following websites:
www.cracks.am
www.emule.de
www.kazaa.com
www.freemule.net
www.keygen.us