W32.Netsky.X@mm

Discovered: April 20, 2004
Updated: April 20, 2004 3:18:12 PM
Systems Affected: Windows

W32.Netsky.X@mm is a mass-mailing worm that sends itself to email addresses it gathers from files on all non-CD-ROM drives of the infected system.

W32.Netsky.X@mm uses its own SMTP engine to send itself to every email address it gathers from files on the compromised system.

The email message typically has the following properties:

The From address is spoofed, and the Subject, Body, and Attachment of the email vary. The attachment has been reported to carry a .pif extension. The following are examples of the values used in each field of the worm email:
Subject:
Re: dokumenten
Re: dokumentet
Re: dokumentoida
Re: belge
Re: original
Re: udokumentowac
Re: document
Re: documento

Message body:
Haluta kuulua dokumentoida.
Legga prego il documento.
Please read the document.
Veuillez lire le document.
Behage lese dokumentet.
Bitte lesen Sie das Dokument.
Leia por favor o original.
Podobac sie przeczytac ten udokumentowac.
mutlu etmek okumak belgili tanimlik belge.

Attachment:
document
documento
original
dokument
dokumentet
udokumentowac

When the attachment is executed, the worm copies itself to the following location:
%Windir%\FirewallSvr.exe

It then creates the following registry entry so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FirewallSvr=%Windir%\FirewallSvr.exe

It creates the following mutex so that only one instance of the worm executes at once:
"____--->>>>U<<<<--____"

It also drops the following MIME-encoded copy of itself on the compromised host:
%Windir%\fuck_you_bagle.txt

The worm listens on TCP port 82 for an attacker to send an executable file to be executed on the host.

If the system clock is between April 28th, 2004 and April 30th, 2004, the worm attempts a denial-of-service attack against the following sites:
www.nibis.de
www.medinfo.ufl.edu
www.educa.ch

It searches all non-CD-ROM drives on the compromised system and gathers email addresses from files with the following extensions:
.eml
.txt
.php
.cfg
.mbx
.mdx
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.abd
.tbb
.dbx
.pl
.htm
.html
.sht
.oft
.msg
.ods
.stm
.xls
.jsp
.wsh
.xml
.mht
.mmf
.nch
.ppt

It then sends itself to all e-mail addresses found in the files and to hukanmikloiuo@yahoo.com.

For each email address it finds (for example someone@hostname.com), the worm first uses the system's default DNS server to resolve the mail domain (hostname.com). If that lookup fails, it falls back to one of a hard-coded list of alternative DNS servers.

The worm also checks the top-level domain of the recipient's email address and may build the Subject, Message, and Attachment in the language associated with that country's top-level domain.

Some email examples used by the worm are given below:
If the top level domain is .de:
Subject: Re: dokument
Message: Bitte lesen Sie das Dokument.
Attachment: dokument.pif

If the top level domain is .fr:
Subject: Re: document
Message: Veuillez lire le document.
Attachment: document.pif

If the top level domain is .it:
Subject: Re: documento
Message: Legga prego il documento.
Attachment: documento.pif

If the top level domain is .pt:
Subject: Re: original
Message: Leia por favor o original.
Attachment: original.pif

If the top level domain is .no:
Subject: Re: dokumentet
Message: Behage lese dokumentet.
Attachment: dokumentet.pif

If the top level domain is .pl:
Subject: Re: udokumentowac
Message: Podobac sie przeczytac ten udokumentowac.
Attachment: udokumentowac.pif

If the top level domain is .fi:
Subject: Re: dokumentoida
Message: Haluta kuulua dokumentoida.
Attachment: dokumentoida.pif

If the top level domain is .se:
Subject: Re: dokumenten
Message: Behaga lõsa dokumenten.
Attachment: dokumenten.pif

If the top level domain is .tc:
Subject: Re: belge
Message: mutlu etmek okumak belgili tanimlik belge.
Attachment: belge.pif

Otherwise the worm uses the following characteristics:
Subject: Re: document
Message: Please read the document.
Attachment: document.pif
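The lure pattern documented above (a "Re: <word>" subject paired with a "<word>.pif" attachment and one of the listed message texts) can be turned into a mail-gateway check. This is an added example for this write-up, not code from Symantec or from the worm; the sample messages and the example.invalid addresses are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure words and message texts copied from the per-TLD table in this write-up.
LURE_WORDS = {"dokument", "document", "documento", "original", "dokumentet",
              "udokumentowac", "dokumentoida", "dokumenten", "belge"}
LURE_TEXTS = {"Bitte lesen Sie das Dokument.", "Veuillez lire le document.",
              "Legga prego il documento.", "Leia por favor o original.",
              "Behage lese dokumentet.", "Podobac sie przeczytac ten udokumentowac.",
              "Haluta kuulua dokumentoida.", "Behaga lõsa dokumenten.",
              "mutlu etmek okumak belgili tanimlik belge.", "Please read the document."}


def classify(raw: bytes) -> dict:
    """Score one RFC 822 message against the Netsky.X lure pattern.

    A positive verdict needs the 'Re: <word>' subject AND a '<word>.pif'
    attachment named after the same word; the body text is a supporting
    indicator only, so a translated or edited body does not evade the check.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    word = subject[3:].strip().lower() if subject.lower().startswith("re:") else ""
    subject_hit = word in LURE_WORDS
    names = {(p.get_filename() or "").lower() for p in msg.iter_attachments()}
    attach_hit = subject_hit and f"{word}.pif" in names
    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content().strip() if text_part is not None else ""
    return {"subject": subject_hit, "attachment": attach_hit,
            "body": body in LURE_TEXTS, "verdict": subject_hit and attach_hit}


def build_sample(word: str, text: str, filename: str) -> bytes:
    """Constructed test message (not captured traffic) laid out like the worm's."""
    m = EmailMessage()
    m["From"] = "spoofed.sender@example.invalid"   # Netsky.X forges the From address
    m["To"] = "recipient@example.invalid"
    m["Subject"] = f"Re: {word}"
    m.set_content(text)
    m.add_attachment(b"placeholder-bytes-not-a-real-binary", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    hit = build_sample("dokument", "Bitte lesen Sie das Dokument.", "dokument.pif")
    miss = build_sample("document", "Please see attached.", "document.pdf")
    print(classify(hit)["verdict"], classify(miss)["verdict"])  # True False
```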