
Discovered: April 20, 2004
Updated: April 20, 2004 8:56:16 PM
Systems Affected: Windows

W32.Netsky.Y@mm is a mass-mailing worm that sends itself to email addresses it gathers from all non-CD-ROM drives on the infected system. It is similar in functionality to W32.Netsky.X@mm, differing only in the format of the mail it sends.

Technical Description

W32.Netsky.Y@mm is a mass-mailing worm that uses its own SMTP engine to send itself to all email addresses it gathers from files on the infected system.

The email message typically has the following characteristics (square brackets denote variables):

From: [spoofed]

Subject: Delivery failure notice (ID-[random number])

Message body:
--- Mail Part Delivered ---
220 Welcome to [[random domain]]
--- text/html RFC 2504
MX [Mail Exchanger] mx.mt2.kl.[random domain]
Exim Status OK

[New/Partial/External/Delivered] message is available.

Attachment: www.[random domain name].[random username].session-[random number].com
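The bounce-style message format above is distinctive enough to match at a mail gateway. The following is an added example (not part of the original advisory) that parses a raw RFC 822 message and reports which W32.Netsky.Y@mm traits it carries; the regular expressions, the sample message and the "attachment plus one more trait" threshold are this example's own assumptions derived from the format described above.

```python
import re
from email import message_from_string

# Patterns built from the message format the advisory describes.
SUBJECT_RE = re.compile(r"^Delivery failure notice \(ID-\d+\)$")
# www.[random domain name].[random username].session-[random number].com
ATTACH_RE = re.compile(r"^www\.[\w.-]+\.[\w-]+\.session-\d+\.com$", re.I)
BODY_MARKERS = ("--- Mail Part Delivered ---", "MX [Mail Exchanger]", "Exim Status OK")

# Constructed sample mimicking the worm's mail (not a real capture).
SAMPLE = """\
From: postmaster@example.com
Subject: Delivery failure notice (ID-5843)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--- Mail Part Delivered ---
MX [Mail Exchanger] mx.mt2.kl.example.com
Exim Status OK
--b1
Content-Type: application/octet-stream; name="www.example.com.alice.session-5843.com"
Content-Disposition: attachment; filename="www.example.com.alice.session-5843.com"

placeholder-bytes
--b1--
"""
# Constructed benign message used as a negative control.
BENIGN = "From: alice@example.com\nSubject: Lunch tomorrow?\n\nStill on for noon?\n"

def netsky_y_indicators(raw):
    """Return the W32.Netsky.Y@mm traits found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "").strip()):
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACH_RE.match(name):
            hits.append("attachment")
        if part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode("utf-8", "replace")
            hits.extend(m for m in BODY_MARKERS if m in text)
    return hits

def is_netsky_y_bounce(raw):
    # Flag only when the attachment name pattern plus at least one other trait match.
    hits = netsky_y_indicators(raw)
    return "attachment" in hits and len(hits) >= 2
```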

When the attachment is executed it copies itself as the following:

It then creates the following registry entry so that it executes every time Windows starts:

It creates the following mutex so that only one instance of the worm executes at once:

It also drops the following MIME-encoded copy of itself on the compromised host:

The worm listens on TCP port 82 for an attacker to send an executable file to be executed on the host.

If the system clock is between April 28th, 2004 and April 30th, 2004, the worm will attempt to perform a denial of service attack against the following sites:

It searches all non-CD-ROM drives on the compromised system to gather email addresses from files with the following extensions:

It then sends itself to all email addresses found in the files and to hukanmikloiuo@yahoo.com.

If an email address (someone@hostname.com) is found, the worm will try to use the default DNS server to resolve the IP address of the mail server for that domain (hostname.com). If that fails, it will attempt to use one of the following DNS servers: