W32.Netsky.Y@mm


Discovered: April 20, 2004
Updated: April 20, 2004 8:56:16 PM
Systems Affected: Windows

W32.Netsky.Y@mm is a mass-mailing worm that sends itself to email addresses it gathers from files on all non-CD-ROM drives of the infected system. It is functionally similar to W32.Netsky.X@mm, differing only in the format of the email it sends.


The worm carries its own SMTP engine and uses it to send itself to the addresses it harvests, so it does not depend on the victim's mail client or the mail server configured on the host.

The email has the following characteristics:
(note: square brackets denote variables)

From: [spoofed]

Subject: Delivery failure notice (ID-[random number])

Message body:
--- Mail Part Delivered ---
220 Welcome to [[random domain]]
--- text/html RFC 2504
MX [Mail Exchanger] mx.mt2.kl.[random domain]
Exim Status OK

[New/Partial/External/Delivered] message is available.

Attachment: www.[random domain name].[random username].session-[random number].com

When the attachment is executed, the worm copies itself to:
%Windir%\FirewallSvr.exe

It then creates the following registry entry so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FirewallSvr=%Windir%\FirewallSvr.exe

It creates the following mutex so that only one instance of the worm executes at once:
"____--->>>>U<<<<--____"

It also drops the following MIME-encoded copy of itself on the compromised host:
%Windir%\fuck_you_bagle.txt

The worm also opens a backdoor: it listens on TCP port 82 and accepts an executable file from a remote attacker, which it then runs on the compromised host.

If the system date is between April 28 and April 30, 2004, the worm attempts a denial-of-service attack against the following sites:
www.nibis.de
www.medinfo.ufl.edu
www.educa.ch

It searches all non-CD-ROM drives on the compromised system to gather email addresses from files with the following extensions:
.eml
.txt
.php
.cfg
.mbx
.mdx
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.abd
.tbb
.dbx
.pl
.htm
.html
.sht
.oft
.msg
.ods
.stm
.xls
.jsp
.wsh
.xml
.mht
.mmf
.nch
.ppt

It then sends itself to all email addresses found in those files, and also to hukanmikloiuo@yahoo.com.

For each address it finds (someone@hostname.com), the worm first queries the system's default DNS server to resolve the IP address of the recipient's mail server (hostname.com). If that lookup fails, it falls back to one of the following hardcoded DNS servers:
212.185.252.73
212.185.253.70
212.185.252.136
194.25.2.129
194.25.2.130
195.20.224.234
217.5.97.137
194.25.2.129
193.193.144.12
212.7.128.162
212.7.128.165
193.193.158.10
194.25.2.131
194.25.2.132
194.25.2.133
194.25.2.134
193.141.40.42
145.253.2.171
193.189.244.205
213.191.74.19
151.189.13.35
195.185.185.195
212.44.160.8
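Two of the behaviours above are visible on the network rather than on the host: an infected machine that cannot reach its usual resolver starts sending DNS queries directly to the hardcoded servers listed here, and anything talking to TCP port 82 on an internal host is reaching the worm's backdoor. The following Python script is an added example, not part of the original writeup: it triages simple flow records (src, sport, dst, dport, proto) against both indicators. The flow records and the internal network range are constructed for the example, and the resolver list is the one from the description, deduplicated.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hardcoded fallback resolvers from the description (deduplicated).
NETSKY_DNS = frozenset({
    "212.185.252.73", "212.185.253.70", "212.185.252.136", "194.25.2.129",
    "194.25.2.130", "195.20.224.234", "217.5.97.137", "193.193.144.12",
    "212.7.128.162", "212.7.128.165", "193.193.158.10", "194.25.2.131",
    "194.25.2.132", "194.25.2.133", "194.25.2.134", "193.141.40.42",
    "145.253.2.171", "193.189.244.205", "213.191.74.19", "151.189.13.35",
    "195.185.185.195", "212.44.160.8",
})
BACKDOOR_PORT = 82


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: src sport dst dport proto."""
    src, sport, dst, dport, proto = line.split()
    return Flow(src, int(sport), dst, int(dport), proto.lower())


def find_netsky_indicators(lines, internal_nets, sanctioned_resolvers):
    """Return (kind, flow) tuples for Netsky.Y-style network behaviour.

    'dns_fallback'     : an internal host querying one of the worm's hardcoded
                         resolvers directly, bypassing the organisation's own.
    'backdoor_connect' : a TCP connection to port 82 on an internal host.
    """
    nets = [ip_network(n) for n in internal_nets]
    # Resolvers the organisation legitimately uses are excluded: several of the
    # hardcoded addresses are ordinary ISP resolvers, so a hit means "unexpected
    # resolver for this host", not proof of infection on its own.
    sanctioned = {ip_address(r) for r in sanctioned_resolvers}

    def internal(ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in nets)

    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if (f.proto == "udp" and f.dport == 53 and internal(f.src)
                and f.dst in NETSKY_DNS and ip_address(f.dst) not in sanctioned):
            findings.append(("dns_fallback", f))
        if f.proto == "tcp" and f.dport == BACKDOOR_PORT and internal(f.dst):
            findings.append(("backdoor_connect", f))
    return findings


# Constructed sample flow records (not a real capture).
SAMPLE_FLOWS = """
# src            sport  dst              dport proto
10.0.5.23        49321  10.0.0.53        53    udp
10.0.5.23        49322  194.25.2.129     53    udp
10.0.5.23        49323  212.185.252.73   53    udp
203.0.113.7      40000  10.0.5.23        82    tcp
10.0.5.40        51000  93.184.216.34    443   tcp
10.0.5.23        49400  93.184.216.34    25    tcp
""".strip().splitlines()


def triage_sample():
    """Run the detector over the constructed flows with 10.0.0.53 as the sanctioned resolver."""
    return find_netsky_indicators(SAMPLE_FLOWS, ["10.0.0.0/8"], ["10.0.0.53"])


if __name__ == "__main__":
    for kind, flow in triage_sample():
        print(f"{kind:17} {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Against the constructed records the detector reports two fallback DNS queries from 10.0.5.23 and one inbound connection to its port 82; the query to the organisation's own resolver and the ordinary HTTPS traffic are ignored. The direct outbound SMTP from a workstation on the last line is not flagged by this example, but it is the other network symptom of the worm's own SMTP engine and is worth a separate rule in practice.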