W32.Netsky.Z@mm

Discovered: April 21, 2004
Updated: April 21, 2004 5:23:18 PM
Also Known As: Netsky.BR [Panda Software]
Systems Affected: Windows

W32.Netsky.Z@mm is a mass-mailing worm that sends itself to email addresses it gathers from files on all non-CD-ROM drives of the infected system.

W32.Netsky.Z@mm uses its own SMTP engine to send itself to every email address it gathers from files on the infected system.

The email message has the following characteristics:

From: [spoofed]

The subject is one of the following:
Important
Hello
Information
Hi
Document

The message body contains one of the following strings:
Important details!
Important document!
Important textfile!
Important!
Information
Important bill!
Important data!
Important informations!
Important notice!

The attachment is a ZIP archive with one of the following file names:
Details.zip
Informations.zip
Important.zip
Bill.zip
Notice.zip
Data.zip
Part-2.zip
Textfile.zip

The ZIP archive contains one of the following files; the file name is chosen to match the name of the ZIP archive:
Bill.txt[Many Space Characters].exe
Informations.txt[Many Space Characters].exe
Textfile.txt[Many Space Characters].exe
Data.txt[Many Space Characters].exe
Details.txt[Many Space Characters].exe
Important.txt[Many Space Characters].exe
Notice.txt[Many Space Characters].exe
Part-2.txt[Many Space Characters].exe
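Added example (not part of Symantec's writeup): a Python check that a mail gateway or an analyst could run over a ZIP attachment to flag the indicators listed above, namely the attachment names and the `.txt[many spaces].exe` member name. The 8-space threshold and the sample archive are assumptions constructed here.

```python
import io
import re
import zipfile

# Indicators taken from the W32.Netsky.Z@mm description above.
NETSKY_Z_ATTACHMENTS = {
    "Details.zip", "Informations.zip", "Important.zip", "Bill.zip",
    "Notice.zip", "Data.zip", "Part-2.zip", "Textfile.zip",
}

# A ".txt" name padded with a long run of spaces before a final ".exe".
# The padding pushes the real extension out of view in mail clients that
# truncate long file names. The 8-space threshold is an assumption.
PADDED_EXE = re.compile(r"\.txt {8,}\.exe$", re.IGNORECASE)


def inspect_zip_attachment(name, data):
    """Return the reasons an email ZIP attachment looks like Netsky.Z.

    An empty list means no indicator matched.
    """
    reasons = []
    if name in NETSKY_Z_ATTACHMENTS:
        reasons.append(f"attachment name {name!r} is on the Netsky.Z list")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return reasons + ["attachment is not a valid ZIP archive"]
    for member in members:
        if not PADDED_EXE.search(member):
            continue
        reasons.append(f"member {member.strip()!r} hides .exe behind a padded .txt")
        # Netsky.Z names the member after the archive: Bill.zip -> Bill.txt...exe
        if name.lower().endswith(".zip") and member.split(".txt")[0] == name[:-4]:
            reasons.append("member stem matches the archive name, as Netsky.Z does")
    return reasons


def build_sample(member_name, payload=b"constructed placeholder, not an executable"):
    """Constructed test input: a ZIP archive shaped like the worm's attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample("Bill.txt" + " " * 60 + ".exe")
    for reason in inspect_zip_attachment("Bill.zip", sample):
        print("ALERT:", reason)
```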

When the attachment is executed, the worm copies itself to:
%Windir%\Jammer2nd.exe

It then creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Jammer2nd" = "%Windir%\Jammer2nd.exe"

It creates the following mutex so that only one instance of the worm executes at once:
"(S)(K)(y)(N)(e)(t)"

It also drops the following Base64-encoded copies of itself on the compromised host:
%Windir%\PK_ZIP#.LOG (Where # is an integer)
%Windir%\pk_zip_alg.log

The worm listens on TCP port 665; any executable file a remote attacker sends to that port is executed on the host.

If the system date is between May 2, 2004 and May 5, 2004, the worm attempts a denial-of-service attack against the following sites:
www.nibis.de
www.medinfo.ufl.edu
www.educa.ch

It searches all non-CD-ROM drives on the compromised system for email addresses in files with the following extensions:
.eml
.txt
.php
.cfg
.mbx
.mdx
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.abd
.tbb
.dbx
.pl
.htm
.html
.sht
.oft
.msg
.ods
.stm
.xls
.jsp
.wsh
.xml
.mht
.mmf
.nch
.ppt

When it finds an email address (someone@hostname.com), the worm uses the default DNS server to resolve the IP address of the mail domain (hostname.com). If that fails, it falls back to one of the DNS servers on a hard-coded list of IP addresses.