Discovered: April 21, 2004
Updated: April 21, 2004 5:23:18 PM
Also Known As: Netsky.BR [Panda Software]
Systems Affected: Windows
W32.Netsky.Z@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it gathers from files on all non-CD-ROM drives of the infected system.
The email message typically has the following characteristics:
The subject is one of the following:
The message body contains one of the following strings:
The attachment is a ZIP archive with one of the following file names:
The ZIP archive contains one of the following files; the file name is chosen to match the name of the ZIP archive:
Bill.txt[Many Space Characters].exe
Informations.txt[Many Space Characters].exe
Textfile.txt[Many Space Characters].exe
Data.txt[Many Space Characters].exe
Details.txt[Many Space Characters].exe
Important.txt[Many Space Characters].exe
Notice.txt[Many Space Characters].exe
Part-2.txt[Many Space Characters].exe
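The attachment names above rely on a long run of spaces to push the real ".exe" extension out of view, so that a file such as "Bill.txt                .exe" appears to be a text file. The following is an added example, not part of this write-up, that scans a ZIP archive for members using this padded double-extension lure; it generalizes slightly beyond the page by accepting a few document-like and executable-like extensions (the regular expression and the sample archive are constructed for illustration):

```python
import io
import re
import zipfile
from typing import List

# Lure shape used by the attachments described above: a document-looking
# extension, a run of at least five whitespace characters, then an executable
# extension. The extension lists are an assumption that widens the page's
# ".txt ... .exe" case to similar double-extension tricks.
PADDED_DOUBLE_EXT = re.compile(
    r"\.(txt|doc|htm|html|pdf)\s{5,}\.(exe|scr|pif|com|bat)$",
    re.IGNORECASE,
)


def is_padded_double_extension(name: str) -> bool:
    """Return True if the file name hides an executable extension behind padding."""
    return PADDED_DOUBLE_EXT.search(name) is not None


def suspicious_members(zip_bytes: bytes) -> List[str]:
    """List the member names in a ZIP archive that match the padded lure pattern."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if is_padded_double_extension(info.filename)]


def build_sample_zip() -> bytes:
    """Construct a small in-memory archive for testing (placeholder contents only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Bill.txt" + " " * 60 + ".exe", b"placeholder, not a real binary")
        zf.writestr("readme.txt", b"benign text file")
    return buf.getvalue()


if __name__ == "__main__":
    for name in suspicious_members(build_sample_zip()):
        print("suspicious attachment member:", repr(name))
```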
When the attachment is executed, the worm copies itself as the following:
It then creates the following registry entry so that it executes every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Jammer2nd" = "%Windir%\Jammer2nd.exe"
It creates the following mutex so that only one instance of the worm executes at once:
It also drops the following Base64-encoded copies of itself on the compromised host:
%Windir%\PK_ZIP#.LOG (Where # is an integer)
The worm listens on TCP port 665; an attacker can send it an executable file, which it then runs on the host.
If the system clock is between May 2nd, 2004 and May 5th, 2004, the worm attempts a denial-of-service attack against the following sites:
It searches all non-CD-ROM drives on the compromised system to gather email addresses from files with the following extensions:
For each email address it finds (for example email@example.com), the worm uses the default DNS server to retrieve the IP address of the mail server (hostname.com). If that fails, it tries one of the following DNS servers: