Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Netsky.B@mm

Overview

Threat Risk LOW LOW
Destructivity NONE NONE
Payload
Detection files published 17 Feb 2004 03:00:00
Description created 18 Feb 2004 01:10:00
Description updated 18 Feb 2004 11:10:00
Malware type WORM
Alias
Spreading mechanism EMAIL
NETWORK
OTHER
Summary None

W32/Netsky.B@mm

Spreading

When the worm is first run, it will install a mutex "AdmSkynetJklS003" to avoid being loaded twice. It will also show a messagebox saying "The file could not be opened!"
It copies itself to the Windows directory using the name SERVICES.EXE, and adds a run key in registry so that it is started from bootup.
Registry keys created:
HKLM\Software\Microsoft\Windows\CurrentVersion Run service = [WINDIR]\services.exe -serv

Registry keys deleted:
HKCU\Software\Microsoft\Windows\CurrentVersion Run Taskmon
HKLM\Software\Microsoft\Windows\CurrentVersion Run Taskmon
HKCU\Software\Microsoft\Windows\CurrentVersion Run Explorer
HKLM\Software\Microsoft\Windows\CurrentVersion Run Explorer
HKLM\Software\Microsoft\Windows\CurrentVersion Run KasperskyAv
HKLM\Software\Microsoft\Windows\CurrentVersion Run System.
HKLM\Software\Microsoft\Windows\CurrentVersion RunServices System.
HKCR\CLSID{E6FB5E20-DE35-11CF-9C87-00AA005127ED} InProcServer32
The worm sets up a thread that scans all drives C: to Z: (except CD-ROM drives) for folders that contain the string "share" or "sharing". If such a folder is found the worm copies itself there using many different file names (WL6). Such a folder will often be a P2P share folder, and thus the worm is distrubuted by common P2P software like Kazaa and IMesh as well.
This thread also examines files of types .txt, .php, .pl, .htm, .html, .vbs, .rtf, .uin, .asp, .wab, .doc, .adb, .tbb, .dbx, .sht, .oftand .msg for email addresses to use when sending mail.
Mails and attachment names are composed from word lists.
The composition algorithm is as follows:
6/11 chance : The attachment is a ZIP file, name [WL1].ZIP. The file in the ZIP is named like this:
23/33 chance : [WL1][WL2][WL3]
10/33 chance : [WL1][WL3]
5/11 chance : The attachment is an executable file, unzipped. This is named like this:
7/13 chance : [WL1][WL2][WL3]
6/13 chance : [WL1][WL3]
Examples of possible attachment names:
message.zip (containing message.htm.scr)
swimmingpool.pif
concert.rtf.exe
WL1: First element of attachment file name (40)document
msg
doc
talk
message
creditcard
details
attachment
me
stuff
posting
textfile
concert
information
note
bill
swimmingpool
product
topseller
ps
shower
aboutyou
nomoney
found
story
mails
website
friend
jokes
location
final
release
dinner
ranking
object
mail2
part2
disco
party
misc
WL2: Second element of file name (optional)(4).txt
.rtf
.doc
.htm
WL3: Third element of file name (4).exe
.scr
.com
.pif
WL4: Email subjects (9)hi
hello
read it immediately
something for you
warning
information
stolen
fake
unknown
WL5: Possble email body texts (47)anything ok?
what does it mean?
ok
i’m waiting
read the details.
here is the document.
read it immediately!
my hero
here
is that true?
is that your name?
is that your account?
i wait for a reply!
is that from you?
you are a bad writer
I have your password!
something about you!
kill the writer of this document!
i hope it is not true!
your name is wrong
i found this document about you
yes, really?
that is bad
here it is
see you
greetings
stuff about you?
something is going wrong!
information about you
about me
from the chatter
here, the serials
here, the introduction
here, the cheats
that’s funny
do you?
reply
take it easy
why?
thats wrong
misc
you earn money
you feel the same
you try to steal
you are bad
something is going wrong
something is fool
WL6: File names used when copying to P2P share folderswinxp_crack.exe
dolly_buster.jpg.pif
strippoker.exe
photoshop 9 crack.exe
matrix.scr
porno.scr
angels.pif
hardcore porn.jpg.exe
office_crack.exe
serial.txt.exe
cool screensaver.scr
eminem - lick my pussy.mp3.pif
nero.7.exe
virii.scr
e-book.archive.doc.exe
max payne 2.crack.exe
how to hack.doc.exe
programming basics.doc.exe
e.book.doc.exe
win longhorn.doc.exe
dictionary.doc.exe
rfc compilation.doc.exe
sex sex sex sex.doc.exe
doom2.doc.pif

Payload Details

n/a

Analysis

n/a

Removal

This worm was proactively detected as W32/EmailWorm using the Lumension Sandbox technology.


Last Updated: 12 Nov 2015 11:06:12