Lumension® Endpoint Intelligence Center

W32/Netsky.D@mm


Destructivity: LOW
Payload: Plays sound
Detection files: published
Description created: 29 Feb 2004 03:05:00
Description updated: 01 Mar 2004 08:47:00
Malware type: WORM
Spreading mechanism: EMAIL
Summary: None

When run, the worm avoids being installed twice in memory by creating a mutex called "[]SystemsMutex".
It copies itself to the Windows directory using the name WINLOGON.EXE and creates a Run key in the registry so that it is started at every boot.
Registry value created by the worm (value name and data under the Run key):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"ICQ Net"="[WINDIR]\winlogon.exe -stealth"
Registry values deleted by the worm (value name under the Run or RunServices key):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run "Taskmon"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "Taskmon"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run "Explorer"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "Explorer"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run "KasperskyAv"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "KasperskyAv"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run "System."
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices "System."
HKLM\Software\Microsoft\Windows\CurrentVersion\Run "msgsvr32"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run "DELETE ME"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "d3dupdate.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "au.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run "service"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "OLE"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run "Sentry"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "Windows Services Host"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run "Windows Services Host"
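A host-side check for the persistence entry described above, written as an added example and not code from the Lumension page. It parses a .reg export of the Run keys (the format produced by "reg export <key> file.reg") and flags any value matching the indicators in the description: the value name "ICQ Net", a winlogon.exe started from anywhere other than System32 (the legitimate Winlogon lives in System32 and is not started from a Run key), and the "-stealth" switch. The SAMPLE_REG text is constructed for the example.

```python
"""Triage of Run-key values against the Netsky.D persistence indicators."""
import re

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Constructed .reg export: one worm entry next to two ordinary ones.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ICQ Net"="C:\\WINDOWS\\winlogon.exe -stealth"
"Updater"="C:\\Program Files\\Vendor\\updater.exe /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Vendor\\sidebar.exe"
'''


def parse_reg_export(text):
    """Return (key, value_name, data) for every REG_SZ value in a .reg export."""
    key, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if (m := SECTION_RE.match(line)):
            key = m.group("key")
        elif key and (m := VALUE_RE.match(line)):
            # .reg files double every backslash inside string data; undo that.
            entries.append((key, m.group("name"), m.group("data").replace("\\\\", "\\")))
    return entries


def check_run_values(entries):
    """Flag Run-key values matching the Netsky.D indicators, with the reasons."""
    findings = []
    for key, name, data in entries:
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        low = data.lower()
        reasons = []
        if name.lower() == "icq net":
            reasons.append("value name 'ICQ Net'")
        if "winlogon.exe" in low and "\\system32\\" not in low:
            reasons.append("winlogon.exe started from outside System32")
        if "-stealth" in low.split():
            reasons.append("'-stealth' switch")
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_run_values(parse_reg_export(SAMPLE_REG)):
        print(f"{f['key']}\\{f['name']} = {f['data']}  <- {', '.join(f['reasons'])}")
```

On a live host the same functions can be fed the output of reg export for both the HKLM and HKCU Run keys; each reason is reported separately so that an entry hitting only one indicator (for example a renamed value that still points at [WINDIR]\winlogon.exe) is still surfaced.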
The worm traverses folders on all drives C: to Z: (skipping CD-ROM drives), harvesting email addresses from files with the extensions in word list 1. It then starts 8 concurrent threads that send the infected emails.
Note: Mails may have fake FROM: addresses, so "You have sent a virus" warnings from mail scanners are usually not correct.
Word list 1: File types searched for email addresses:
.eml .txt .php .pl .htm .html .vbs .rtf .uin .asp .wab .doc .adb .tbb .dbx .sht .oft .msg .shtm .cgi .dhtm

Word list 2: Email addresses containing the following strings are avoided:
icrosoft antivi ymantec spam avp f-secur itdefender orman cafee aspersky f-pro orton fbi abuse messagelabs skynet

Word list 3: Possible email subjects:
Re: Document
Re: Re: Document
Re: Re: Thanks!
Re: Thanks!
Re: Your document
Re: Here is the document
Re: Your picture
Re: Re: Message
Re: Hi
Re: Hello
Re: Re: Re: Your document
Re: Here
Re: Your music
Re: Your software
Re: Approved
Re: Details
Re: Excel file
Re: Word file
Re: My details
Re: Your details
Re: Your bill
Re: Your text
Re: Your archive
Re: Your letter
Re: Your product
Re: Your website

Word list 4: Possible mail bodies:
Your document is attached.
Here is the file.
See the attached file for details.
Please have a look at the attached file.
Please read the attached file.
Your file is attached.

Word list 5: Attachment file names:
your_document.pif your_document.pif document.pif message_part2.pif your_document.pif document_full.pif your_picture.pif message_details.pif your_file.pif your_picture.pif document_4351.pif yours.pif mp3music.pif application.pif all_document.pif my_details.pif document_excel.pif document_word.pif my_details.pif your_details.pif your_bill.pif your_text.pif your_archive.pif your_letter.pif your_product.pif your_website.pif
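A mail-gateway triage routine built from word lists 3 and 5, added here as an example; it is not code from the Lumension page. It parses a raw RFC 822 message with Python's standard email package, compares the Subject and attachment file names against the worm's subject and attachment lists, and additionally flags any .pif attachment. Because the worm forges FROM: addresses, the sender is deliberately not used as an indicator. The sample message is constructed by build_sample and carries a harmless placeholder payload.

```python
"""Match inbound mail against the Netsky.D subject and attachment-name lists."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Word list 3: subjects used by the worm.
NETSKY_SUBJECTS = {
    "Re: Document", "Re: Re: Document", "Re: Re: Thanks!", "Re: Thanks!",
    "Re: Your document", "Re: Here is the document", "Re: Your picture",
    "Re: Re: Message", "Re: Hi", "Re: Hello", "Re: Re: Re: Your document",
    "Re: Here", "Re: Your music", "Re: Your software", "Re: Approved",
    "Re: Details", "Re: Excel file", "Re: Word file", "Re: My details",
    "Re: Your details", "Re: Your bill", "Re: Your text", "Re: Your archive",
    "Re: Your letter", "Re: Your product", "Re: Your website",
}

# Word list 5: attachment names (duplicates collapsed).
NETSKY_ATTACHMENTS = {
    "your_document.pif", "document.pif", "message_part2.pif",
    "document_full.pif", "your_picture.pif", "message_details.pif",
    "your_file.pif", "document_4351.pif", "yours.pif", "mp3music.pif",
    "application.pif", "all_document.pif", "my_details.pif",
    "document_excel.pif", "document_word.pif", "your_details.pif",
    "your_bill.pif", "your_text.pif", "your_archive.pif", "your_letter.pif",
    "your_product.pif", "your_website.pif",
}


def triage(raw: bytes) -> dict:
    """Return which Netsky.D indicators a raw RFC 822 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    # Attachment names only; the forged From: header is not consulted.
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    hits = {
        "subject": subject in NETSKY_SUBJECTS,
        "attachment": [n for n in names if n.lower() in NETSKY_ATTACHMENTS],
        "pif": [n for n in names if n.lower().endswith(".pif")],
    }
    if hits["subject"] and hits["attachment"]:
        hits["verdict"] = "netsky_d_like"
    elif hits["pif"]:
        hits["verdict"] = "suspicious_pif"
    else:
        hits["verdict"] = "clean"
    return hits


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed sample message with a placeholder (not malicious) attachment."""
    m = EmailMessage()
    m["From"] = "spoofed.sender@example.com"  # the worm forges this header
    m["To"] = "recipient@example.org"
    m["Subject"] = subject
    m.set_content("Your document is attached.")  # one of the word list 4 bodies
    m.add_attachment(b"placeholder-bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return bytes(m)


if __name__ == "__main__":
    print(triage(build_sample("Re: Your document", "your_document.pif")))
    print(triage(build_sample("Lunch?", "report.pdf")))
```

The three-tier verdict keeps the exact subject-plus-attachment combination separate from the broader "any .pif attachment" rule, so a gateway can quarantine the former outright while only scoring the latter; and since FROM: is forged, no bounce or "you sent a virus" notice should be generated from these results.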

Payload Details

If the system time is between 6am and 9am on the morning of March 2nd 2004, the worm plays beeps of semi-random pitch and duration until the time reaches 09:00 or the system time is manually changed.

Last Updated: 12 Nov 2015 11:06:15