Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: LOW
Payload: Plays sound
Detection files published
Description created: 01 Mar 2004 08:06:00
Description updated: 01 Mar 2004 02:07:00
Malware type: WORM
Alias
Spreading mechanism: EMAIL
Summary: None

W32/Netsky.E@mm

Spreading

When run, the worm avoids being installed twice in memory by creating a mutex called "[SkyNet.cz]SystemsMutex". It copies itself to the Windows directory using the name WINLOGON.EXE, and creates a run key in the registry so that it is started at bootup.

Registry key(s) created by the worm:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  "ICQ Net" = "[WINDIR]\winlogon.exe -stealth"

Registry key(s) deleted by the worm:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run  Taskmon
HKCU\Software\Microsoft\Windows\CurrentVersion\Run  Taskmon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run  Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Run  Explorer
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKLM\Software\Microsoft\Windows\CurrentVersion\Run  KasperskyAv
HKCU\Software\Microsoft\Windows\CurrentVersion\Run  KasperskyAv
HKLM\Software\Microsoft\Windows\CurrentVersion\Run  System.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices  System.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run  msgsvr32
HKLM\Software\Microsoft\Windows\CurrentVersion\Run  DELETE ME
HKCU\Software\Microsoft\Windows\CurrentVersion\Run  d3dupdate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run  au.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run  service
HKCU\Software\Microsoft\Windows\CurrentVersion\Run  OLE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run  Sentry
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKLM\System\CurrentControlSet\Services\WksPatch
HKCU\Software\Microsoft\Windows\CurrentVersion\Run  Windows Services Host
HKLM\Software\Microsoft\Windows\CurrentVersion\Run  Windows Services Host

The worm traverses folders on all drives C: to Z: (if not a CD drive), harvesting email addresses from files of the types found in word list 1. It then sets up 4 concurrent threads that perform the sending of infected emails.

Note: Mails may have fake FROM: addresses. "You have sent a virus" warnings from mail scanners are usually not correct.

Word list 1: Files searched for email addresses:
.eml .txt .php .pl .htm .html .vbs .rtf .uin .asp .wab .doc .adb .tbb .dbx .sht .oft .msg .shtm .cgi .dhtm

Word list 2: Email addresses containing the following strings are avoided:
icrosoft, antivi, ymantec, spam, avp, f-secur, itdefender, orman, cafee, aspersky, f-pro, orton, fbi, abuse, messagelabs, skynet

Word list 3: Possible email subjects:
Status
report
question
trust me
hey
Re: excuse me
read it immediatelly
hi
Re: does it?
Yep
important
hello
dear
Re: unknown
fake?
warning
moin
what's up?
info
Re: information
Here is it
stolen
private?
good morning
illegal...
error
take it
re:
Re: Re: Re: Re:
you?
something for you
exception
Re: hey
excuse me
Re: hi
Re: does it?
Re: important
Re: hello
believe me
Question
denied!
notification
Re: lol
last chance!
I'm back!
its me
notice!
oh
Announcement
Re: Thank you
Re: Details
Thank you
Details
Re: Approved
Approved
hi, it's me
Thank You very very much
You use illegal...
Your IP was logged
Love is
Re: registered?
Your request was registered
read now!
Attention
Schedule
You have 1 day left
Re: information
automatic notification
Expired account
automatic responder
Read this message
please read
please reply
Registration confirm
Confirmation
Confirmation Required
Returned Mail

Word list 4: Possible mail bodies:
what means that?
help attached
ok...
that is interesting...
i wait for your comment about it.
such as yours?
read the details.
gonna?
here is the document.
*lol*
read it immediately!
i found that about you!
your hero in the picture?
yours?
here is it.
illegal st. of you?
is that true?
account?
is that your name?
picture?
message?
is that your account?
pwd?
I wait for an answer!
abuse?
is that yours?
you are a bad writer
I don't know your document!
I have your password!
you won the rk!
something about you!
classroom test of you?
kill the writer of this document!
old photos about you?
i hope thats not true!
your name is wrong!
does it match?
i found this document about you.
time to fear?
really?
do you know this????
i know your document!
did you sent it to me?
this file is bad!
why should I?
pages?
her.
another pic, have fun! ... :->
test it
child porn?
greetings
xxx ?
stuff about you?
your document is not good
something is going wrong!
your photo is poor
information about you?
the information is wrong!
doc about me?
kill him on the picture!
from the chatter (my photo!)
from your lover ;-)
love letter?
here, the serials
are you a teacher
in the picture?
here, the introduction
is that criminal?
here, the cheats
i like your doc!
what do you think about it?
that's a funny text.
that's not the truth?
do you have?
instruct me about this!
i lost that
i am speachless about your document!
is that the reality?
reply
msg
your design is not good!
important?
your TAN number?
take it easy!
why?
you are naked in this document! thats wrong!
your icq number?
i am desperate
modifications?
your personal record?
yes.
misc. and so on. see you!
your attachment? verify it.
you earn money, see the attachment!
is that your attachment?
is that your website?
you feel the same.
meaning of that?
possible?
you have tried to steal!
did you ask me for that?
you are bad
your job? (I found that!)
is that possible?
something is going ...
something is not ok
did you know from this document?
wrong calculation! (see the attachment!...
never!
poor quality!
good work!
excellent!
great!
i don't think so.
pretty pic about you?
docs?
schoolfriend?
i want more...
here is the next one!
attachi#
did you see her already?
is that your wife?
is that your creditcard?
is that your photo?
do you think so?
do you have the bug also?
already?
forgotten?
drugs? ...
does it matter?
i have received this.
best?
the truth?
your body?
your eyes?
your face?
File is self-decryting.
File is damaged.
File is bad.
i saw you last week!
xxx service
your account is expired!
you cannot hide yourself! (see photo)
copyright?
what still?
who?
how?
only encrypted!
personal message!
my advice....
i've found it about you>>
great xxx!
man or women?
child or adult?
here is yours!
a crazy doc about you
xxx about you?
i don't want your xxx pics!
doc?
trial?
what?
;-)
i need you!
correct it!
see this!
it's a secret!
this is nothing for kids!
it's so similar as yours!
is that your car?
do not give up!
great job!
here is the $%%454$
you are sexy in this doc!
incest?
let it!
you look like an ape!
you look like an rat?
be mad?
are you cranky?
bob the builder
did you know that?
money?
is that your car?
is this information about you?
is that your privacy?
is that your TAN?
is that your message?
is that your cd?
is that your finger?
our are naked?
is that your porn pic?
is that your work?
is that your family?
is that your beast?
is that your account?
is that your slip?
is that your domain?
are you the naked one?
are you the naked person!
are you the one?
does it belong to you?
do you have sex in the picture?
you have a sexy body in the pic!
your lie is going around the world!
lets talk about it!
do you know the thief?
are you a photographer?
you have done a mistake in the document...
its private from me
do not show this anyone!
new patch is available!
this is an attachment message!
in your mind?
Microsoft
fast food...
Your bill.
try this patch!
do you have an orgasm in the picture?
Transaction failed. Show the doc!
I 've found your bill!
see your name!
You are infected. Read the details!
here is my advice.
here is my photo!
here is the feel free to use it.
does it belong to you?
Login required! Read the attachment!
your document is silly!
is the pic a fake?
Antispam is turned off. See file!
Authentification required. Read the att...
solve the problem!
do not use my document!
do not use this creditcard!
do not open the attachment!
do not visit the pages on the list I se...
explain!
tell me more about your document!
Your provider will be disabled!
Instant patches.

Word list 5: Possible file names:
documentassocialmsgyoursdocwifetalkmessageresponsecreditcarddescriptiondetailsattachmentpicmetrashcardstuffposterpostingportmoneytextfilemoonlightconcertsexyinformationnewsnotenumber_phonebillmydateswimmingpoolclass_photosproductold_photostopsellerpsimportantshowermyauntaboutyouyoursnomoneybirthfounddeathstoryworkermailslettermorewebsiteregardsregidfriendunfoldsjokesdoc_angyour_stufflocation454543403finalschockreleasewebcamdinnerintimate stuffsexualrankingobjectsecretsmail2attach2part2msg2discofreakyvisapartymaterialmiscnothingtransferauctionwarezundefiniedviolenceupdatemasturbationinjectionnaked1naked2tearmusicpaypalidprivacyword_docimageincest

Word list 6: Possible file extensions:
.exe .com .scr .bat .cmd

Word list 7: Possible middle file extensions:
.txt .rtf .doc .htm .jpg .gif
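The behaviour described above gives a defender three cheap, specific checks: the attachment naming pattern (a name, an optional decoy extension from word list 7, then an executable extension from word list 6), the Run value "ICQ Net" launching winlogon.exe from the Windows directory with "-stealth", and the infection-marker mutex "[SkyNet.cz]SystemsMutex". The script below is an added example, not Lumension's code and not part of the original description; the .reg export text and attachment names in it are constructed for illustration, and the mutex check only does anything on Windows.

```python
"""Defender-side checks derived from the W32/Netsky.E@mm write-up.

Added example; not Lumension's tooling. Sample inputs are constructed.
"""
import ctypes
import re
import sys

# Word list 6 (final extensions) and word list 7 (decoy middle extensions).
EXECUTABLE_EXTS = frozenset({".exe", ".com", ".scr", ".bat", ".cmd"})
DECOY_EXTS = frozenset({".txt", ".rtf", ".doc", ".htm", ".jpg", ".gif"})

# Run keys in the long form a .reg export uses, lower-cased for comparison.
RUN_KEYS = frozenset({
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
})
WORM_VALUE_NAME = "ICQ Net"              # value the worm creates
WORM_COMMAND_TAIL = "winlogon.exe -stealth"
WORM_MUTEX = "[SkyNet.cz]SystemsMutex"   # the worm's reinfection guard


def classify_attachment(filename: str) -> str:
    """Classify a mail attachment name by the worm's double-extension trick."""
    parts = filename.strip().lower().rsplit(".", 2)  # at most: base, middle, final
    if len(parts) < 2:
        return "no-extension"
    final = "." + parts[-1]
    if final not in EXECUTABLE_EXTS:
        return "not-executable"
    if len(parts) == 3 and "." + parts[1] in DECOY_EXTS:
        return "executable-with-decoy-extension"   # e.g. document.txt.exe
    return "executable"


_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def find_netsky_persistence(reg_export: str) -> list:
    """Scan a .reg export (regedit /e style) for the worm's Run value.

    The legitimate winlogon.exe lives in %SystemRoot%\\System32 and is started
    by Windows itself, never via a Run value, so any Run value launching
    winlogon.exe is worth a look even without the -stealth switch.
    """
    hits = []
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        m = _REG_VALUE.match(line)
        if not m or current_key not in RUN_KEYS:
            continue
        data = m.group("data").replace("\\\\", "\\")   # .reg doubles backslashes
        if m.group("name") == WORM_VALUE_NAME or data.lower().endswith(WORM_COMMAND_TAIL):
            hits.append((current_key, m.group("name"), data))
    return hits


def worm_mutex_present() -> bool:
    """On Windows, ask the kernel whether the worm's mutex exists (OpenMutexW).

    Returns False on other platforms so the script stays runnable anywhere.
    """
    if sys.platform != "win32":
        return False
    SYNCHRONIZE = 0x00100000
    kernel32 = ctypes.windll.kernel32
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, WORM_MUTEX)
    if not handle:
        return False
    kernel32.CloseHandle(handle)
    return True


# Constructed .reg export: one worm value beside two harmless ones.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ICQ Net"="C:\\WINDOWS\\winlogon.exe -stealth"
"Tray"="C:\\Program Files\\Example\\tray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Notes"="C:\\Users\\alice\\notes.exe"
"""

if __name__ == "__main__":
    for name in ("document.txt.exe", "details.doc.scr", "setup.exe", "report.doc"):
        print(f"{name:20s} {classify_attachment(name)}")
    for key, value, data in find_netsky_persistence(SAMPLE_REG_EXPORT):
        print(f"persistence hit: {key} -> {value} = {data}")
    print("worm mutex present:", worm_mutex_present())
```

The attachment check is deliberately broader than this one worm: any executable extension behind a decoy document or image extension is flagged, which covers the same trick from other mass-mailers of the period. The registry scan matches on either the value name or the command tail so that a renamed value with the same payload path is still caught.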

Payload Details

If the system time is between 6am and 9am on the morning of March 2nd 2004, the worm plays beeps of semi-random pitch and duration until the clock reaches 09:00 or the system time is changed manually.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:15