Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: LOW
Payload: DoS / Backdoor
Detection files: published
Description created: 05 Apr 2004 08:12:00
Description updated: 05 Apr 2004 08:12:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL
Summary: None

W32/Netsky.S@mm

Spreading

When Netsky.S is executed it creates a mutex named "SyncMutex_USUkUyUnUeUtU" to ensure that only one copy of the worm is running. The worm then copies itself to %SYSTEM%\EasyAV.exe and also creates a BASE64 encoded copy of itself in %SYSTEM%\uinmzertinmds.opm. Then the worm creates the following registry value to ensure it is started with Windows:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EasyAV = "%WINDIR%\EasyAV.exe"

Netsky will then launch a thread that searches all fixed drives (excluding CD-ROM drives) for email addresses in files with these extensions:

  .ppt .nch .mmf .mht .xml .wsh .jsp .xls .stm .ods .msg .oft .sht .html .htm .pl .dbx .tbb .adb .dhtm .cgi .shtm .uin .rtf .vbs .doc .wab .asp .mdx .mbx .cfg .php .txt .eml

Netsky will then send a mail to all of the addresses found with the following characteristics:

Subject (one of):
  Re: Important
  Important
  Re: My details
  My details
  Re: Your information
  Your information
  Re: Your details
  Your details
  Re: Your document
  Your document
  Re: Request
  Request
  Re: Thanks you!
  Thank you!
  Re: Approved
  Approved
  Re: Hello
  Re: Hi
  Hello
  Hi

Body: the body is created in 3 parts from 3 separate word-lists.

The first section is one of these strings:
  Note that I have attached your document.
  My .
  The .
  I have spent much time for the .
  I have spent much time for your document.
  Your .
  Please notice the attached .
  Please notice the attached document.
  Please read quickly.
  For more details see the attached document.
  For more information see the attached document.
  Approved, here is the document.
  I have found the .
  My is attached.
  Your is attached.
  Please, .
  Your file is attached to this mail.
  Please read the attached document.
  Please have a look at the attached document.
  See the document for details.
  Here is the document.
  The requested is attached!
  I have sent the .
  Please see the .
  The is attached.
  Here is the .
  Please have a look at the .
  Please read the .
  Hello!
  Hi!

Note: the tag in these strings is replaced by the name of the attachment.

The second section is one of these strings:
  Yours sincerely
  Thank you
  Thanks

This is followed by one of these fake scanner footers:

  +++ X-Attachment-Type: document
  +++ X-Attachment-Status: no virus found
  +++ Powered by the new Panda OnlineAntiVirus
  +++ Website: www.pandasoftware.com

  +++ X-Attachment-Type: document
  +++ X-Attachment-Status: no virus found
  +++ Powered by the new MCAfee OnlineAntiVirus
  +++ Homepage: www.mcafee.com

  +++ X-Attachment-Type: document
  +++ X-Attachment-Status: no virus found
  +++ Powered by the new F-Secure OnlineAntiVirus
  +++ Visit us: www.f-secure.com

  +++ X-Attachment-Type: document
  +++ X-Attachment-Status: no virus found
  +++ Powered by the new Norton OnlineAntiVirus
  +++ Free trial: www.norton.com

Attachment: the attachment name is chosen from this list (spellings as used by the worm):
  corrected document, archive, abuse list, presentation, document, instructions, details, improved document, note, message, contact list, number list, file, secound document, improved file, user list, textfile, new document, text, information, info, word document, excel document, powerpoint document, detailed document, homepage, letter, mail document, old document, approved document, movie document, picture document, summary, description, requested document, notice, bill, answer, release, final version, diggest, important document, order, photo document, personal message, phone number, e-mail, icq number, report, story, concept, developement, sample, postcard, account

Appended to the selected attachment name will be a random number followed by a .pif extension.
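As an added illustration (not part of the original description), the following Python checks an incoming message for the traits listed above: a subject from the worm's list, the fake online-scanner footer, and an attachment named "<name><random number>.pif". The attachment-name pattern, the "two traits" quarantine rule and the sample message are assumptions made for this example.

```python
import re
from email import message_from_string

# Indicators from the description above: subjects, fake scanner footer, .pif naming.
NETSKY_S_SUBJECTS = {
    "re: important", "important", "re: my details", "my details",
    "re: your information", "your information", "re: your details",
    "your details", "re: your document", "your document", "re: request",
    "request", "re: thanks you!", "thank you!", "re: approved", "approved",
    "re: hello", "re: hi", "hello", "hi",
}
FAKE_AV_FOOTER = re.compile(r"^\+\+\+ X-Attachment-Status: no virus found", re.M)
PIF_ATTACHMENT = re.compile(r"^[a-z][a-z -]*\d+\.pif$", re.I)  # assumed name shape

def netsky_s_indicators(raw_message: str) -> list:
    """Return which Netsky.S traits one RFC 822 message shows, in parse order."""
    msg = message_from_string(raw_message)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in NETSKY_S_SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and PIF_ATTACHMENT.match(name):
            hits.append("pif-attachment")
        elif part.get_content_type() == "text/plain":
            body = (part.get_payload(decode=True) or b"").decode("latin-1")
            if FAKE_AV_FOOTER.search(body):
                hits.append("fake-av-footer")
    return hits

def is_netsky_s_candidate(raw_message: str) -> bool:
    """Assumed gateway rule: the .pif attachment plus at least one other trait."""
    hits = netsky_s_indicators(raw_message)
    return "pif-attachment" in hits and len(hits) >= 2

# Constructed sample message (not a real capture) laid out as described above.
SAMPLE = """Subject: Re: Your document
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
--B
Content-Disposition: attachment; filename="improved document4711.pif"

(constructed placeholder, not executable content)
--B--
"""
```

A plain "Hello" message with no attachment yields only the "subject" trait and is not flagged, so a greeting alone does not trigger the rule.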

Payload Details

Between 14-Apr-2004 and 24-Apr-2004 Netsky will perform a denial of service attack using HTTP GET requests against these web sites:

  www.keygen.us
  www.freemule.net
  www.kazaa.com
  www.emule.de
  www.cracks.am

Netsky also contains backdoor functionality which opens port 6789 for remote connections.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:12