Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Netsky.X@mm


Destructivity NONE NONE
Payload Dos/Backdoor
Detection files published
Description created 20 Apr 2004 03:16:00
Description updated 20 Apr 2004 03:16:00
Malware type WORM
Spreading mechanism EMAIL
Summary None



When Netsky.X is executed it creates a mutex named “____--->>>>U Next the worm copies itself to the %WINDIR% folder as “FirewallSvr.exe" and then creates the following registry value to launch itself when Windows starts: “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\    CurrentVersion\Run\FirewallSvr" = “%WINDIR%\FirewallSvr.exe" Netsky.X will also create a BASE64 encoded copy of itself called “fuck_you_bagle.txt" in the %WINDIR% directory. Netsky.X then launches a thread that searches on all fixed drives (excluding CD-ROM drives) for email addresses. Only files with the following extensions are searched: .ppt    .nch   .mmf    .mht    .xml    .wsh    .jsp    .xls    .stm    .ods.msg    .oft    .sht    .html  .htm    .pl .dbx    .tbb    .adb    .dhtm   .cgi.shtm   .uin    .rtf    .vbs    .doc    .wab   .asp    .mdx    .mbx    .cfg.php    .txt  .eml     Within its mass mailing routine Netsky.X checks the recipients top level domain (i.e. in order to create the text of the mail in a corresponding language. Supported top level domains are: Turks and Caicos Islands (.tc)Sweden (.se)Finland (.fi)Poland (.pl)Norway (.no) Portugal (.pt)Italy (.it)France (.fr)Denmark (.de) If the top level domain is not on the list then Netsky.X will send the mail in English. The emails will have the following characteristics: Subject Re: belge (.tc)Re: dokumenten (.se)  Re: dokumentoida (.fi)Re: udokumentowac (.pl)Re: dokumentet (.no)Re: original (.pt)Re: documento (.it) Re: document (.fr)Re: dokument (.de)    Re. Document (All other) Body mutlu etmek okumak belgili tanimlik belge. (.tc)Behaga läsa dokumenten. (.se)  Haluta kuulua dokumentoida. (.fi)Podobac sie przeczytac ten udokumentowac. (.pl)Behage lese dokumentet. (.no)Leia por favor o original. (.pt)Legga prego il documento. (.it) Veuillez lire le document. (.fr)Bitte lesen Sie das Dokument. (.de)    Please read the document. (All other) Attachment belge.pif (.tc)dokumenten.pif (.se)  dokumentoida.pif (.fi)udokumentowac.pif (.pl)dokumentet.pif (.no)original.pif (.pt)documento.pif (.it) document.pif(.fr)dokument.pif (.de)    document.pif (All other)

Payload Details

 Netsky.X will attempt to perform a denial of service attack against the following sites between 28-Apr-2004 and 30-Apr-2004 using HTTP GET requests: www.nibis.deThe worm also acts as a backdoor by opening port 82 on an infected machine.





Last Updated: 12 Nov 2015 11:06:11