Discussion in 'malware problems & news' started by Marianna, Mar 10, 2004.

Thread Status:
Not open for further replies.
  1. Marianna (Spyware Fighter, B.C. Canada, member since Apr 23, 2002)

    Discovered on: March 10, 2004
    Last Updated on: March 10, 2004 03:26:18 PM

    W32.Netsky.M@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives.

    The "sender" of the email is spoofed, and its subject, message body, and attachment vary. The attachment has a .pif extension.

    This threat is compressed with UPX.

    Symantec Consumer products that support the Worm Blocking functionality automatically detect this threat as it attempts to spread.
    The worm has an MD5 hash value of 0xC32DB5E91758E38CD8A46ACC85109CF2.

    Type: Worm

    When W32.Netsky.K@mm runs, it does the following:

    Creates a mutex named "Rabbo_Mutex". This mutex allows only one instance of the worm to execute.

    Copies itself as %Windir%\AVprotect9x.exe

    Adds the value:


    to the registry key:


    so that the worm runs when you start Windows.

    Retrieves email addresses from the files with the following extensions on drives C through Z:


    Uses its own SMTP engine to send itself to the email addresses it finds. The worm uses the local DNS server (retrieved using an API call), if available, to perform an MX lookup for the recipient address. If the local DNS fails, it will perform the lookup from the following list of hard-coded servers:

    The email has the following characteristics:

    From: <Spoofed>

    Subject: The subject line is one of the following:

    Re: <%s> Requested file
    Re: <%s> My file
    Re: <%s> My document
    Re: <%s> My information
    Re: <%s> My details
    Re: <%s> Information
    Re: <%s> Improved
    Re: <%s> Requested document
    Re: <%s> Document
    Re: <%s> Details
    Re: <%s> Your document
    Re: <%s> Your details
    Re: <%s> Approved

    Message: The message is one of the following:

    Details for %s.
    Document %s.
    I have received your document. The improved document %s is attached.
    I have attached your document %s.
    Your document %s is attached to this mail.
    Authentification for %s required.
    Requested file %s.
    See the file %s.
    Please read the important message msg_%s.
    Please confirm the document %s.
    %s is attached.
    Your file %s is attached.
    Please read the document %s.
    Your document %s is attached.
    Please read the attached file %s.
    Please see the attached file %s for details..

    Attachment: The attachment is one of the following:


    where %s is the portion of the "To" address before the "@".

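The write-up above gives two mail-side indicators that a gateway or mailbox scanner can check cheaply: a subject built from one of thirteen fixed templates with the recipient's local part substituted for %s, and a .pif attachment. The following is an added example (not Symantec's code or anything from the original post) that matches a raw RFC 822 message against exactly those indicators; the sample message is constructed, not a real capture.

```python
import re
from email import message_from_string

# Subject templates listed in the write-up; %s is the part of the "To" address before "@".
SUBJECT_TEMPLATES = [
    "Re: <%s> Requested file", "Re: <%s> My file", "Re: <%s> My document",
    "Re: <%s> My information", "Re: <%s> My details", "Re: <%s> Information",
    "Re: <%s> Improved", "Re: <%s> Requested document", "Re: <%s> Document",
    "Re: <%s> Details", "Re: <%s> Your document", "Re: <%s> Your details",
    "Re: <%s> Approved",
]

def local_part(addr: str) -> str:
    """Portion of an address before '@', with any display name stripped."""
    m = re.search(r"<([^>]+)>", addr)
    return (m.group(1) if m else addr.strip()).split("@", 1)[0]

def has_pif_attachment(msg) -> bool:
    """True if any MIME part carries a filename ending in .pif."""
    return any((p.get_filename() or "").lower().endswith(".pif") for p in msg.walk())

def score_netsky_m(raw: str) -> dict:
    """Match a raw RFC 822 message against the write-up's subject and attachment indicators."""
    msg = message_from_string(raw)
    expected = {t.replace("%s", local_part(msg.get("To", ""))) for t in SUBJECT_TEMPLATES}
    subject_hit = msg.get("Subject", "").strip() in expected
    pif = has_pif_attachment(msg)
    return {"subject_template": subject_hit, "pif_attachment": pif, "suspect": subject_hit and pif}

# Constructed sample message (not a real capture) in the shape the write-up describes.
SAMPLE = """From: spoofed@example.net
To: alice@example.org
Subject: Re: <alice> Your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your document alice is attached.
--b1
Content-Type: application/octet-stream; name="alice.pif"
Content-Disposition: attachment; filename="alice.pif"

MZ
--b1--
"""
```

Because the subject is derived from the recipient's own local part, the check is per-message rather than a static string list, which is what makes it hold up against the thirteen subject variants.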