W32/Netsky-AA

Discussion in 'malware problems & news' started by Marianna, Apr 27, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Aliases
    W32/Netsky.aa@MM virus, INFECTED I-Worm.NetSky.ab

    Type
    Win32 worm

    Description
    W32/Netsky-AA is a mass-mailing worm. When started, the worm copies itself to the Windows folder using the name winlogon.scr and sets the following registry entry to auto-start on user logon:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    SkynetsRevenge = <WINDOWS>\winlogon.scr

    W32/Netsky-AA will harvest email addresses from files on any fixed drives with the following extensions:

    EML TXT PHP CFG MBX MDX ASP WAB DOC VBS RTF UIN SHTM CGI DHTM ADB TBB DBX PL HTM HTML SHT OFT MSG ODS STM XLS JSP WSH XML MHT MMF NCH PPT

    The subject lines and message texts are constructed randomly from the following building blocks:

    Subject Lines:

    Re: Document
    Re: Approved
    Re: Text
    Re: Thank you!
    Re: Details
    Re: Photos
    Re: Private
    Re: Information
    Re: Hi
    Re: Hello
    Re: Summary
    Re: Step by Step
    Re: Music
    Re: Application
    Re: Tel. Numbers
    Re: List
    Re: Text file
    Re: Paint file
    Re: Contacts
    Re: e-Books
    Re: Bill
    Re: Error
    Re: Missed
    Re: Letter
    Re: Product
    Re: Website
    Re: Movie
    Re: Presentation
    Re: Advice
    Re: Fax number
    Re: Cheaper
    Re: War
    Re: Demo
    Re: Final
    Re: Poster
    Re: Patch
    Re: Pricelist
    Re: Job

    Message Texts:

    For furher details see the attached file.
    Your file is attached.
    Please read the attached file.
    Please have a look at the attached file.
    Please take the attached file.
    See the attached file for details.
    Please view the attached file.
    Here is the file.
    Your document is attached.

    Attachment names:

    Your_Job.pif
    Your_Pricelist.pif
    Your_Patch.pif
    Your_Poster.pif
    Your_Final_Document.pif
    Your_Demo.pif
    Osam_Bin_Laden_Articel_42.pif
    Your_Product_List.pif
    My_Fax_Numbers.pif
    My_Advice.pif
    Your_Presentation.pif
    Your_Movie.pif
    Your_Website.pif
    Your_Product.pif
    Your_Letter.pif
    Your_Excel_Document.pif
    Your_Error.pif
    Your_Bill.pif
    Your_E-Books.pif
    Your_Contacts.pif
    Your_Paint_File.pif
    Your_Text_File.pif
    Your_List.pif
    My_Telephone_Numbers.pif
    Your_Software.pif
    Your_Music.pif
    Your_Description.pif
    Your_Summary.pif
    Your_Digicam_Pictures.pif
    Your_Information.pif
    Your_Private_Document.pif
    Your_Pics.pif
    Your_Details.pif
    Your_Document_Part3.pif
    Your_Text.pif
    Your_Document.pif

    http://www.sophos.com/virusinfo/analyses/w32netskyaa.html
     