W32/Netsky-J

Discussion in 'malware problems & news' started by Marianna, Mar 8, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter
    Joined: Apr 23, 2002
    Posts: 1,215
    Location: B.C. Canada

    Type
    Win32 worm

    Description
    W32/Netsky-J is a mass mailing worm that uses its own SMTP engine to email itself to addresses harvested from files on local drives.
    In order to run automatically when the user logs on to the computer, the worm copies itself to the file winlogon.exe in the Windows folder and creates the following registry entry:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ICQ Net = <Windows folder>\winlogon.exe -stealth

    Emails have the following characteristics:

    Subject lines:

    Re: Your website
    Re: Your product
    Re: Your letter
    Re: Your archive
    Re: Your text
    Re: Your bill
    Re: Your details
    Re: My details
    Re: Word file
    Re: Excel file
    Re: Details
    Re: Approved
    Re: Your software
    Re: Your music
    Re: Here
    Re: Re: Re: Your document
    Re: Hello
    Re: Hi
    Re: Re: Message
    Re: Your picture
    Re: Here is the document
    Re: Your document
    Re: Thanks!
    Re: Re: Thanks!
    Re: Re: Document
    Re: Document

    Message texts:

    Your file is attached.
    Please read the attached file.
    Please have a look at the attached file.
    See the attached file for details.
    Here is the file.
    Your document is attached.

    Attached filename:

    your_website.pif
    your_product.pif
    your_letter.pif
    your_archive.pif
    your_text.pif
    your_bill.pif
    your_details.pif
    document_word.pif
    document_excel.pif
    my_details.pif
    all_document.pif
    application.pif
    mp3music.pif
    yours.pif
    document_4351.pif
    your_file.pif
    message_details.pif
    your_picture.pif
    document_full.pif
    message_part2.pif
    document.pif
    your_document.pif

    Analysis of W32/Netsky-J is continuing. A fuller description will be available shortly. Please check again later.

    http://www.sophos.com/virusinfo/analyses/w32netskyj.html
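Added example (mine, not Sophos's and not from the original post): the description above gives a complete set of mail indicators (subjects, body texts, .pif attachment names) plus one persistence indicator (a Run value named "ICQ Net" pointing at winlogon.exe in the Windows folder with a -stealth switch). The script below turns those into two checks: `scan_message` matches a raw RFC 822 message against the mail indicators, and `classify_run_entry` explains why a Run-key value looks like this worm's persistence. The indicator strings are transcribed from the description; the matching logic, the sample messages (constructed for the example) and the observation that the genuine winlogon.exe lives in System32 and is never started from a Run key are my own additions. `scan_run_keys` only does real work on Windows.

```python
"""Netsky-J indicator matching (added example; indicator strings are from the
Sophos description above, the logic is not Sophos's or the forum's code)."""
import email
import ntpath
import re
from email import policy

NETSKY_J_SUBJECTS = {
    "Re: Your website", "Re: Your product", "Re: Your letter", "Re: Your archive",
    "Re: Your text", "Re: Your bill", "Re: Your details", "Re: My details",
    "Re: Word file", "Re: Excel file", "Re: Details", "Re: Approved",
    "Re: Your software", "Re: Your music", "Re: Here", "Re: Re: Re: Your document",
    "Re: Hello", "Re: Hi", "Re: Re: Message", "Re: Your picture",
    "Re: Here is the document", "Re: Your document", "Re: Thanks!",
    "Re: Re: Thanks!", "Re: Re: Document", "Re: Document",
}
NETSKY_J_BODIES = {
    "Your file is attached.", "Please read the attached file.",
    "Please have a look at the attached file.", "See the attached file for details.",
    "Here is the file.", "Your document is attached.",
}
NETSKY_J_ATTACHMENTS = {
    "your_website.pif", "your_product.pif", "your_letter.pif", "your_archive.pif",
    "your_text.pif", "your_bill.pif", "your_details.pif", "document_word.pif",
    "document_excel.pif", "my_details.pif", "all_document.pif", "application.pif",
    "mp3music.pif", "yours.pif", "document_4351.pif", "your_file.pif",
    "message_details.pif", "your_picture.pif", "document_full.pif",
    "message_part2.pif", "document.pif", "your_document.pif",
}
NETSKY_J_RUN_VALUE = "ICQ Net"
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample messages (not real captures): one worm-style, one benign.
SAMPLE_WORM_MAIL = (
    b"From: alice@example.com\r\nTo: bob@example.com\r\n"
    b"Subject: Re: Your document\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nYour document is attached.\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="your_document.pif"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n--b1--\r\n"
)
SAMPLE_CLEAN_MAIL = (
    b"From: alice@example.com\r\nTo: bob@example.com\r\n"
    b"Subject: Meeting notes\r\n\r\nSee you at 10.\r\n"
)


def scan_message(raw):
    """Return the Netsky-J indicators found in a raw message (bytes); [] if none.

    Subject and body must match an indicator exactly (case-insensitive); any
    .pif attachment is reported, listed name or not, since .pif in mail is a
    red flag on its own.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject.lower() in {s.lower() for s in NETSKY_J_SUBJECTS}:
        hits.append(f"subject: {subject!r}")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = body.get_content().strip()
        if text.lower() in {b.lower() for b in NETSKY_J_BODIES}:
            hits.append(f"body: {text!r}")
    for part in msg.iter_attachments():
        name = str(part.get_filename() or "").strip()
        if name.lower() in NETSKY_J_ATTACHMENTS:
            hits.append(f"attachment: {name!r}")
        elif name.lower().endswith(".pif"):
            hits.append(f"pif attachment: {name!r}")
    return hits


def classify_run_entry(value_name, command):
    """Explain why a Run value (name, data) matches the worm's persistence, else None.

    The real winlogon.exe lives in %SystemRoot%\\System32 and is started by the
    session manager, not from a Run key, so any Run entry naming it is bogus.
    """
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))(.*)', command or "")
    if not m:
        return None
    exe = ntpath.basename(m.group(1) or m.group(2) or "").lower()
    args = [a.lower() for a in m.group(3).split()]
    reasons = []
    if value_name.lower() == NETSKY_J_RUN_VALUE.lower():
        reasons.append("value name 'ICQ Net'")
    if exe == "winlogon.exe":
        reasons.append("winlogon.exe launched from a Run key")
    if "-stealth" in args:
        reasons.append("-stealth switch")
    return "; ".join(reasons) or None


def scan_run_keys():
    """On Windows, read HKLM\\...\\Run and return [(name, data, reason)] for hits."""
    try:
        import winreg  # only present on Windows
    except ImportError:
        return []
    flagged = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            i += 1
            reason = classify_run_entry(name, str(data))
            if reason:
                flagged.append((name, str(data), reason))
    return flagged


if __name__ == "__main__":
    print(scan_message(SAMPLE_WORM_MAIL))
    print(classify_run_entry("ICQ Net", r"C:\WINDOWS\winlogon.exe -stealth"))
    print(scan_run_keys())
```

Exact-match on subject and body is deliberate: the worm uses these strings verbatim, and a looser match on "Re: Hi" or "Here is the file." would flag a lot of legitimate mail. The .pif catch-all is the more durable rule; the named lists only add attribution.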
     