W32.Netsky.M@mm

Discussion in 'malware problems & news' started by Marianna, Mar 10, 2004.

  1. Marianna (Spyware Fighter)

    Discovered on: March 10, 2004
    Last Updated on: March 10, 2004 03:26:18 PM

    W32.Netsky.M@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives.

    The "sender" of the email is spoofed, and its subject, message body, and attachment vary. The attachment has a .pif extension.

    This threat is compressed with UPX.


    --------------------------------------------------------------------------------
    Notes:
    Symantec Consumer products that support the Worm Blocking functionality automatically detect this threat as it attempts to spread.
    The worm has an MD5 hash value of 0xC32DB5E91758E38CD8A46ACC85109CF2.
    --------------------------------------------------------------------------------

    Type: Worm

    When W32.Netsky.K@mm runs, it does the following:

    Creates a mutex named "Rabbo_Mutex". This mutex allows only one instance of the worm to execute.

    Copies itself as %Windir%\AVprotect9x.exe

    Adds the value:

    "9xHtProtect"="%Windir%\AVprotect9x.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.

    Retrieves email addresses from the files with the following extensions on drives C through Z:

    .adb
    .asp
    .cgi
    .dbx
    .dhtm
    .doc
    .eml
    .htm
    .html
    .jsp
    .msg
    .oft
    .php
    .pl
    .rtf
    .sht
    .shtm
    .tbb
    .txt
    .uin
    .vbs
    .wab
    .wsh
    .xml


    Uses its own SMTP engine to send itself to the email addresses it finds. The worm uses the local DNS server (retrieved using an API call), if available, to perform an MX lookup for the recipient address. If the local DNS fails, it will perform the lookup from the following list of hard-coded servers:

    12.82.159.180
    133.9.220.117
    137.132.19.110
    137.189.6.1
    140.117.100.120
    163.121.199.3
    168.160.212.8
    192.150.249.10
    194.2.229.10
    194.209.114.1
    194.85.8.220
    195.112.195.34
    195.161.113.189
    200.74.214.246
    202.30.64.5
    202.44.144.33
    202.99.104.68
    203.162.0.11
    203.81.44.47
    210.66.241.1
    211.169.245.170
    217.117.203.2
    61.100.23.164
    62.32.50.204
    81.26.161.16


    The email has the following characteristics:

    From: <Spoofed>

    Subject: The subject line is one of the following:

    Re: <%s> Requested file
    Re: <%s> My file
    Re: <%s> My document
    Re: <%s> My information
    Re: <%s> My details
    Re: <%s> Information
    Re: <%s> Improved
    Re: <%s> Requested document
    Re: <%s> Document
    Re: <%s> Details
    Re: <%s> Your document
    Re: <%s> Your details
    Re: <%s> Approved

    Message: The message is one of the following:

    Details for %s.
    Document %s.
    I have received your document. The improved document %s is attached.
    I have attached your document %s.
    Your document %s is attached to this mail.
    Authentification for %s required.
    Requested file %s.
    See the file %s.
    Please read the important message msg_%s.
    Please confirm the document %s.
    %s is attached.
    Your file %s is attached.
    Please read the document %s.
    Your document %s is attached.
    Please read the attached file %s.
    Please see the attached file %s for details..

    Attachment: The attachment is one of the following:

    improved_%s.pif
    message_%s.pif
    detailed_%s.pif
    your_document_%s.pif
    word_doc_%s.pif
    doc_%s.pif
    articel_%s.pif
    picture_%s.pif
    file_%s.pif
    your_file_%s.pif
    details_%s.pif
    document_%s.pif
    %s.pif

    where %s is the portion of the "To" address before the "@".

    http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.m@mm.html
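The email templates quoted in the write-up above share one useful property for mail-gateway triage: every subject, body and attachment name is built from the recipient's own local part (the text before the "@" in the "To" address). The script below is an added example, not code from the Symantec write-up or from Marianna's post; the only facts it takes from the advisory are the three template lists and the %s rule. The two sample messages at the bottom are constructed for the demonstration, the function names are mine, and the verdict thresholds are an assumption (attachment name plus one other indicator).

```python
import re
from typing import Optional
from email import message_from_string
from email.message import Message

# Templates copied from the advisory; %s stands for the recipient's local part.
SUBJECT_TEMPLATES = [
    "Re: <%s> Requested file", "Re: <%s> My file", "Re: <%s> My document",
    "Re: <%s> My information", "Re: <%s> My details", "Re: <%s> Information",
    "Re: <%s> Improved", "Re: <%s> Requested document", "Re: <%s> Document",
    "Re: <%s> Details", "Re: <%s> Your document", "Re: <%s> Your details",
    "Re: <%s> Approved"]
BODY_TEMPLATES = [
    "Details for %s.", "Document %s.",
    "I have received your document. The improved document %s is attached.",
    "I have attached your document %s.", "Your document %s is attached to this mail.",
    "Authentification for %s required.", "Requested file %s.", "See the file %s.",
    "Please read the important message msg_%s.", "Please confirm the document %s.",
    "%s is attached.", "Your file %s is attached.", "Please read the document %s.",
    "Your document %s is attached.", "Please read the attached file %s.",
    "Please see the attached file %s for details.."]
ATTACHMENT_TEMPLATES = [
    "improved_%s.pif", "message_%s.pif", "detailed_%s.pif", "your_document_%s.pif",
    "word_doc_%s.pif", "doc_%s.pif", "articel_%s.pif", "picture_%s.pif",
    "file_%s.pif", "your_file_%s.pif", "details_%s.pif", "document_%s.pif", "%s.pif"]

_ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def recipient_local_part(msg: Message) -> Optional[str]:
    """Part before '@' of the first address in the To header, or None if absent."""
    m = _ADDR_RE.search(msg.get("To", ""))
    return m.group(0).split("@", 1)[0] if m else None


def _matches(value: str, templates: list, local_part: str) -> bool:
    """True if value equals one of the templates with %s replaced by local_part."""
    return any(value == t.replace("%s", local_part) for t in templates)


def _attachment_names(msg: Message) -> list:
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def _body_text(msg: Message) -> str:
    """First non-attachment text/plain part, decoded and stripped."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True)
            if payload is not None:
                return payload.decode(part.get_content_charset() or "utf-8", "replace").strip()
    return ""


def triage(raw_message: str) -> dict:
    """Score one RFC 822 message against the Netsky.M templates.

    The attachment name is the strongest indicator (always .pif, always embeds the
    local part); subject and body alone are generic enough to be benign, so the
    verdict (an assumed threshold) requires the attachment plus one more hit.
    """
    msg = message_from_string(raw_message)
    lp = recipient_local_part(msg)
    result = {"local_part": lp, "subject": False, "body": False, "attachment": False}
    if lp is None:
        result["verdict"] = "no-recipient"
        return result
    result["subject"] = _matches(msg.get("Subject", "").strip(), SUBJECT_TEMPLATES, lp)
    result["body"] = _matches(_body_text(msg), BODY_TEMPLATES, lp)
    result["attachment"] = any(_matches(n, ATTACHMENT_TEMPLATES, lp)
                               for n in _attachment_names(msg))
    hits = sum(result[k] for k in ("subject", "body", "attachment"))
    if result["attachment"] and hits >= 2:
        result["verdict"] = "netsky.m-pattern"
    elif hits:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "clean"
    return result


# Constructed sample messages (not real captures); the attachment body is a placeholder.
SAMPLE_WORM = """\
From: someone@example.net
To: alice@example.com
Subject: Re: <alice> My document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your document alice is attached.
--b1
Content-Type: application/octet-stream; name="document_alice.pif"
Content-Disposition: attachment; filename="document_alice.pif"

placeholder bytes
--b1--
"""
SAMPLE_BENIGN = "From: bob@example.net\nTo: alice@example.com\nSubject: Re: meeting notes\n\nSee you at 3.\n"

if __name__ == "__main__":
    print(triage(SAMPLE_WORM))
    print(triage(SAMPLE_BENIGN))
```

The comparison is exact rather than fuzzy on purpose: the worm fills the templates verbatim, so an exact match on three independent fields keyed to the same local part is a much lower-false-positive signal than any of the phrases on its own. RFC 2047-encoded subjects are not decoded here; a gateway deployment would decode them before calling triage().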