W32/Netsky.w@MM

Discussion in 'malware problems & news' started by Marianna, Apr 16, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Virus Information
    Discovery Date: 04/16/2004
    Origin: Unknown
    Length: 24,064 bytes
    Type: Virus
    SubType: E-mail

    --Update 04/16/2004 14:30 PST
    W32/Netsky.w@MM has been updated to low-profiled due to press at http://www.techweb.com/wire/story/TWB20040416S0007

    --

    This variant of W32/Netsky is similar to W32/Netsky.n@MM. It bears the following characteristics:

    constructs messages using its own SMTP engine
    harvests email addresses from the victim machine
    spoofs the From: address of messages

    This worm is detected with current DATs as W32/Netsky.gen@MM with scanning compressed files enabled. Specific detection will be added to the 4352 DATs.

    Mail Propagation

    Email addresses are harvested from the victim machine. Files with the following extensions are searched:

    .adb
    .asp
    .cgi
    .dbx
    .dhtm
    .doc
    .eml
    .htm
    .html
    .jsp
    .msg
    .oft
    .php
    .pl
    .rtf
    .sht
    .shtm
    .tbb
    .txt
    .uin
    .vbs
    .wab
    .wsh
    .xml

    Constructed messages bear the following characteristics:

    From: (forged address taken from infected system)
    Subject: (Taken from the following list)

    Part 1 (one of the following)

    Re:
    Re: Re:

    Part 2 (one of the following)

    my
    your
    (blank)

    Part 3 (one of the following)

    http://vil.nai.com/vil/content/v_104470.htm
     