WORM_NETSKY.AB - Description and solution

TrendLabs Malware Blog

Glossary

TrendWatch

TrendLabs Twitter

WORM_NETSKY.AB

Overview

Solution

Technical Details

Malware type: Worm

Aliases: Email-Worm.Win32.NetSky.ac (Kaspersky), W32/Netsky.ab@MM (McAfee), W32.Netsky.AB@mm (Symantec), Worm/Netsky.AB (Avira), Mal/Generic-A (Sophos),

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:
Damage potential:		High
Distribution potential:		High

Description:

This NETSKY variant propagates via email.

To spread, it sends copies of itself via SMTP (Simple Mail Transfer Protocol). It harvests email addresses from files located in drives C to Z (including fixed, remote and removable drives, but excluding the CD ROM drive), and with particular extension names. This worm also avoids email addresses containing certain substrings.

The details of the email this worm sends out is as follows:

From: <Spoofed>
This value is taken from the list of harvested email addresses.

Subject: (any of the following)
� Correction
� Criminal
� Found
� Funny
� Hurts
� Letter
� Letter
� Money
� More samples
� Numbers
� Only love?
� Password
� Picture
� Pictures
� Privacy
� Question
� Stolen
� Text
� Wow

Message body: (any of the following)
� Are your numbers correct?
� Do you have asked me?
� Do you have more photos about you?
� Do you have more samples?
� Do you have no money?
� Do you have written the letter?
� Does it hurt you?
� Hey, are you criminal?
� How can I help you?
� I've found your creditcard. Check the data!
� I've your password. Take it easy!
� Please do not sent me your illegal stuff again!!!
� Please use the font arial!
� Still?
� The text you sent to me is not so good!
� True love letter?
� Why do you show your body?
� Wow! Why are you so shy?
� You have no chance...
� Your pictures are good!

Attachment: (any of the following)
� abuses.pif
� all_pictures.pif
� corrected_doc.pif
� document1.pif
� hurts.pif
� image034.pif
� loveletter02.pif
� my_stolen_document.pif
� myabuselist.pif
� passwords02.pif
� pin_tel.pif
� visa_data.pif
� your_bill.pif
� your_letter.pif
� your_letter_03.pif
� your_picture.pif
� your_picture01.pif
� your_text.pif
� your_text01.pif

This worm may also use the email address xdfggra@yahoo.com to spoof the "FROM:" field of the malware email messages.

The following are sreenshots of sample email messages sent by this worm:

It also deletes entries created by the BAGLE worm.

It runs on Windows 95, 98, ME, NT, 2000 and XP.

For additional information about this threat, see:
Solution
Technical Details

Description created: Apr. 28, 2004 12:38:20 PM GMT -0800
Description updated: Apr. 28, 2004 4:23:24 AM GMT -0800

Search a new malware

Tell us how we did. Take our quick survey.