WORM_NETSKY.B
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.Mydoom.am (Kaspersky), W32.Netsky.AI@mm (Symantec), Worm/Netsky.#1 (Avira), W32/Netsky-B (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This worm drops copies of itself in shared folders as an executable file, which has two extension names and bears the Microsoft Word icon.

The email that it sends out has the following details:

From: (spoofed and selected from the obtained email addresses)

Subject: (any of the following)
fake
hello
hi
information
read it immediately
something for you
stolen
unknown
warning

Message body: (any of the following)
about me
anything ok?
do you?
from the chatter
greetings
here
here is the document.
here it is
here, the cheats
here, the introduction
here, the serials
i found this document about you
I have your password!
i hope it is not true!
i wait for a reply!
i'm waiting
information about you
is that from you?
is that true?
is that your account?
is that your name?
kill the writer of this document!
misc
my hero
ok
read it immediately!
read the details.
reply
see you
something about you!
something is fool
something is going wrong
something is going wrong!
stuff about you?
take it easy
that is bad
that's funny
thats wrong
what does it mean?
why?
yes, really?
you are a bad writer
you are bad
you earn money
you feel the same
you try to steal
your name is wrong

Attachment: (any of the following)
aboutyou
attachment
bill
concert
creditcard
details
dinner
disco
doc
document
final
found
friend
information
jokes
location
mail2
mails
me
message
misc
msg
nomoney
note
object
part2
party
posting
product
ps
ranking
release
shower
story
stuff
swimmingpool
talk
textfile
topseller
website

The attachment may have two extension names. The first one can be any of the following extensions:

  • DOC
  • HTM
  • RTF
  • TXT

The second extension can be any of the following:

  • COM
  • EXE
  • PIF
  • SCR

The attachment may also arrive compressed in ZIP format. In that case, the attachment has the ZIP extension, but the file inside the archive may have one or two file extensions.
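A mail-filter check for the attachment naming described above, added here as an example and not taken from Trend Micro's tooling. The function names and the sample message builder are constructed for illustration; the extension sets come from the lists in this description.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

DECOY_EXTS = {"doc", "htm", "rtf", "txt"}  # first extension, per the description
EXEC_EXTS = {"com", "exe", "pif", "scr"}   # second extension, per the description


def is_suspicious_name(name, inside_zip=False):
    """True for decoy+executable double extensions; inside a ZIP a lone
    executable extension also counts, since the inner file may have one or two."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return False
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return True
    return inside_zip


def scan_message(raw):
    """Return a list of (attachment, reason) findings for one raw message."""
    findings = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue
        if is_suspicious_name(name):
            findings.append((name, "double extension"))
        elif name.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    inner = [n for n in zf.namelist() if is_suspicious_name(n, True)]
            except zipfile.BadZipFile:
                inner = []  # unreadable archive: nothing to report from this rule
            findings.extend((name, "zip contains " + n) for n in inner)
    return findings


def build_sample(filename, data):
    """Constructed test message; subject and body are taken from the lists above."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "stolen"
    msg.set_content("here is the document.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

The rule keys on file names only, so a benign single-extension attachment such as `report.doc` passes and a directly attached `setup.exe` is left to other policy.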

It gets its target recipients from files with certain extensions in drives C to Z.

This worm also deletes the autorun registry entries created by the following worms in an attempt to prevent their execution at every system startup:

This UPX-compressed malware runs on Windows 95, 98, ME, NT, 2000, and XP.


Description created: Feb. 18, 2004 12:00:00 AM GMT -0800
Description updated: May. 17, 2004 12:14:09 AM GMT -0800
