Description:
This memory-resident worm uses its own SMTP engine to propagate via email. It sends email with the following details:
Subject: (any of the following)
Re: Approved
Re: Details
Re: Document
Re: Excel file
Re: Hello
Re: Here
Re: Here is the document
Re: Hi
Re: My details
Re: Re: Document
Re: Re: Message
Re: Re: Re: Your document
Re: Re: Thanks!
Re: Thanks!
Re: Word file
Re: Your archive
Re: Your bill
Re: Your details
Re: Your document
Re: Your letter
Re: Your music
Re: Your picture
Re: Your product
Re: Your software
Re: Your text
Re: Your website
Message Body: (any of the following)
Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.
Attachment: (any of the following)
all_document.pif
application.pif
document.pif
document_4351.pif
document_excel.pif
document_full.pif
document_word.pif
message_details.pif
message_part2.pif
mp3music.pif
my_details.pif
your_archive.pif
your_bill.pif
your_details.pif
your_document.pif
your_file.pif
your_letter.pif
your_picture.pif
your_product.pif
your_text.pif
your_website.pif
yours.pif
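The subject, body and attachment lists above can be applied as a mail-gateway check. This is an added example, not code from the original description: the function names, the quarantine policy and the sample messages are assumptions, and flagging any other .pif attachment goes beyond the names listed here.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
# Indicator strings copied from the description above.
SUBJECTS = {"Re: " + s for s in (
    "Approved|Details|Document|Excel file|Hello|Here|Here is the document|Hi|"
    "My details|Re: Document|Re: Message|Re: Re: Your document|Re: Thanks!|"
    "Thanks!|Word file|Your archive|Your bill|Your details|Your document|"
    "Your letter|Your music|Your picture|Your product|Your software|"
    "Your text|Your website").split("|")}
BODIES = {"Your file is attached.", "Please read the attached file.",
          "Please have a look at the attached file.", "Here is the file.",
          "See the attached file for details.", "Your document is attached."}
ATTACHMENTS = {n + ".pif" for n in (
    "all_document application document document_4351 document_excel "
    "document_full document_word message_details message_part2 mp3music "
    "my_details your_archive your_bill your_details your_document your_file "
    "your_letter your_picture your_product your_text your_website yours").split()}

def netsky_indicators(raw: bytes) -> list:
    """Return which of the listed indicators a raw RFC 5322 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if " ".join(str(msg["Subject"] or "").split()) in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() in BODIES:
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
        elif name.endswith(".pif"):  # assumption: any other .pif deserves review
            hits.append("other-pif:" + name)
    return hits

def quarantine(raw: bytes) -> bool:
    """Assumed policy: a listed attachment plus a listed subject or body."""
    hits = netsky_indicators(raw)
    has_file = any(h.startswith("attachment:") for h in hits)
    return has_file and ("subject" in hits or "body" in hits)

def build_sample(subject, text, filename=None) -> bytes:  # constructed test data
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(text)
    if filename:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A subject match alone is weak evidence because the listed subjects are common reply lines, which is why the assumed policy requires a listed attachment as well.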
Below is a screenshot of a sample email sent out by this worm:
This worm drops a copy of itself as the file WINLOGON.EXE in the Windows folder. It creates a thread for searching email addresses, which it gathers from files with specific extensions, in drives C to Z (except for the CD-ROM drive).
(Note: On Windows NT, 2000 and XP, there is a normal application named WINLOGON.EXE in the Windows system folder.)
It connects to a local DNS server or to several external DNS servers, which it uses as its SMTP server, to search for a mail exchanger that matches the domain yahoo.com.
This malware arrives as a Petite-compressed executable file and is written using Microsoft Visual C++, a high-level programming language.
It runs on Windows 95, 98, ME, NT, 2000, and XP.
Note that one reported sample of this NETSKY variant sends the spammed email through BCC. For more information, see Other Details.
For additional information about this threat, see: Solution, Technical Details
Description created: Mar. 1, 2004 2:17:14 AM GMT -0800