Alias: W32.Netsky.AD@mm
Type: Worm
Size: 31.232 bytes
Origin: unknown
Date: 10-14-2004
Damage: Sent by email
VDF Version: 6.28.00.16
Danger: Low
Distribution: Medium
General Description
Affected Operating Systems:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003
Distribution
Worm/NetSky.AD sends itself to email addresses it can find on the computer. The worm finds the email addresses in files with the following extensions:
.SCS
.adb
.asp
.dbx
.doc
.eml
.htm
.html
.oft
.php
.pl
.rtf
.sht
.tbb
.txt
.uin
.vbs
.wab
The email sent by the virus looks like this:
The body contains one of the following lines:
Policia SP
pq nao me liga??
preenche ai ta bom
promocao de viajens de fim de ano
Proposta de emprego!!
receitas de bolo!!
retorna logo isso!!
reza de sao tome!!!!.
sinto voce!!
sua conta bancaria zerada
Sua Conta!!
Surto :(
AMA!
te amo!
tudo sobre voce sabe
Vacina contra o HIV!!
ve ai logo ta
veja detalhes!!!.
veja o que tem no zip e me liga
voce passou :D!!!
Abra rapido isso!!!!
acrdito que em voce!!!
algo a mais
AmaVoce
amor me liga
arquivo zipado PGP???
Boleto Pague
campanhadafome
encontro voce!
estou doente veja!!!
falea verdade!!!
ferias nos E.U.A
ganhe muita grana
gostaria disso e voce???
grana
Hackers do Brasil
Lembra?
me diz o queacha?
me veja peladinha
Medical Labs Exames!!!
meu telefone liga
olha que isso!!!
parabens!
PizzaVeneza!
The attachment is one of the files below:
AIDS!
LINUSTOR
agua!
aqui
banco!
bingos!
lantrocidade
loterias
lulao!
missao
revista
sampa!!
botao
brasil!
carros!
circular
contas!!
criancas!
dinheiro!!
docs
email
festa!!
flipe
grana!!
grana
imposto
jogo!
sorteado!!
tetas
vaca
vadias!
vips!
voce
war3!
with the extensions: .bat, .com, .pif, .scr, .zip
If the attachment is a .ZIP archive, it contains a copy of the worm with a double extension (for example ".doc.scr"). The first extension is one of the following:
.doc
.htm
.rtf
.txt
and, for the second one:
.bat
.com
.pif
.scr
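Added example (not part of Avira's description): a Python check a mail gateway could apply for the attachment pattern described above, flagging executable attachments and ZIP members whose names end in a document extension followed by an executable one. Function names and verdict labels are hypothetical, and the sample archives are constructed in memory.

```python
import io
import zipfile

# Extension sets listed in the description above.
DECOY_EXTS = {".doc", ".htm", ".rtf", ".txt"}
EXEC_EXTS = {".bat", ".com", ".pif", ".scr"}


def has_decoy_double_extension(filename: str) -> bool:
    """True if the name ends in <document ext><executable ext>, e.g. 'a.doc.scr'."""
    # Drop any archive path and the trailing spaces/dots Windows ignores.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(" .").lower()
    parts = base.rsplit(".", 2)
    if len(parts) != 3:
        return False
    # strip(): tolerate space padding before the final extension (added hardening).
    return "." + parts[1].strip() in DECOY_EXTS and "." + parts[2] in EXEC_EXTS


def classify_attachment(name: str, data: bytes) -> str:
    """Return a verdict label for one mail attachment (labels are hypothetical)."""
    if has_decoy_double_extension(name):
        return "double-extension"
    lowered = name.lower().rstrip(" .")
    if lowered.endswith(tuple(EXEC_EXTS)):
        return "executable"
    if lowered.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                hits = [n for n in zf.namelist() if has_decoy_double_extension(n)]
        except zipfile.BadZipFile:
            return "unreadable-zip"  # hold for review instead of passing unchecked
        if hits:
            return "zip-with-double-extension"
    return "pass"


def make_zip(member_names) -> bytes:
    """Build a constructed in-memory ZIP with harmless placeholder members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in member_names:
            zf.writestr(member, b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, members in [("docs.zip", ["docs.txt.scr"]), ("notes.zip", ["a.txt"])]:
        print(name, "->", classify_attachment(name, make_zip(members)))
```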
Technical Details
Worm/NetSky.AD is a mass mailer that uses its own SMTP engine to send itself to the email addresses it can find on the infected system.
When the worm is activated, it makes the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"MsnMsgr"="%WinDIR%\MsnMsgrs.exe -alev"
The worm deletes the registry entries listed below, if available:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Taskmon"=
"Explorer"=
"KasperskyAv"=
"system."=
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\
"InProcServer32"=
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Taskmon"=
"Explorer"=
When it is started, the worm displays the following text:
"File Corrupted replace this!!"
and copies itself as \%WinDIR%\Msnmsger.exe. The worm creates ZIP archives in the Windows directory, with the following names:
AIDS!.zip
LINUSTOR.zip
agua!.zip
aqui.zip
banco!.zip
bingos!.zip
botao.zip
brasil!.zip
jogo!.zip
lantrocidade.zip
loterias.zip
lulao!.zip
missao.zip
revista.zip
sampa!!.zip
sorteado!!.zip
tetas.zip
carros!.zip
circular.zip
contas!!.zip
criancas!.zip
dinheiro!!.zip
docs.zip
email.zip
festa!!.zip
flipe.zip
grana!!.zip
grana.zip
imposto.zip
vaca.zip
vadias!.zip
vips!.zip
voce.zip
war3!.zip
The worm copies itself into all folders containing the string "share" or "sharing", on all drives, from C: to Z:, using the names:
aninha gatinha!.zip.scr
barrio.scr
cafe!!.zip.scr
Canaval2004!.jpg.pif
Carnaval em Salvador!!.zip.scr
aspa.scr
celulares!!.zip.scr
clica ai logo meu.scr
comoserrico!.zip.scr
importante!!!!!.zip.scr
minhavida!.zip.exe
MulataDandoOcujpg.scr
multas.pif
paula!.scr
puteiros!!.scr
receitas de bolo!!.zip.scr
rede globo tv!.zip.scr
ResidentEvil2.zip.scr
rocha.scr
raficoemSP!.scr
vadias peladas!!.scr
vida!!.zip.scr
VivaNaBaia!.scr
vota!.zip.scr
Description inserted by Crony Walker on Tuesday, June 15, 2004