Virus: Worm/Netsky.S.1
Date discovered: 31/03/2004
Type: Worm
In the wild: Yes
Reported infections: Low
Distribution potential: Low to medium
Damage potential: Low to medium
Static file: Yes
File size: 20,624 bytes
MD5 checksum: 5bbb322a70a6a248369f45ece8d9e79b
IVDF version: 6.24.00.78 - Wednesday, March 31, 2004

General
Method of propagation:
   • Email


Aliases:
   •  Mcafee: W32/Netsky.r
   •  Sophos: W32/Netsky-R
   •  Panda: W32/Netsky.R.worm
   •  Eset: Win32/Netsky.P
   •  Bitdefender: Win32.Netsky.R@mm


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops malicious files
   • Uses its own Email engine
   • Registry modification

Files
It copies itself to the following location:
   • %WINDIR%\pandaavengine.exe



The following files are created:
   • %WINDIR%\uinmzertinmds.opm
     Further investigation showed that this file is malware, too. Detected as: Worm/Netsky.R
   • %WINDIR%\temp09094283.dll
     Further investigation showed that this file is malware, too. Detected as: Worm/Netsky.S.2

Registry
The following value is added in order to run the process after reboot:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "PandaAVEngine"="%WINDIR%\PandaAVEngine.exe"
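The dropped-file and registry indicators above are what a responder turns into a host check. The following is an added example, not part of the Avira description and not code from the worm or the vendor: it looks for the three file names in %WINDIR%, checks the worm body against the size and MD5 given on this page, and matches the Run value by name or by data. It assumes that %WINDIR% is supplied by the caller and that registry values are handed in as (key, name, data) triples, for instance from a parsed "reg export"; the function names (check_windir, classify_file, check_run_values) are the example's own.

```python
import hashlib
import os
import re

# Indicators copied from the description above. Only the worm body itself has a hash
# and size on the page; the two other dropped files are matched by name only.
NETSKY_S1_MD5 = "5bbb322a70a6a248369f45ece8d9e79b"
NETSKY_S1_SIZE = 20624
DROPPED_FILES = {                      # lower-case file name -> detection name on the page
    "pandaavengine.exe": "Worm/Netsky.S.1",
    "uinmzertinmds.opm": "Worm/Netsky.R",
    "temp09094283.dll": "Worm/Netsky.S.2",
}
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "pandaavengine"
RUN_VALUE_DATA_RE = re.compile(r"pandaavengine\.exe\s*$", re.IGNORECASE)


def md5_of_file(path, chunk=65536):
    """Hex MD5 of a file, read in chunks. MD5 is used here only as a sample identifier."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify_file(name, size=None, md5=None):
    """Map a file name found in %WINDIR% to (detection, hash_match).
    hash_match is True/False for the worm body (size and MD5 checked against the page),
    None where the page gives no hash; names not in the list return None."""
    det = DROPPED_FILES.get(name.lower())
    if det is None:
        return None
    if name.lower() == "pandaavengine.exe":
        return det, (size == NETSKY_S1_SIZE and md5 == NETSKY_S1_MD5)
    return det, None


def check_windir(windir):
    """Scan the top level of %WINDIR% (the page lists no subfolders) for the dropped
    files. Returns a list of (path, detection, hash_match)."""
    findings = []
    try:
        names = os.listdir(windir)
    except OSError:
        return findings
    for name in names:
        path = os.path.join(windir, name)
        if not os.path.isfile(path) or name.lower() not in DROPPED_FILES:
            continue
        size = os.path.getsize(path)
        # Only hash the file when the size matches; a different size can never match the MD5.
        md5 = md5_of_file(path) if size == NETSKY_S1_SIZE else None
        findings.append((path,) + classify_file(name, size, md5))
    return findings


def check_run_values(run_values):
    """run_values: iterable of (key, value_name, value_data) as exported from the registry
    (on a live host via winreg or 'reg export'; constructed data is used below).
    Returns the entries that match the worm's autostart value, by name or by data."""
    hits = []
    for key, name, data in run_values:
        if key.lower() != RUN_KEY.lower():
            continue
        if name.lower() == RUN_VALUE_NAME or RUN_VALUE_DATA_RE.search(data or ""):
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    windir = os.environ.get("WINDIR", r"C:\Windows")
    for finding in check_windir(windir):
        print("file:", finding)
    # Constructed registry entries, standing in for a real export of the Run key.
    sample = [(RUN_KEY, "PandaAVEngine", r"C:\WINDOWS\PandaAVEngine.exe"),
              (RUN_KEY, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe")]
    for hit in check_run_values(sample):
        print("registry:", hit)
```

The name match is deliberately case-insensitive: the page itself spells the file both as pandaavengine.exe and PandaAVEngine.exe, and NTFS does not distinguish them. A file with the right name but a different hash is still reported, since the other Netsky.S variants drop under the same name.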

Email
It contains an integrated SMTP engine in order to send emails and establishes a direct connection to the destination mail server. It also uses the Messaging Application Programming Interface (MAPI) to send emails. The characteristics are described in the following:


To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
The subject of the email is constructed out of the following:

    It starts with one of the following:
   • Re:

    Continued by one of the following:
   • Document

    Continued by one of the following:
   • %number%


Body:
– Contains HTML code.
The body of the email is one of the following:

   • Your document is attached.


Continued by the following:

   • No virus found
     Powered by the new Norton OnlineScan
     Get protected:


Attachment:

–  It starts with one of the following:
   • Document

Continued by one of the following:
   • %number%

    Continued by one of the following extensions (a .pif file is run by Windows as an executable, so the attachment executes when opened):
   • .pif

The attachment is a copy of the malware itself.
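The subject, body and attachment pattern above is enough for a mail-gateway rule. The following is an added example, not part of the Avira description: it parses a raw message with Python's email package, scores the three lure features separately and flags a message when at least two of them are present, so that an ordinary reply with the subject "Re: Document 12" is not flagged on the subject alone. It assumes %number% is a run of digits (the page gives no format for it) and that the parts may or may not be separated by a space; both sample messages are constructed for the example, not captured worm mail, and the function names are the example's own.

```python
import email
import re
from email import policy

# Lure features from the description above. %number% is taken to be a run of digits
# (an assumption: the page gives no format for it). Spaces between the parts are optional.
SUBJECT_RE = re.compile(r"^Re:\s*Document\s*\d+\s*$", re.IGNORECASE)
ATTACHMENT_RE = re.compile(r"^Document\s*\d+\.pif$", re.IGNORECASE)
BODY_MARKERS = ("your document is attached",
                "no virus found",
                "powered by the new norton onlinescan")
TAG_RE = re.compile(r"<[^>]+>")


def normalize_html(html):
    """Drop HTML tags and collapse whitespace so marker phrases match across <br>/<p>."""
    return " ".join(TAG_RE.sub(" ", html).lower().split())


def score_lure(subject, body_html, attachment_names):
    """Return (score, reasons) for one message: one point each for the subject pattern,
    the full set of body phrases, and a Document<n>.pif attachment."""
    reasons = []
    if SUBJECT_RE.match(subject or ""):
        reasons.append("subject")
    text = normalize_html(body_html or "")
    if all(m in text for m in BODY_MARKERS):
        reasons.append("body")
    for name in attachment_names:
        if ATTACHMENT_RE.match((name or "").strip()):
            reasons.append("attachment=" + name)
            break
    return len(reasons), reasons


def score_raw_message(raw):
    """Parse an RFC 5322 message (bytes) and score it with score_lure()."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    body_text = body.get_content() if body is not None else ""
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    return score_lure(msg["Subject"], body_text, names)


def is_netsky_s_lure(raw, threshold=2):
    """Two of the three features together identify the lure; the subject alone would
    also match ordinary replies about a 'Document 12'."""
    return score_raw_message(raw)[0] >= threshold


# Constructed sample message reproducing the lure described on the page (not a real capture).
SAMPLE_LURE = b"""From: sender@example.org
To: victim@example.net
Subject: Re: Document 8241
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Your document is attached.</p>
<p>No virus found<br>Powered by the new Norton OnlineScan<br>Get protected:</p>
</body></html>
--b1
Content-Type: application/octet-stream; name="Document8241.pif"
Content-Disposition: attachment; filename="Document8241.pif"
Content-Transfer-Encoding: base64

TVpNWg==
--b1--
"""

# Constructed benign message: same subject shape, harmless body and attachment.
SAMPLE_BENIGN = b"""From: colleague@example.org
To: victim@example.net
Subject: Re: Document 12
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Here is the revised version, see attached.
--b2
Content-Type: application/pdf; name="Document12.pdf"
Content-Disposition: attachment; filename="Document12.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b2--
"""

if __name__ == "__main__":
    print(score_raw_message(SAMPLE_LURE))    # (3, ['subject', 'body', 'attachment=Document8241.pif'])
    print(score_raw_message(SAMPLE_BENIGN))  # (1, ['subject'])
```

At a gateway the attachment check alone is usually the decisive one: a .pif attachment has no business in ordinary mail, and blocking that extension outright catches this lure and its siblings regardless of subject wording.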

Mailing
Search addresses:
It searches files with the following extensions for email addresses:
   • .xml; .wsh; .jsp; .msg; .oft; .sht; .dbx; .tbb; .adb; .dhtm; .cgi;
      .shtm; .uin; .rtf; .vbs; .doc; .wab; .asp; .php; .txt; .eml; .html;
      .htm; .pl

File details
Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Petre Galan on Friday, March 5, 2010
Description updated by Petre Galan on Friday, March 5, 2010
