Alias: W32.Netsky.AD@mm
Type: Worm
Size: 31.232 bytes
Origin: unknown
Date: 10-14-2004
Damage: Sent by email
VDF Version: 6.28.00.16
Danger: Low
Distribution: Medium
General Description
Affected Operating Systems:
Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP, Windows Server 2003
Distribution
Worm/NetSky.AD sends itself to email addresses it can find on the computer. The worm finds the email addresses in files with the following extensions:
.SCS
.adb
.asp
.dbx
.doc
.eml
.htm
.html
.oft
.php
.pl
.rtf
.sht
.tbb
.txt
.uin
.vbs
.wab
The email sent by the virus looks like this:
The body contains one of the following lines:
Policia SP
pq nao me liga??
preenche ai ta bom
promocao de viajens de fim de ano
Proposta de emprego!!
receitas de bolo!!
retorna logo isso!!
reza de sao tome!!!!.
sinto voce!!
sua conta bancaria zerada
Sua Conta!!
Surto :(
AMA!
te amo!
tudo sobre voce sabe
Vacina contra o HIV!!
ve ai logo ta
veja detalhes!!!.
veja o que tem no zip e me liga
voce passou :D!!!
Abra rapido isso!!!!
acrdito que em voce!!!
algo a mais
AmaVoce
amor me liga
arquivo zipado PGP???
Boleto Pague
campanhadafome
encontro voce!
estou doente veja!!!
falea verdade!!!
ferias nos E.U.A
ganhe muita grana
gostaria disso e voce???
grana
Hackers do Brasil
Lembra?
me diz o queacha?
me veja peladinha
Medical Labs Exames!!!
meu telefone liga
olha que isso!!!
parabens!
PizzaVeneza!
The attachment is one of the files below:
AIDS!
LINUSTOR
agua!
aqui
banco!
bingos!
lantrocidade
loterias
lulao!
missao
revista
sampa!!
botao
brasil!
carros!
circular
contas!!
criancas!
dinheiro!!
docs
email
festa!!
flipe
grana!!
grana
imposto
jogo!
sorteado!!
tetas
vaca
vadias!
vips!
voce
war3!
with the extensions: .bat, .com, .pif, .scr, .zip
If the attachment is a .ZIP archive, it contains a copy of the worm with a double extension (for example ".doc.scr"). The first extension is one of the following:
.doc
.htm
.rtf
.txt
and, for the second one:
.bat
.com
.pif
.scr
Technical Details
Worm/NetSky.AD is a mass mailer that uses its own SMTP engine to send itself to the email addresses it can find on the infected system.
When the worm is activated, it creates the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"MsnMsgr"="%WinDIR%\MsnMsgrs.exe -alev"
The worm deletes the registry entries listed below, if available:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Taskmon"=
"Explorer"=
"KasperskyAv"=
"system."=
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\
"InProcServer32"=
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Taskmon"=
"Explorer"=
When it is started, the worm displays the following text:
"File Corrupted replace this!!"
and copies itself as %WinDIR%\Msnmsger.exe. The worm creates ZIP archives in the Windows directory, with the following names:
AIDS!.zip
LINUSTOR.zip
agua!.zip
aqui.zip
banco!.zip
bingos!.zip
botao.zip
brasil!.zip
jogo!.zip
lantrocidade.zip
loterias.zip
lulao!.zip
missao.zip
revista.zip
sampa!!.zip
sorteado!!.zip
tetas.zip
carros!.zip
circular.zip
contas!!.zip
criancas!.zip
dinheiro!!.zip
docs.zip
email.zip
festa!!.zip
flipe.zip
grana!!.zip
grana.zip
imposto.zip
vaca.zip
vadias!.zip
vips!.zip
voce.zip
war3!.zip
The worm copies itself into all folders containing the string "share" or "sharing", on all drives, from C: to Z:, using the names:
aninha gatinha!.zip.scr
barrio.scr
cafe!!.zip.scr
Canaval2004!.jpg.pif
Carnaval em Salvador!!.zip.scr
aspa.scr
celulares!!.zip.scr
clica ai logo meu.scr
comoserrico!.zip.scr
importante!!!!!.zip.scr
minhavida!.zip.exe
MulataDandoOcujpg.scr
multas.pif
paula!.scr
puteiros!!.scr
receitas de bolo!!.zip.scr
rede globo tv!.zip.scr
ResidentEvil2.zip.scr
rocha.scr
raficoemSP!.scr
vadias peladas!!.scr
vida!!.zip.scr
VivaNaBaia!.scr
vota!.zip.scr
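The ZIP attachments described above hide the worm behind a double extension, so a mail filter has to look inside the archive rather than at the attachment name alone. The following is an added example, not part of the original description or of any vendor tool: a check that flags archive members whose last two extensions match the pairs listed above. The function names, the whitespace normalisation and the sample archive are assumptions made for illustration.

```python
import io
import zipfile

# Extension sets taken from the description above.
DECOY_EXTS = {".doc", ".htm", ".rtf", ".txt"}   # first (harmless-looking) extension
EXEC_EXTS = {".bat", ".com", ".pif", ".scr"}    # second (executable) extension


def is_double_extension(name):
    """True if the name ends in <decoy><executable>, e.g. 'report.doc.scr'."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    # Trailing dots/spaces are ignored by Windows; padding around each part
    # is stripped too. Both are defensive normalisation added here.
    parts = [p.strip() for p in base.rstrip(". ").split(".")]
    if len(parts) < 3:
        return False
    return "." + parts[-2] in DECOY_EXTS and "." + parts[-1] in EXEC_EXTS


def check_attachment(filename, data):
    """Return a list of findings for one mail attachment (empty list = clean)."""
    findings = []
    ext = "." + filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in EXEC_EXTS:
        findings.append(f"executable attachment: {filename}")
    elif ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if is_double_extension(member):
                        findings.append(f"double extension in archive: {member}")
        except zipfile.BadZipFile:
            # An archive the filter cannot read should not pass silently.
            findings.append(f"unreadable archive: {filename}")
    return findings


def make_sample_zip(member_names):
    """Build a constructed test archive in memory (placeholder contents only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in member_names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_zip(["readme.txt", "invoice.doc.scr", "notes.v2.txt"])
    for line in check_attachment("docs.zip", sample):
        print(line)
```

The check looks only at the last two extensions, so a legitimate multi-dot name such as "notes.v2.txt" is not flagged.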
Description inserted by Crony Walker on Tuesday, June 15, 2004