Nombre: Win32.Netsky.W@mm
Alias: WORM_NETSKY.W
Tipo: Ejecutable Mensajero Masivo Backdoor
Tamaño: 24 KB
Descubierto: 15.04.2004
Detectado: 15.04.2004
Propagación: Alta
Peligrosidad: Baja
In The Wild:
Síntomas:
File: VisualGuard.exe in the Windows directory
Registry key: HKEY\Software\Microsoft\Windows\CurrentVersion\Run\"NetDy" holding the file name above
Descripción técnica:
The worm comes by mail in the following form:
From: spoofed
Subject: is composed using the following words:
- here
- hi
- hello
- thanks!
- approved
- corrected
- patched
- improved
- important
- read it immediately
- your
- my
- approved
- important
- document
- file
- details
- information
- letter
- product
- website
- application
- screensaver
- bill
- word document
- excel document
- data
- message
- text
- document_all
Body text: one of the following:
- Your details.
- Your document.
- I have received your document. The corrected document is attached.
- I have attached your document.
- Your document is attached to this mail.
- Authentication required.
- Requested file.
- See the file.
- Please read the important document.
- Please confirm the document.
- Your file is attached.
- Please read the document.
- Your document is attached.
- Please read the attached file.
- Please see the attached file for details.
At the end of the body text, there may be three lines saying that the attachment contains no virus.
Attachment: has an executable extension (.pif, .exe or .scr) or .zip and a name from:
- document
- file
- details
- information
- letter
- product
- website
- application
- screensaver
- bill
- word document
- excel document
- data
- message
- text
- document_all
Attachment name may be followed by the recipient's email user name.
- The mail may also contain a GIF picture.
When ran, the worm copies itself in the Windows directory, with the file name:
%WINDIR%\VisualGuard.exe
and creates the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
with the value:
"NetDy" = "%WINDIR%\VisualGuard.exe"
It scans the hard-drives for e-mail addresses inside files with the following extensions:
- .pl
- .htm
- .html
- .eml
- .txt
- .php
- .asp
- .wab
- .doc
- .vbs
- .rtf
- .uin
- .shtm
- .cgi
- .dhtm
- .adb
- .tbb
- .dbx
- .sht
- .oft
- .msg
- .jsp
- .wsh
- .xml
and sends mail using its own SMTP engine.
The worm attempts to remove some variants of the Mydoom, Welchia and Beagle worms.
The following temporary files are used by the worm, they may be deleted:
- %WINDIR%\base64.tmp -- base64 encoding of the worm file
- %WINDIR%\zipped.tmp -- zipped worm file
- %WINDIR%\zip1-6.tmp -- base64 encodings of the zipped worm file |
Enviale un mensaje ...
