Worm/NetSky.Z - Worm

See also

Full description

Virus:	Worm/NetSky.Z
Date discovered:	21/04/2004
Type:	Worm
In the wild:	Yes
Reported Infections:	Medium
Distribution Potential:	Medium
Damage Potential:	Low
Static file:	Yes
File size:	22.016 Bytes
MD5 checksum:	2f4f05bb09b396579225615ab4121256
VDF version:	6.25.00.60

General Method of propagation:
   • Email

Alias:
   • Symantec: W32.Netsky.Z@mm
   • Mcafee: W32/Netsky.z@MM
   • Kaspersky: Email-Worm.Win32.NetSky.aa
   • TrendMicro: WORM_NETSKY.Z
   • F-Secure: W32/Netsky.Z@mm
   • Grisoft: I-Worm/Netsky.Z
   • VirusBuster: I-Worm.Netsky.Z
   • Bitdefender: Win32.Netsky.AA@mm

Platform / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Uses its own Email engine
   • Registry modification

Files It copies itself to the following location:
   • %WINDIR%\Jammer2nd.exe

It copies itself within an archive to the following location:
   • %WINDIR%\pk_zip_alg.log

The following files are created:

– MIME encoded copies of itself:
   • %WINDIR%\pk_zip1.log
   • %WINDIR%\pk_zip2.log
   • %WINDIR%\pk_zip3.log
   • %WINDIR%\pk_zip4.log
   • %WINDIR%\pk_zip5.log
   • %WINDIR%\pk_zip6.log
   • %WINDIR%\pk_zip7.log
   • %WINDIR%\pk_zip8.log

Registry The following registry key is added in order to run the process after reboot:

– [HKLM\software\microsoft\windows\currentversion\run]
• "Jammer2nd"="%WINDIR%\Jammer2nd.exe"

Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:

From:
The sender address is spoofed.

To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)
– The following email address:
   • jamainlbbbsdef@yahoo.com

Subject:
One of the following:
   • Document
   • Hello
   • Hi
   • Important
   • Information

Body:
The body of the email is one of the lines:
   • Important informations!
   • Important textfile!
   • Important!
   • Important data!
   • Important bill!
   • Important document!
   • Important notice!
   • Important details!
   • Information

Attachment:
The filename of the attachment is one of the following:
   • Informations.zip
   • Textfile.zip
   • Part-2.zip
   • Data.zip
   • Bill.zip
   • Important.zip
   • Notice.zip
   • Details.zip

Mailing Search addresses:
It searches the following files for email addresses:
   • .ppt; .xml; .wsh; .jsp; .msg; .oft; .sht; .nch; .mmf; .mht; .dbx;
      .tbb; .adb; .xls; .stm; .ods; .dhtm; .cgi; .shtm; .uin; .rtf; .vbs;
      .php; .txt; .eml; .doc; .wab; .asp; .html; .htm; .pl; .mdx; .cfg

Resolving server names:
If the request using the standard DNS fails it continues with the following
It has the ability to contact the following DNS servers:
   • 212.44.160.8; 195.185.185.195; 151.189.13.35; 213.191.74.19;
      193.189.244.205; 145.253.2.171; 193.141.40.42; 194.25.2.134;
      194.25.2.133; 194.25.2.132; 194.25.2.131; 193.193.158.10;
      212.7.128.165; 212.7.128.162; 193.193.144.12; 217.5.97.137;
      195.20.224.234; 194.25.2.130; 194.25.2.129; 212.185.252.136;
      212.185.253.70; 212.185.252.73

Backdoor The following port is opened:

– %executed file% on a random TCP port 665 in order to provide backdoor capabilities.

DoS On 02/05/2004 until 05/05/2004 it performs DoS attacks against the following destinations:
   • www.nibis.de
   • www.medinfo.ufl.edu
   • www.educa.ch

Miscellaneous Mutex:
It creates the following Mutex:
• (S)(k)(y)(N)(e)(t)

String:
Furthermore it contains the following string:
• :::::::::::They never learn it!:::::::::::

File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• AS Pack 1.0

See a brief description here.

Inserted by Victor Tone on Thu, 01 Sep 2005 15:53 (GMT+1)
Updated by Victor Tone on Fri, 02 Sep 2005 11:18 (GMT+1)

« Back

Worm/NetSky.Z - Worm

Latest News