Win32/NetSky.Z is an internet worm that spreads via e-mail. Its executable file is encrypted and is 22016 bytes in size.
Note: in the following section, the symbolic name %windir% is used in place of the name of the Windows system directory, which can differ from version to version.
The subject of the e-mail sent by Win32/NetSky.W is chosen randomly from the following list:
There is a short message in the body of the e-mail. It is one of the following:
There is a single file attached to the message. It is a ZIP archive. Its name is picked from these alternatives:
The archive contains an executable file with Win32/NetSky.Z. Its name is one of the following:
The file has two extensions. The first is "txt" with many spaces. The real extension is "exe". Because of the length of this name, the other extension is not necessarily displayed. The file has a "Notepad" icon, so it seems to be a text document.
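The padded double-extension trick described above can be checked at a mail gateway by reading the ZIP member names without extracting anything. The following is an added example, not code from the original entry; the extension set, the padding threshold, the function names and the sample file names are all assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Extensions treated as executable; this set is an assumption for the example.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
# Minimum whitespace run between decoy and real extension (assumed threshold).
MIN_PADDING = 5

# ".<decoy>" + long whitespace run + ".<real>" at the very end of the name.
PADDED_DOUBLE_EXT = re.compile(
    r"\.(?P<decoy>[A-Za-z0-9]{1,5})(?P<pad>\s{" + str(MIN_PADDING) + r",})"
    r"\.(?P<real>[A-Za-z0-9]{1,5})\s*$"
)

def classify_name(name):
    """Return (decoy, real, pad_len) if the name hides an executable extension."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    m = PADDED_DOUBLE_EXT.search(base)
    if not m or m.group("real").lower() not in EXECUTABLE_EXTS:
        return None
    return m.group("decoy").lower(), m.group("real").lower(), len(m.group("pad"))

def scan_zip(data):
    """List suspicious member names of a ZIP given as bytes; nothing is extracted."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                hit = classify_name(info.filename)
                if hit:
                    findings.append((info.filename, *hit))
    except zipfile.BadZipFile:
        # A malformed archive cannot be inspected, so flag it for review.
        findings.append(("<unreadable archive>", None, None, None))
    return findings

def build_sample(names):
    """Constructed test input: a ZIP whose members hold harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    padded = "report.txt" + " " * 60 + ".exe"  # constructed name, not from the worm
    for finding in scan_zip(build_sample([padded, "notes.txt", "setup.exe"])):
        print(finding)
```

A plain `setup.exe` is deliberately not reported here, because the check targets only the disguise; blocking executables inside archives outright is a separate policy decision.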
In order to be executed automatically when the operating system starts, the worm creates an entry called "Jammer2nd" in the following key of the system Registry:
The entry contains a path to the file with the worm.
Upon execution, the worm creates a mutex object called '(S)(k)(y)(N)(e)(t)' to ensure that only one instance of the program is running.
Win32/NetSky.Z copies itself into %windir% as "Jammer2nd.exe".
The worm also drops some files in the Windows directory:
These files are used to compose the e-mail message.
E-mail addresses for further spreading of the worm are extracted from files on local hard drives. Win32/NetSky.Z looks into files with the following extensions:
The worm contains a backdoor. It waits for a connection on TCP port number 665. Any data received is stored in an executable file with a random name. This file is then executed.
If the system date is between May 2 and May 5 2004, the worm performs a Denial of Service attack against these servers:
Win32/NetSky.Z contains this text:
:::::::::::They never learn it!:::::::::::
Win32/NetSky.Z is one of a long series of worms that NOD32 detects using its unique "Advanced Heuristics", which means that all NOD32 users have been protected against this worm from the time it was released in the wild. Sample-based detection of Win32/NetSky.Z has been included since version 1.730.
1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.