Virus Name: W32.Netsky.P@mm
Aliases: Win32.Netsky.P, ZIP.Netsky.P, W32/Netsky.P@mm, W32/Netsky.p@MM, Win32/Netsky.P.Worm, I-Worm.Netsky.q, Win32.Netsky.P!unpacked, Win32.Netsky.P!corrupt
Netsky is a mass-mailing worm that spreads via e-mail and file sharing. It arrives as a Windows executable file, drops a DLL file, and creates D'r'o'p'p'e'd'S'k'y'N'e't so that only one copy of it runs at a time. It then copies itself to %Windows%\FVProtect.exe and writes itself to %Windows%\userconfig9x.dll. It creates a registry entry to run FVProtect.exe on restart and creates additional files as well.

Netsky spreads via e-mail using its own SMTP engine. For the "from" field it uses either an e-mail address chosen at random from the infected machine or lola@sexnet.com. It also randomly selects the subject line, body text, and attachment name to make itself harder to detect. Although the attachment is an executable file, it carries a double extension: .txt or .doc first, then .pif, .exe, or .scr. Alternatively, it arrives as a .zip attachment whose contained file is named document.txt, data.rtf, or details.txt followed by .pif, .exe, or .scr.

Once a machine is infected, Netsky searches all drives except CD-ROMs for files that might contain e-mail addresses and then sends out copies of itself. However, it does not send itself to e-mail addresses that appear to belong to anti-virus companies or to Microsoft. If Netsky finds common file-sharing folders, it copies the worm there too, under popular-sounding names to encourage downloading. Finally, it deletes some registry keys.
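
An added example (not part of the original entry) of how a mail gateway could flag the attachment naming described above: a document extension followed by .pif, .exe, or .scr, either on the attachment itself or on a file inside a .zip. The function names, the sample attachment names, and the tolerance for whitespace between the two extensions are assumptions.

```python
import io
import re
import zipfile

# Decoy document extension followed by an executable one, per the description above.
# Whitespace between the two extensions is tolerated (an assumption, not stated on the page).
DOUBLE_EXT = re.compile(r"\.(txt|doc|rtf)\s*\.(pif|exe|scr)$", re.IGNORECASE)

def is_double_extension(name: str) -> bool:
    """True when the name ends in <document ext>.<executable ext>."""
    return bool(DOUBLE_EXT.search(name.strip()))

def scan_attachment(filename: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing matched."""
    findings = []
    if is_double_extension(filename):
        findings.append(f"double extension: {filename}")
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        try:
            with zipfile.ZipFile(buf) as zf:
                # Only member names are read; nothing is extracted to disk.
                for member in zf.namelist():
                    if is_double_extension(member):
                        findings.append(f"double extension inside zip: {member}")
        except zipfile.BadZipFile:
            findings.append(f"unreadable zip: {filename}")
    return findings

def make_zip(member_name: str) -> bytes:
    """Build a constructed, harmless in-memory zip with one text member."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr(member_name, "constructed sample content")
    return out.getvalue()

if __name__ == "__main__":
    samples = [  # constructed sample attachments
        ("report.doc.scr", b"MZ"),
        ("archive.zip", make_zip("details.txt.exe")),
        ("notes.txt", b"plain text"),
        ("photos.zip", make_zip("holiday.jpg")),
    ]
    for name, blob in samples:
        print(name, "->", scan_attachment(name, blob) or "clean")
```

Because the worm randomizes the subject, body, and attachment name, the extension pattern is the stable feature to match on; the outer .zip name itself carries no signal.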
Copyright (c) 2005, 2008 A. Ryan Robbins. All Rights Reserved.