Win32/NetSky.Z


Win32/NetSky.Z is an internet worm that spreads via e-mail. Its executable file is encrypted and is 22016 bytes in size.

Note: in the following section, the symbolic name %windir% is used instead of the name of the Windows system directory (which can differ from version to version).

The subject of the e-mail sent by Win32/NetSky.Z is chosen randomly from the following list:

Important
Information
Hello
Hi
Document

There is a short message in the body of the e-mail. It is one of the following:

Important informations!
Important textfile!
Important!
Important data!
Important bill!
Important document!
Important notice!
Important details!

There is a single file attached to the message. It is a ZIP archive. Its name is picked from these alternatives:

Informations.zip
Textfile.zip
Part-2.zip
Data.zip
Bill.zip
Important.zip
Notice.zip
Details.zip

The archive contains an executable file with Win32/NetSky.Z. Its name is one of the following:

Informations.txt .exe
Textfile.txt .exe
Part-2.txt .exe
Data.txt .exe
Bill.txt .exe
Important.txt .exe
Notice.txt .exe
Details.txt .exe

The file has two extensions: the first is "txt", followed by many spaces; the real extension is "exe". Because of the length of this name, the second extension is not necessarily displayed. The file has a "Notepad" icon, so it appears to be a text document.
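The decoy-extension trick described above can be caught before a user ever sees the attachment name. The following Python function is an added example (not code from the original entry or from ESET) that generalizes the check: it splits a filename at its final dot, which is what Windows treats as the real extension, and then looks for a document-like extension padded with whitespace immediately before it. The extension lists are assumptions chosen for this example.

```python
import re

# Extensions Windows will execute directly (assumed list for this example)
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "wsh"}

# Extensions a user reads as a harmless document (assumed list for this example)
DOCUMENT_EXTENSIONS = {"txt", "doc", "pdf", "rtf", "xls", "htm", "html"}

# A document-like extension, optionally followed by whitespace, at the end of the
# part of the name that precedes the real extension
DECOY_RE = re.compile(r"\.([A-Za-z0-9]+)(\s*)$")


def analyze_attachment_name(name: str) -> dict:
    """Inspect a filename for a decoy extension hiding an executable one.

    Returns a dict with:
      real_ext   - the extension Windows actually uses (text after the last dot)
      decoy_ext  - a document-like extension found just before it, or None
      padding    - number of whitespace characters between decoy and real extension
      suspicious - True when a document-like decoy precedes an executable extension
    """
    head, sep, real_ext = name.rpartition(".")
    real_ext = real_ext.strip().lower()
    if not sep:
        # No dot at all: nothing to disguise
        return {"real_ext": None, "decoy_ext": None, "padding": 0, "suspicious": False}

    m = DECOY_RE.search(head)
    decoy_ext = m.group(1).lower() if m else None
    padding = len(m.group(2)) if m else 0
    suspicious = real_ext in EXECUTABLE_EXTENSIONS and decoy_ext in DOCUMENT_EXTENSIONS
    return {
        "real_ext": real_ext,
        "decoy_ext": decoy_ext,
        "padding": padding,
        "suspicious": suspicious,
    }


def is_disguised_executable(name: str) -> bool:
    """Convenience wrapper returning only the verdict."""
    return analyze_attachment_name(name)["suspicious"]


if __name__ == "__main__":
    # Constructed sample names: the first mimics the worm's attachment naming
    for sample in ["Informations.txt" + " " * 40 + ".exe", "notes.txt.exe", "report.txt", "setup.exe"]:
        print(repr(sample), analyze_attachment_name(sample))
```

Because the check keys on the final dot rather than on what a file manager displays, it is unaffected by how many spaces the attacker inserts, and the `padding` count is itself a useful signal: a legitimate filename almost never contains a run of spaces directly before its extension.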

In order to be executed automatically when the operating system starts, the worm creates an entry called "Jammer2nd" in the following key of the system Registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The entry contains the path to the worm's file.

Upon execution, the worm creates a mutex object called '(S)(k)(y)(N)(e)(t)' to ensure that only one instance of the program is running.
Win32/NetSky.Z copies itself into %windir% as "Jammer2nd.exe".

The worm also drops the following files in the Windows directory:

pk_zip_alg.log
pk_zip1.log
pk_zip2.log
pk_zip3.log
pk_zip4.log
pk_zip5.log
pk_zip6.log
pk_zip7.log
pk_zip8.log

These files are used to compose the e-mail message.

E-mail addresses for further spreading of the worm are extracted from files on local hard drives. Win32/NetSky.Z looks into files with the following extensions:

.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xls
.xml

The worm contains a backdoor. It listens for connections on TCP port 665. Any data received is stored in an executable file with a random name, which is then executed.

If the system date is between May 2 and May 5, 2004, the worm performs a Denial of Service attack against these servers:

www.nibis.de
www.medinfo.ufl.edu
www.educa.ch

Win32/NetSky.Z contains this text:

:::::::::::They never learn it!:::::::::::

Win32/NetSky.Z is one of a long series of worms that NOD32 detects using its unique "Advanced Heuristics", which means that all NOD32 users were protected against this worm from the time it was released in the wild. Sample-based detection of Win32/NetSky.Z was added in version 1.730.
