W32/Netsky-AD

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports
Protection available since: 20 Aug 2009 17:51:24 (GMT)
Last Updated: 20 Aug 2009 17:51:24 (GMT)


W32/Netsky-AD is a worm that spreads by email and Windows network shares.

When run, the worm copies itself to the Windows folder as MsnMsgrs.exe (note
the trailing 's', which distinguishes it from the legitimate MSN Messenger
binary msnmsgr.exe) and creates the following registry entry so that it is
started automatically on each reboot:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MsnMsgr = %WINDOWS%\MsnMsgrs.exe -alev

W32/Netsky-AD searches all mapped drives for files with the following
extensions in order to harvest email addresses:

SCS, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS,
HTML, HTM, PL, PHP, TXT and EML

The worm will also attempt to copy itself to folders on local drives whose
names contain the word 'share' or 'sharing', using the following filenames:

vota!.zip.scr
aninha gatinha!.zip.scr
importante!!!!!.zip.scr
minhavida!.zip.exe
comoserrico!.zip.scr
vida!!.zip.scr
receitas de bolo!!.zip.scr
celulares!!.zip.scr
clica ai logo meu.scr
rede globo tv!.zip.scr
rocha.scr
paula!.scr
Carnaval em Salvador!!.zip.scr
vadias peladas!!.scr
cafe!!.zip.scr
traficoemSP!.scr
MulataDandoOcujpg.scr
multas.pif
caspa.scr
barrio.scr
ResidentEvil2.zip.scr
puteiros!!.scr
Canaval2004!.jpg.pif
VivaNaBaia!.scr
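The two host indicators above (the Run key value and the lure files dropped into share folders) can be checked with the following Python. This is an added example, not Sophos code or tooling. It assumes the Run key has already been read by the caller (the function takes the value name and data as strings, so it works on exported registry text or a remote query as well as on the live host) and that the share-folder search is pointed at a path the caller supplies; the directory tree it builds is constructed only for the demonstration.

```python
import os
import re
import tempfile

# Indicators taken from the description above; this is an illustrative checker,
# not Sophos code. Reading the registry is left to the caller so that the
# matching logic itself runs anywhere.
RUN_VALUE_NAME = "MsnMsgr"

# Matches '<path>\MsnMsgrs.exe -alev', quoted or not. Note the trailing "s" in
# the filename: the legitimate Messenger client binary is msnmsgr.exe.
RUN_DATA_RE = re.compile(r'^"?(?:[^"]*\\)?msnmsgrs\.exe"?\s+-alev\s*$', re.IGNORECASE)

# Filenames the worm uses when copying itself into share folders (lowercased).
LURE_FILENAMES = {
    "vota!.zip.scr", "aninha gatinha!.zip.scr", "importante!!!!!.zip.scr",
    "minhavida!.zip.exe", "comoserrico!.zip.scr", "vida!!.zip.scr",
    "receitas de bolo!!.zip.scr", "celulares!!.zip.scr", "clica ai logo meu.scr",
    "rede globo tv!.zip.scr", "rocha.scr", "paula!.scr",
    "carnaval em salvador!!.zip.scr", "vadias peladas!!.scr", "cafe!!.zip.scr",
    "traficoemsp!.scr", "mulatadandoocujpg.scr", "multas.pif", "caspa.scr",
    "barrio.scr", "residentevil2.zip.scr", "puteiros!!.scr",
    "canaval2004!.jpg.pif", "vivanabaia!.scr",
}

# "sharing" does not contain the substring "share", so both words are checked.
SHARE_WORDS = ("share", "sharing")


def check_run_value(value_name, value_data):
    """True if a Run-key (name, data) pair matches the worm's autostart entry."""
    return (value_name.lower() == RUN_VALUE_NAME.lower()
            and RUN_DATA_RE.match(value_data.strip()) is not None)


def find_lure_files(root):
    """Walk root; return sorted, forward-slash paths (relative to root) of files
    whose names are on the lure list and whose parent folder name contains
    'share' or 'sharing'. Only names are inspected, never file contents."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        folder = os.path.basename(dirpath).lower()
        if not any(word in folder for word in SHARE_WORDS):
            continue
        for name in filenames:
            if name.lower() in LURE_FILENAMES:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample data: a temp tree with two share folders and one that
    is not. File contents are placeholders; only names and folders matter."""
    root = tempfile.mkdtemp(prefix="netsky_ad_demo_")
    layout = {
        "Shared Docs": ["vota!.zip.scr", "report.docx"],
        "sharing": ["Rocha.scr"],          # mixed case still matches
        "Photos": ["rocha.scr"],           # lure name, but not a share folder
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"placeholder")
    return root


if __name__ == "__main__":
    print(check_run_value("MsnMsgr", r"C:\WINDOWS\MsnMsgrs.exe -alev"))  # True
    print(find_lure_files(build_sample_tree()))
```

The regex deliberately requires both the MsnMsgrs.exe filename and the -alev argument given above; a Run value pointing at the genuine msnmsgr.exe, or at MsnMsgrs.exe without the argument, is not reported, which keeps the check specific rather than merely name-based.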

W32/Netsky-AD may arrive in an email with the following characteristics:

Subject line: (randomly chosen from)

:)
morto
Sua saude esta bem?
pescaria por kilo
massas!
impressao!!
robos!
diga
agradou

Message text: (randomly chosen from)

me veja peladinha
gostaria disso e voce???
algo a mais
falea verdade!!!
ganhe muita grana
campanhadafome
pq nao me liga??
sinto voce!!
grana
Lembra?
amor me liga
Hackers do Brasil
Medical Labs Exames!!!
meu telefone liga
ferias nos E.U.A
Surto :(
Vacina contra o HIV!!
sua conta bancaria zerada
olha que isso!!!
parabens!
te amo!
Policia SP
Sua Conta!!
Boleto Pague
veja o que tem no zip e me liga
receitas de bolo!!
acrdito que em voce!!!
promocao de viajens de fim de ano
tudo sobre voce sabe
Proposta de emprego!!
estou doente veja!!!
me diz o queacha?
retorna logo isso!!
arquivo zipado PGP???
voce passou :D!!!
ve ai logo ta
AMA!
AmaVoce
Abra rapido isso!!!!
reza de sao tome!!!!.
veja detalhes!!!.
encontro voce!
preenche ai ta bom
PizzaVeneza!


Attached file: one of the following randomly chosen names, with a double file extension:

AninhaPutinha +55operado6992292246
vaca
tetas
war3!
AIDS!
grana
banco!
revista
lulao!
imposto
jogo!
loterias
vips!
missao
vadias!
email
flipe
botao
sampa!!
contas!!
zerado
:(
criancas!
brasil!
lantrocidade
aqui
docs
festa!!
LINUSTOR
bingos!
agua!
:D
sorteado!!
grana!!
dinheiro!!
carros!
voce
:-)
???
circular


The double extension is built from two of TXT, DOC, RTF, HTM, PIF, COM, SCR and BAT (for example .txt.scr).

When the attachment is an archive, the file inside it has the same name but a
different, usually double, executable file extension (e.g. .doc.exe).

When the file is extracted and run, the worm displays a message box reading
"File Corrupted replace this!!".
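The attachment naming rules above, as an added example that is not Sophos code: a classifier for the document-plus-executable double extension, a lookup of the listed base names, and a scan of zip attachments for a member that repeats the outer base name with an executable extension. The function names and the sample archive are my own; the archive is constructed in memory with placeholder bytes, so nothing malicious is handled or executed.

```python
import io
import zipfile

# Added example, not Sophos code. Extension sets follow the description above;
# "exe" is included because the archived form is described as e.g. doc.exe.
DOCUMENT_EXTS = {"txt", "doc", "rtf", "htm"}
EXECUTABLE_EXTS = {"pif", "com", "scr", "bat", "exe"}
ARCHIVE_EXTS = {"zip"}

# Attachment base names from the description (lowercased).
ATTACHMENT_STEMS = {
    "aninhaputinha +55operado6992292246", "vaca", "tetas", "war3!", "aids!",
    "grana", "banco!", "revista", "lulao!", "imposto", "jogo!", "loterias", "vips!",
    "missao", "vadias!", "email", "flipe", "botao", "sampa!!", "contas!!", "zerado",
    ":(", "criancas!", "brasil!", "lantrocidade", "aqui", "docs", "festa!!",
    "linustor", "bingos!", "agua!", ":d", "sorteado!!", "grana!!", "dinheiro!!",
    "carros!", "voce", ":-)", "???", "circular",
}


def split_name(filename):
    """'grana.doc.scr' -> ('grana', ['doc', 'scr']); extensions are lowercased."""
    parts = filename.split(".")
    return parts[0], [p.lower() for p in parts[1:]]


def classify_attachment(filename):
    """Label a filename by its trailing extensions:
    'double-extension-executable' -> <document ext>.<executable ext>, the worm's pattern
    'executable'                  -> a bare executable extension
    'archive'                     -> .zip, whose members should be scanned in turn
    'other'                       -> anything else
    """
    _stem, exts = split_name(filename)
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS:
        return "double-extension-executable"
    if exts and exts[-1] in EXECUTABLE_EXTS:
        return "executable"
    if exts and exts[-1] in ARCHIVE_EXTS:
        return "archive"
    return "other"


def known_lure_name(filename):
    """True if the base name (before the first dot) is one of the listed names."""
    stem, _exts = split_name(filename)
    return stem.lower() in ATTACHMENT_STEMS


def scan_zip_bytes(data):
    """Return [(member name, classification)] for every file in a zip held in
    memory. Only the central directory is read; nothing is extracted."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                results.append((info.filename, classify_attachment(info.filename)))
    return results


def triage_attachment(filename, data=None):
    """Combine the checks for one attachment. For archives, also list members
    that repeat the outer base name with an executable extension, which is the
    archive behaviour described above."""
    stem, _exts = split_name(filename)
    verdict = {
        "name": filename,
        "classification": classify_attachment(filename),
        "known_lure_name": known_lure_name(filename),
        "suspicious_members": [],
    }
    if verdict["classification"] == "archive" and data is not None:
        for member, label in scan_zip_bytes(data):
            mstem, _ = split_name(member)
            if label != "other" and mstem.lower() == stem.lower():
                verdict["suspicious_members"].append(member)
    return verdict


def build_sample_zip():
    """Constructed sample: an archive holding a double-extension executable next
    to a harmless-looking text file. Member bytes are placeholders, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("grana.doc.exe", b"placeholder")
        zf.writestr("readme.txt", b"placeholder")
    return buf.getvalue()
```

A mail gateway rule built on this would quarantine on the double-extension classification alone, since that pattern has no legitimate use; the base-name lookup is only a secondary signal, because the list is specific to this variant and a renamed sample would miss it.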
