W32/Netsky-R

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports
Protection available since: 17 Jun 2009 19:27:13 (GMT)
Last Updated: 17 Jun 2009 19:27:13 (GMT)


W32/Netsky-R is a mass mailing worm which spreads by emailing itself to
addresses harvested from files on local drives.

The worm copies itself to the Windows folder as pandaavengine.exe, as well as
dropping a DLL file to the Windows folder as temp09094283.dll. The worm then
sets the following registry entry so as to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PandaAVEngine

The worm tries to delete the following registry entries:

HKR\CLSID\(E6FB5E20-DE35-11CF-9C87-00AA005127ED)\InProcServer32
HKR\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKR\System\CurrentControlSet\Services\WksPatch

The worm also attempts to delete a number of other registry entries. Some of the
deleted registry entries are related to the W32/Bagle family of worms.

W32/Netsky-R harvests email addresses from files with the following extensions:

EML, TXT, PHP, ASP, WAB, DOC, SHT, OFT, MSG, VBS,
RTF, UIN, SHTM, CGI, DHTM, ADB, TBB, DBX, PL, HTM,
HTML, JSP, WSH, XML, CFG, MBX, MDX, MHT, NMF, NCH,
ODS, STM, XLS, PPT

W32/Netsky-R also adds the email address jena@yahoo.cz to the list of addresses
it harvests.

W32/Netsky-R drops the file uinmzertinmds.opm to the Windows folder. This file is
a Base64-encoded copy of the worm itself.

The email has the following characteristics:

Subject line:

Re: Document<random number>

Message text:

Excuse me,
the important document is attached,
Yours sincerely

Attached file (PIF extension):

Document<random number>
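A mail-gateway check for the message characteristics listed above (subject "Re: Document<number>", PIF attachment "Document<number>", and the fixed body text), added here as an example; it is not Sophos's detection logic, and the two sample messages are constructed for the test rather than captured from real traffic.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Traits of the W32/Netsky-R email as described in the analysis above.
SUBJECT_RE = re.compile(r"^Re: Document\d+$")
ATTACH_RE = re.compile(r"^Document\d+\.pif$", re.IGNORECASE)
BODY_PHRASE = "the important document is attached"


def netsky_r_indicators(raw_message: bytes) -> dict:
    """Report which Netsky-R email traits a raw RFC 822 message shows."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    hits = {"subject": bool(SUBJECT_RE.match(subject)),
            "pif_attachment": False, "body_text": False}
    for part in msg.walk():
        filename = part.get_filename()
        if filename and ATTACH_RE.match(filename):
            hits["pif_attachment"] = True
        # The worm's body is a plain-text part without a filename.
        if part.get_content_type() == "text/plain" and not filename:
            if BODY_PHRASE in part.get_content().lower():
                hits["body_text"] = True
    return hits


def looks_like_netsky_r(raw_message: bytes) -> bool:
    """Flag only when subject pattern and PIF attachment both match, to limit false positives."""
    hits = netsky_r_indicators(raw_message)
    return hits["subject"] and hits["pif_attachment"]


def build_sample(subject: str, attach_name: str, body: str) -> bytes:
    """Build a constructed test message (hypothetical addresses, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ-placeholder", maintype="application",
                       subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()


SAMPLE_WORM = build_sample("Re: Document1234", "Document1234.pif",
                           "Excuse me,\nthe important document is attached,\nYours sincerely\n")
SAMPLE_BENIGN = build_sample("Re: Document review", "report.pdf",
                             "Hi,\nthe quarterly report is attached.\n")
```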

W32/Netsky-R will attempt to launch a denial-of-service attack on the following
websites between 12 and 16 April 2004:

www.keygen.us
www.cracks.am
www.emule-project.net
www.emule.de
www.kazaa.com

W32/Netsky-R contains the following encrypted message:

"Yes, true, you have understand it.
Bagle is a shitty guy, he opens a backdoor
and he makes a lot of money. Netsky not, Netsky
is Skynet, a good software, Good guys behind it.
Believe me, or not.
We will release thousands of our
Skynet versions, as long as bagle is there and the
people...


Thanks to Bruce Schneider.
And to all people in cz and russia.


Best regards - We are the only SkyNet."
