W32/Netsky-S

Category: Viruses and Spyware
Type: Win32 worm
Protection available since: 17 Jun 2009 19:27:13 (GMT)
Last Updated: 17 Jun 2009 19:27:13 (GMT)
Prevalence: Small Number of Reports


W32/Netsky-S is a mass mailing worm with a backdoor component.
The worm copies itself to the Windows folder using the name
EasyAV.exe, creates a file called uinmzertinmds.opm (a base64
encoded form of the worm) and sets the following registry entry
to auto start on user login:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EasyAV =
<WindowsFolder>\EasyAV.exe

W32/Netsky-S has a backdoor component listening for connections
on TCP port 6789 allowing an unauthorized program to download and
execute arbitrary code on the infected computer.

The worm harvests email addresses from files on the local
drives with the following extensions:

SHT, ADB, TBB, WAB, DBX, OFT, DOC, MSG

Generated emails typically have the following form:

Subject lines:

Hi
Hello
Re: Hi
Re: Hello
Approved
Re: Approved
Thank you!
Re: Thanks you!
Request
Re: Request
Your document
Re: Your document
Your details
Re: Your details
Your information
Re: Your information
My details
Important
Re: Important

<headings>

"Hi!"
"Hello!"
Message texts:

Please read the <attached_filename>.
Please have a look at the <attached_filename>.
Here is the <attached_filename>.
The <attached_filename> is attached.
Please see the <attached_filename>.
I have sent the <attached_filename>.
The requested <attached_filename> is attached!
Here is the document.
See the document for details.
Please have a look at the attached document.
Please read the attached document.
Your file is attached to this mail.
Please, <attached_filename>.
Your <attached_filename> is attached.
My <attached_filename> is attached.
I have found the <attached_filename>.
Approved, here is the document.
For more information see the attached document.
For more details see the attached document.
Please read quickly.
Please notice the attached document.
Please notice the attached <attached_filename>.
Your <attached_filename>.
I have spent much time for your document.
I have spent much time for the <attached_filename>.
The <attached_filename>.
My <attached_filename>.
Note that I have attached your document.

The message text ends with one of the following:

Thanks
Thank you
Yours sincerely
<attached_file_header>

+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new Panda OnlineAntiVirus
+++ Website: www.pandasoftware.com

+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new MCAfee OnlineAntiVirus
+++ Homepage: www.mcafee.com

+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new F-Secure OnlineAntiVirus'
+++ Visit us: www.f-secure.com

Attached file:

approved_file
list
corrected_document
archive
abuse_list
presentation_document
instructions
details
improved_document
note
message
contact_list
number_list
file
secound_document
improved_file
user_list
textfile
new_document
text
information
info
word_document
excel_document
powerpoint_document
detailed_document
homepage
letter
mail
document
old_document
approved_document
movie_document
picture_document
summary
description
requested_document
notice
bill
answer
release
final version
diggest
important_document
order
photo_document
personal_message
phone_number
e-mail
icq number
report
story
concept
developement
sample
postcard
account

Note that a random digit is appended to the attached filename, which
has a PIF extension.

Between 14 and 23 April 2004 the worm will continuously request web
pages from the following sites:

www.cracks.am
www.emule.de
www.kazaa.com
www.freemule.net
www.keygen.us
