Summary of W32/Netsky.B@mm
18 Feb 2004
This is a mass mailer that uses its own mail engine; it attempts to improve spreading by copying itself to directories called "Share" or "Sharing". The attachments can be zip files or have double extensions.
When executed, it first checks whether it is already resident in memory; if it is, the worm terminates. Otherwise it displays a dialog box (see below).
After the user closes that dialog box, the worm creates a copy of itself in the Windows directory named services.exe. It registers itself so that it is executed on every startup; it achieves this by adding a value called service in the following key.
It also attempts to disable certain software by removing the following values from the registry.
To create forged e-mails, it harvests e-mail addresses from files with the following extensions; it sends itself to the addresses it finds and also uses them to spoof the sender address.
.msg .oft .sht .dbx .tbb .adb .doc .wab .asp .uin .rtf .vbs .html .htm .pl .php .txt .eml
The message in the mail body is selected at random from the strings below.
something is fool
something is going wrong
you are bad you try to steal
you feel the same
you earn money
take it easy
here, the cheats
here, the introduction
here, the serials
from the chatter
information about you
something is going wrong!
stuff about you?
here it is
that is bad
i found this document about you your name is wrong
i hope it is not true!
kill the writer of this document!
something about you!
I have your password!
you are a bad writer
is that from you?
i wait for a reply!
is that your account?
is that your name?
is that true?
read it immediately!
here is the document.
read the details.
ok what does it mean?
The subject can be one of the following words/sentences:
something for you
read it immediately
The attachment name is selected from the list below. At random it uses a double extension, for example ranking.doc.pif. The attachment can also be a zip archive.
The worm tries to improve its spreading by copying itself to every directory called "Share" and "Sharing". It goes through drives A to Z on the local machine and searches for those directories. If found, it copies itself into those directories using the following file names.
photoshop 9 crack.exe
eminem - lick my pussy.mp3.pif
max payne 2.crack.exe
how to hack.doc.exe
sex sex sex sex.doc.exe
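As an added example (not F-Prot's code), the checks below turn the file-name and directory indicators from the two passages above, double-extension attachment names and the listed drop names in "Share"/"Sharing" directories, together with the services.exe copy in the Windows directory, into a small Python scanner over Windows paths. The executable extensions beyond .exe/.pif, the Windows directory names and the sample paths are assumptions.

```python
from pathlib import PureWindowsPath

# Names the worm writes into directories called "Share"/"Sharing" (from the description).
SHARE_DROP_NAMES = {
    "photoshop 9 crack.exe",
    "eminem - lick my pussy.mp3.pif",
    "max payne 2.crack.exe",
    "how to hack.doc.exe",
    "sex sex sex sex.doc.exe",
}
SHARE_DIR_NAMES = {"share", "sharing"}
# Outer extensions that execute on Windows. The description names .exe and .pif;
# .scr and .com are added as an assumption from general knowledge.
EXEC_EXTS = {"exe", "pif", "scr", "com"}
# Assumed names of "the windows directory". The worm's services.exe sits directly in
# it, whereas the legitimate services.exe lives in System32, so the parent decides.
WINDOWS_DIR_NAMES = {"windows", "winnt"}

def is_double_extension(filename):
    """True for names like 'ranking.doc.pif': harmless inner extension, executable outer one."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, inner, outer = parts
    return outer in EXEC_EXTS and inner not in EXEC_EXTS and inner.isalnum()

def classify_path(path):
    """Return the indicators from the description that a Windows path matches."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), p.parent.name.lower()
    hits = []
    if parent in WINDOWS_DIR_NAMES and name == "services.exe":
        hits.append("services.exe dropped in windows directory")
    if parent in SHARE_DIR_NAMES and name in SHARE_DROP_NAMES:
        hits.append("known drop name in Share/Sharing directory")
    if is_double_extension(name):
        hits.append("double extension")
    return hits

def scan_paths(paths):
    """Map each suspicious path to its indicators; paths with no hits are omitted."""
    return {p: h for p in paths if (h := classify_path(p))}

if __name__ == "__main__":
    # Constructed sample listing: two worm artefacts, the real services.exe, one
    # double-extension attachment name and one harmless archive.
    sample = [r"C:\Windows\services.exe", r"C:\Windows\System32\services.exe",
              r"D:\Share\how to hack.doc.exe", r"C:\Users\bob\ranking.doc.pif",
              r"C:\Users\bob\archive.tar.gz"]
    for path, hits in scan_paths(sample).items():
        print(path, "->", ", ".join(hits))
```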
If you run the OnDemand Scanner regularly it can be used to disinfect, but some viruses, such as Netsky.B@mm, cannot be disinfected in Windows. This is because the virus infects files that Windows uses while running, so F-Prot Antivirus cannot access those files to disinfect them; it is necessary to disinfect using the DOS scanner (for Windows 95/98/ME) or the Command-line scanner (for Windows NT/2000/XP).
After disinfection, remove this value from the registry.
Guidelines on Safe Computing
- Make sure you always have the latest version of F-Prot Antivirus installed on your computer and update the virus signature files.
- Be extremely careful when opening e-mail from anyone you do not know. Attachments are especially dangerous. Never run an attachment unless you know exactly what it is, even if it appears to have been sent to you by someone you know. Most worms have the ability to falsify the "From" address.
- Make sure that your operating system is up-to-date. If you are using Windows, use Windows Automatic Updates and download the service packs when they are released. For more information on keeping Windows up-to-date, please visit the Windows Update web site.
- If you are using Internet Explorer / Outlook Express or Office / Outlook, make sure that you always have the latest versions. Old versions may contain security holes that are used by virus writers to access your computer. Please visit the Windows Update web site to update Internet Explorer and Outlook Express and the Office Update web site to update Office and Outlook.
- Use a firewall. When you are browsing the Internet, the firewall creates a shield between your computer and possible malicious content on the Internet.
- Scan all removable media (CD-ROMs, floppy disks, USB keys, external hard drives etc.) before you open or run any content on it.
- Scan all files that you receive through the IRC, MSN, ICQ, Kazaa and other such on-line services.
- Use software that detects ad-ware and spyware.
Ragnar Gisli, Senior virus researcher, FRISK Software International