Description
Win32.HLLM.Netsky.17408 [Netsky.AA] is a mass-mailing worm that affects computers running Windows 95/98/Me/NT/2000/XP. The worm's program module, packed with PECompact, is 17,408 bytes in size.
Launching
To ensure that it runs at every Windows startup, the worm adds the value
SkynetsRevenge = "%WinDir%\winlogon.scr"
to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spreading
The worm scans all drives of the infected system, from Z: down to C:, for e-mail addresses. Files with the following extensions are searched:
.ppt
.nch
.mmf
.mht
.xml
.wsh
.jsp
.xls
.stm
.ods
.msg
.oft
.sht
.html
.htm
.pl
.dbx
.tbb
.adb
.dhtm
.cgi
.shtm
.uin
.rtf
.vbs
.doc
.wab
.asp
.mdx
.mbx
.cfg
.php
.txt
.eml
The worm will not send mail to addresses containing any of the following strings (a substring match, so for example "orton" covers Norton and "icrosoft" covers Microsoft):
ruslis
antivir
sophos
freeav
andasoftwa
skynet
messagelabs
abuse
fbi
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
avp
spam
ymantec
antivi
icrosoft
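The harvesting and filtering logic described above, reproduced as an added Python example (not code from the page or from the worm): it walks a directory tree, reads only files with the listed extensions, pulls out e-mail addresses and drops every address that contains one of the exclusion substrings. The extension and exclusion lists are the page's own; the address regular expression and the sample files written to a temporary directory are constructed here for illustration, since the worm's exact address matcher is not on the page. Nothing is sent anywhere.

```python
import os
import re
import tempfile

# Extensions the worm examines, as listed on the page (lower-case, with dot).
HARVEST_EXTENSIONS = {
    ".ppt", ".nch", ".mmf", ".mht", ".xml", ".wsh", ".jsp", ".xls", ".stm",
    ".ods", ".msg", ".oft", ".sht", ".html", ".htm", ".pl", ".dbx", ".tbb",
    ".adb", ".dhtm", ".cgi", ".shtm", ".uin", ".rtf", ".vbs", ".doc", ".wab",
    ".asp", ".mdx", ".mbx", ".cfg", ".php", ".txt", ".eml",
}

# Substrings that cause an address to be skipped, as listed on the page.
EXCLUDE_SUBSTRINGS = (
    "ruslis", "antivir", "sophos", "freeav", "andasoftwa", "skynet",
    "messagelabs", "abuse", "fbi", "orton", "f-pro", "aspersky", "cafee",
    "orman", "itdefender", "f-secur", "avp", "spam", "ymantec", "antivi",
    "icrosoft",
)

# Assumption: a generic address pattern; the worm's own matcher is not documented.
ADDRESS_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_excluded(address: str) -> bool:
    """True if the address contains any exclusion substring (case-insensitive)."""
    lowered = address.lower()
    return any(s in lowered for s in EXCLUDE_SUBSTRINGS)


def harvest_addresses(root: str) -> set:
    """Walk `root`, read files whose extension is in HARVEST_EXTENSIONS and
    return the set of addresses that survive the exclusion filter."""
    targets = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in HARVEST_EXTENSIONS:
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                data = fh.read()
            for match in ADDRESS_RE.findall(data):
                addr = match.decode("ascii", "ignore")
                if not is_excluded(addr):
                    targets.add(addr.lower())
    return targets


def demo() -> set:
    """Write a constructed set of sample files and run the harvester over them."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {  # constructed sample content, not real mailbox data
            "contacts.txt": b"alice@example.com, support@norton-test.example\n",
            "page.html": b"<a href='mailto:bob@example.org'>Bob</a> webmaster@microsoft-demo.example",
            "notes.pdf": b"ignored@example.net",  # .pdf is not in the worm's list
            "abuse.eml": b"From: abuse@example.com\nTo: carol@example.com\n",
        }
        for fname, content in samples.items():
            with open(os.path.join(tmp, fname), "wb") as fh:
                fh.write(content)
        return harvest_addresses(tmp)


if __name__ == "__main__":
    print(sorted(demo()))
```

Running `demo()` yields only alice, bob and carol: the Norton and Microsoft look-alike addresses are dropped by the "orton" and "icrosoft" substrings, the abuse@ mailbox by "abuse", and the .pdf file is never opened. The loose substring match is what lets the worm avoid vendor mailboxes without spelling out each name, and it is also why some legitimate addresses that happen to contain these fragments never receive the worm.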
The worm determines the SMTP server to use from the domain part of the harvested addresses. If that fails, it falls back to its own list of server addresses, which is kept in the worm's body:
212.44.160.8
195.185.185.195
151.189.13.35
213.191.74.19
193.189.244.205
145.253.2.171
193.141.40.42
193.193.144.12
217.5.97.137
195.20.224.234
194.25.2.130
194.25.2.129
212.185.252.136
212.185.253.70
212.185.252.73
62.155.255.16
194.25.2.134
194.25.2.133
194.25.2.132
194.25.2.131
193.193.158.10
212.7.128.165
212.7.128.162
A mail message carrying the worm may look as follows. The sender's name and address are spoofed by the worm.
The subject is chosen from the following list:
Re: Job
Re: Pricelist
Re: Patch
Re: Poster
Re: Final
Re: Demo
Re: War
Re: Cheaper
Re: Fax number
Re: Advice
Re: Presentation
Re: Movie
Re: Website
Re: Product
Re: Letter
Re: Missed
Re: Error
Re: Bill
Re: e-Books
Re: Contacts
Re: Paint file
Re: Text file
Re: List
Re: Tel. Numbers
Re: Application
Re: Music
Re: Step by Step
Re: Summary
Re: Hello
Re: Hi
Re: Information
Re: Private
Re: Photos
Re: Details
Re: Thank you!
Re: Text
Re: Approved
Re: Document
The message body can be one of the following:
For furher details see the attached file.
Your file is attached.
Please read the attached file.
Please have a look at the attached file.
Please take the attached file.
See the attached file for details.
Please view the attached file.
Here is the file.
Your document is attached.
The attachment name is one of the following:
Your_Job.pif
Your_Pricelist.pif
Your_Patch.pif
Your_Poster.pif
Your_Final_Document.pif
Your_Demo.pif
Osam_Bin_Laden_Articel_42.pif
Your_Product_List.pif
My_Fax_Numbers.pif
My_Advice.pif
Your_Presentation.pif
Your_Movie.pif
Your_Website.pif
Your_Product.pif
Your_Letter.pif
Your_Excel_Document.pif
Your_Error.pif
Your_Bill.pif
Your_E-Books.pif
Your_Contacts.pif
Your_Paint_File.pif
Your_Text_File.pif
Your_List.pif
My_Telephone_Numbers.pif
Your_Software.pif
Your_Music.pif
Your_Description.pif
Your_Summary.pif
Your_Digicam_Pictures.pif
Your_Information.pif
Your_Private_Document.pif
Your_Pics.pif
Your_Details.pif
Your_Document_Part3.pif
Your_Text.pif
Your_Document.pif
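A mail-gateway check built from the subject, body and attachment lists above, as an added Python example (not code from the page or from any vendor product). It parses one RFC 822 message with the standard-library `email` module and reports which of the worm's canned strings it matches; the two embedded messages are constructed for the example, with placeholder attachment bytes rather than a real sample.

```python
import email
from email import policy

# Subjects, body lines and attachment names as listed on the page.
SUBJECTS = {"Re: " + s for s in (
    "Job|Pricelist|Patch|Poster|Final|Demo|War|Cheaper|Fax number|Advice|"
    "Presentation|Movie|Website|Product|Letter|Missed|Error|Bill|e-Books|"
    "Contacts|Paint file|Text file|List|Tel. Numbers|Application|Music|"
    "Step by Step|Summary|Hello|Hi|Information|Private|Photos|Details|"
    "Thank you!|Text|Approved|Document"
).split("|")}

BODIES = {
    "For furher details see the attached file.", "Your file is attached.",
    "Please read the attached file.", "Please have a look at the attached file.",
    "Please take the attached file.", "See the attached file for details.",
    "Please view the attached file.", "Here is the file.",
    "Your document is attached.",
}

ATTACHMENTS = set((
    "Your_Job.pif Your_Pricelist.pif Your_Patch.pif Your_Poster.pif "
    "Your_Final_Document.pif Your_Demo.pif Osam_Bin_Laden_Articel_42.pif "
    "Your_Product_List.pif My_Fax_Numbers.pif My_Advice.pif "
    "Your_Presentation.pif Your_Movie.pif Your_Website.pif Your_Product.pif "
    "Your_Letter.pif Your_Excel_Document.pif Your_Error.pif Your_Bill.pif "
    "Your_E-Books.pif Your_Contacts.pif Your_Paint_File.pif Your_Text_File.pif "
    "Your_List.pif My_Telephone_Numbers.pif Your_Software.pif Your_Music.pif "
    "Your_Description.pif Your_Summary.pif Your_Digicam_Pictures.pif "
    "Your_Information.pif Your_Private_Document.pif Your_Pics.pif "
    "Your_Details.pif Your_Document_Part3.pif Your_Text.pif Your_Document.pif"
).split())


def classify_message(raw: bytes) -> dict:
    """Parse one RFC 822 message and report which Netsky.AA indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body_lines, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            body_lines.extend(part.get_content().splitlines())
    body_text = " ".join(line.strip() for line in body_lines if line.strip())
    hits = {
        "subject": subject in SUBJECTS,
        "body": body_text in BODIES,
        "attachment_name": any(a in ATTACHMENTS for a in attachments),
        "pif_attachment": any(a.lower().endswith(".pif") for a in attachments),
    }
    # A .pif attachment plus any of the canned strings is a strong match;
    # a lone .pif attachment from outside is still worth quarantining.
    if hits["pif_attachment"] and (hits["subject"] or hits["body"] or hits["attachment_name"]):
        hits["verdict"] = "netsky_aa"
    elif hits["pif_attachment"]:
        hits["verdict"] = "suspicious_pif"
    else:
        hits["verdict"] = "clean"
    return hits


# Constructed sample in the worm's format; the attachment body is placeholder bytes.
SAMPLE_EML = b"""From: "Bob" <bob@example.org>
To: alice@example.com
Subject: Re: Document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Please read the attached file.
--XYZ
Content-Type: application/octet-stream; name="Your_Document.pif"
Content-Disposition: attachment; filename="Your_Document.pif"
Content-Transfer-Encoding: base64

AAAAAAAA
--XYZ--
"""

# Constructed benign reply: the subject matches the list but nothing else does.
BENIGN_EML = b"""From: carol@example.com
To: alice@example.com
Subject: Re: Document
Content-Type: text/plain

Here is the quarterly report text, no attachment.
"""

if __name__ == "__main__":
    print(classify_message(SAMPLE_EML)["verdict"], classify_message(BENIGN_EML)["verdict"])
```

The subject list on its own is too generic to act on ("Re: Hello", "Re: Document"), which is why the verdict keys on the .pif attachment and treats the subject, body and attachment name only as corroboration.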
Action
When executed, the worm creates the mutex "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D" and drops a copy of itself as winlogon.scr into the Windows folder (C:\Windows on Windows 9x/Me/XP, C:\WINNT on Windows NT/2000).
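A host check for the three indicators the page gives, the Run value from the Launching section and the dropped file and mutex from this section, as an added Python example (not code from the page or from any vendor tool). The Run-value logic is a pure function that can be exercised on any platform with a dictionary of value names and data; the live registry read, the %WinDir% lookup and the mutex probe use the standard-library `winreg` and `ctypes` modules and only do anything on Windows. The registry path, value name, file name and mutex name are the page's; the sample dictionaries in the usage are constructed.

```python
import os
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "SkynetsRevenge"
DROPPED_FILE = "winlogon.scr"
MUTEX_NAME = "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D"


def check_run_values(run_values: dict) -> list:
    """Pure check over {value_name: data} pairs taken from the HKLM Run key.
    Flags the worm's value name and any value that launches winlogon.scr."""
    findings = []
    for name, data in run_values.items():
        path = str(data).strip('"').lower()
        if name == RUN_VALUE_NAME:
            findings.append(f"Run value {name!r} present (data: {data!r})")
        elif path.endswith("\\" + DROPPED_FILE):
            findings.append(f"Run value {name!r} launches {DROPPED_FILE} ({data!r})")
    return findings


def read_hklm_run_values() -> dict:
    """Read the live HKLM Run key on Windows; returns {} elsewhere (winreg is Windows-only)."""
    try:
        import winreg
    except ImportError:
        return {}
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = data
            index += 1
    return values


def mutex_exists(name: str) -> bool:
    """Windows only: OpenMutexW succeeds only if a mutex of that name already exists."""
    if sys.platform != "win32":
        return False
    import ctypes
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.OpenMutexW.argtypes = (ctypes.c_uint32, ctypes.c_int, ctypes.c_wchar_p)
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    kernel32.CloseHandle.argtypes = (ctypes.c_void_p,)
    SYNCHRONIZE = 0x00100000
    handle = kernel32.OpenMutexW(SYNCHRONIZE, 0, name)
    if handle:
        kernel32.CloseHandle(handle)
        return True
    return False


def scan_host() -> list:
    """Combine the registry, file and mutex checks into one list of findings."""
    findings = check_run_values(read_hklm_run_values())
    windir = os.environ.get("WINDIR", r"C:\Windows")  # %WinDir% as used by the worm
    dropped = os.path.join(windir, DROPPED_FILE)
    if os.path.isfile(dropped):
        findings.append(f"dropped copy present: {dropped}")
    if mutex_exists(MUTEX_NAME):
        findings.append(f"worm mutex present: {MUTEX_NAME}")
    return findings


if __name__ == "__main__":
    # Constructed Run-key contents, one infected and one clean, then the live host.
    print(check_run_values({"SkynetsRevenge": r'"C:\WINNT\winlogon.scr"'}))
    print(check_run_values({"OneDrive": r'"C:\Program Files\OneDrive.exe"'}))
    print(scan_host() or "no Netsky.AA indicators found")
```

The file check uses %WinDir% rather than a fixed C:\Windows or C:\WINNT so it follows the same resolution the worm's Run value does. A 32-bit Python on 64-bit Windows reads the redirected Run key under WOW6432Node, so run the check with an interpreter of the native bitness, and keep in mind that a worm that ran as a non-administrator could have written a Run value under HKEY_CURRENT_USER instead, which this check does not cover.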