18.432 bytes (modified and UPX-packed), ~50K unpacked
Presence of an AntiAv.exe file in the %SystemRoot% folder (e.g. in c:\Windows)
Presence of string "EasyAV" in startup registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run", that points to "%SystemRoot%\EasyAV.exe".
Presence of two identical processes in the task list, none of which can be terminated in the usual manner.
Let BitDefender erase the infected files.
Mihai Chiriac, Patrick Vicol, BitDefender Virus Researchers
This is the first version of Netsky to include a backdoor component.
A compressed and encrypted hardcoded text string exists in the worm body:
"Now we have programmed our backdoor, it cannot be used for spam relaying,only for Skynet distribution,
our advice: educate the users or update the smtp protocol, and heuristics cannot detect Skynet, becauses
numerous scambler, compressors, and protectors exists including programming new features.
Thanks to russia, and thanks to CCC
09:34 A.M, Russia"
The backdoor component listens on port 6789. If the attacker sends an executable file, the worm will download and execute it immediately.
If the system date is between 14.04.2004 and 23.04.2004, the worm will start a "Denial-Of-Service" attack against several websites (www.keygen.us, www.freemule.net, www.kazaa.com, www.emule.de, www.cracks.am).
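As an added example (not BitDefender's code), the following turns the indicators listed above into a host-side check over constructed telemetry; the telemetry field names, the case-insensitive path matching and the restriction of the duplicate-process check to the two file names named on the page are assumptions.

```python
from datetime import date
import ntpath

# Indicators taken from the description above.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
BACKDOOR_PORT = 6789
DOS_START, DOS_END = date(2004, 4, 14), date(2004, 4, 23)
WORM_NAMES = ("antiav.exe", "easyav.exe")  # assumption: only these are checked for duplicates


def _norm(path: str, system_root: str) -> str:
    """Expand %SystemRoot%, drop quotes and lower-case so Windows paths compare equal."""
    return path.replace("%SystemRoot%", system_root).strip('"').lower()


def find_indicators(telemetry: dict) -> list:
    """Return human-readable findings for every indicator present in the telemetry."""
    sr = telemetry.get("system_root", r"C:\Windows")
    hits = []
    # 1. AntiAv.exe dropped into %SystemRoot%
    names = {ntpath.basename(f).lower() for f in telemetry.get("files", [])}
    if "antiav.exe" in names:
        hits.append("file: %SystemRoot%\\AntiAv.exe present")
    # 2. Run value "EasyAV" pointing at %SystemRoot%\EasyAV.exe
    for name, value in telemetry.get("run_values", {}).items():
        if name.lower() == "easyav" and _norm(value, sr) == _norm(r"%SystemRoot%\EasyAV.exe", sr):
            hits.append(f"registry: {RUN_KEY}\\{name} -> {value}")
    # 3. Two identical worm processes in the task list
    procs = [p.lower() for p in telemetry.get("processes", [])]
    for p in sorted(set(procs)):
        if p in WORM_NAMES and procs.count(p) >= 2:
            hits.append(f"process: {procs.count(p)} copies of {p}")
    # 4. Backdoor listener on port 6789
    if BACKDOOR_PORT in telemetry.get("listening_ports", []):
        hits.append(f"network: listener on port {BACKDOOR_PORT}")
    return hits


def dos_window_active(day) -> bool:
    """True if the given date (date or ISO string) falls inside the DoS window."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    return DOS_START <= day <= DOS_END


SAMPLE_HOST = {  # constructed telemetry, not from a real infection
    "system_root": r"C:\WINDOWS",
    "files": [r"C:\WINDOWS\AntiAv.exe", r"C:\WINDOWS\notepad.exe"],
    "run_values": {"EasyAV": r"C:\WINDOWS\EasyAV.exe", "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    "processes": ["explorer.exe", "antiav.exe", "AntiAv.exe"],
    "listening_ports": [135, 445, 6789],
}
```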