Win32.Netsky.B@mm

HIGH
LOW
22,016 bytes (packed)
(W32/Netsky-B)

Symptoms

- Presence of the following file in Windows directory (%WINDIR%):
services.exe

- Presence of the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\service = %WINDIR%\services.exe

Removal instructions:

Let BitDefender delete all the infected files.

Analyzed By

Adrian Gostin BitDefender Virus Researcher

Technical Description:

This mass mailer comes in the following e-mail format:

Subject - randomly chosen from the following strings:
"hello"
"read it immediately"
"something for you"
"warning"
"information"
"stolen"
"fake"
"unknown"

Message body - randomly chosen from the following strings:
"anything ok?"
"what does it mean?"
"ok"
"i'm waiting"
"read the details."
"here is the document."
"read it immediately!"
"my hero"
"here"
"is that true?"
"is that your name?"
"is that your account?"
"i wait for a reply!"
"is that from you?"
"you are a bad writer"
"I have your password!"
"something about you!"
"kill the writer of this document!"
"i hope it is not true!"
"your name is wrong"
"i found this document about you"
"yes, really?"
"that is bad"
"here it is"
"see you"
"greetings"
"stuff about you?"
"something is going wrong!"
"information about you"
"about me"
"from the chatter"
"here, the serials"
"here, the introduction"
"here, the cheats"
"that's funny"
"do you?"
"reply"
"take it easy"
"why?"
"thats wrong"
"misc"
"you earn money"
"you feel the same"
"you try to steal"
"you are bad"
"something is going wrong"
"something is fool"

Attached file name - randomly chosen from the following strings:
"document"
"msg"
"doc"
"talk"
"message"
"creditcard"
"details"
"attachment"
"me"
"stuff"
"posting"
"textfile"
"concert"
"information"
"note"
"bill"
"swimmingpool"
"product"
"topseller"
"ps"
"shower"
"aboutyou"
"nomoney"
"found"
"story"
"mails"
"website"
"friend"
"jokes"
"location"
"final"
"release"
"dinner"
"ranking"
"object"
"mail2"
"part2"
"disco"
"party"
"misc"
"#n#o#t#n#e#t#s#k#y#-#s#k#y#n#e#t#!"

Attached file extensions - randomly chosen from the following strings:
".exe"
".scr"
".com"
".pif"
".txt"
".rtf"
".doc"
".htm"

When the user double-clicks the attachment, the worm copies itself as
%WINDIR%\services.exe
and adds the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\service = %WINDIR%\services.exe
so that it is executed automatically each time Windows starts.

It then searches the files on the infected computer for e-mail addresses and sends itself to those addresses.
While searching, it tries to copy itself into each directory whose name contains the string
Share or Sharing, under one of the following names:
'doom2.doc.pif'
'sex sex sex sex.doc.exe'
'rfc compilation.doc.exe'
'dictionary.doc.exe'
'win longhorn.doc.exe'
'e.book.doc.exe'
'programming basics.doc.exe'
'how to hack.doc.exe'
'max payne 2.crack.exe'
'e-book.archive.doc.exe'
'virii.scr'
'nero.7.exe'
'cool screensaver.scr'
'serial.txt.exe'
'office_crack.exe'
'hardcore porn.jpg.exe'
'angels.pif'
'porno.scr'
'matrix.scr'
'photoshop 9 crack.exe'
'strippoker.exe'
'dolly_buster.jpg.pif'
'winxp_crack.exe'
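
The two host-side indicators described above (the `service` Run value pointing at %WINDIR%\services.exe, and decoy double-extension names such as 'serial.txt.exe' dropped into Share/Sharing folders) can be checked over collected triage data. The following is an added example, not BitDefender's code; the function names, the default `windir` and the sample input are assumptions made for illustration, and the filename check generalizes the listed names to any `<document-like>.<executable>` suffix pair, so single-extension names from the list are not covered.

```python
import ntpath  # Windows path rules, usable on any OS for offline triage

# Final suffixes that Windows executes, as they appear in the page's name list.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com"}
# Harmless-looking suffixes used as the decoy second-to-last extension.
DECOY_EXTS = {".doc", ".txt", ".jpg"}

def has_decoy_double_extension(filename):
    """True when a name ends in <decoy>.<executable>, e.g. 'serial.txt.exe'."""
    stem, last = ntpath.splitext(filename.lower())
    _, prev = ntpath.splitext(stem)
    return last in EXECUTABLE_EXTS and prev in DECOY_EXTS

def run_value_matches_symptom(name, data, windir=r"C:\WINDOWS"):
    r"""True for a Run value 'service' whose data is %WINDIR%\services.exe.

    The legitimate services.exe lives in %WINDIR%\System32, so a copy
    directly in %WINDIR% is the condition the Symptoms section describes.
    """
    expanded = data.strip().strip('"').lower().replace("%windir%", windir.lower())
    expected = ntpath.join(windir, "services.exe").lower()
    return name.lower() == "service" and ntpath.normpath(expanded) == expected

def triage(shared_files, run_values, windir=r"C:\WINDOWS"):
    """Return (suspicious shared-folder files, matching Run value names)."""
    files = [f for f in shared_files
             if has_decoy_double_extension(ntpath.basename(f))]
    keys = [n for n, d in run_values.items()
            if run_value_matches_symptom(n, d, windir)]
    return files, keys

# Constructed sample input (not taken from a real host).
SAMPLE_FILES = [
    r"C:\Shared\dictionary.doc.exe",
    r"C:\My Sharing\dolly_buster.jpg.pif",
    r"C:\Shared\report.final.doc",
    r"C:\Shared\setup.exe",
]
SAMPLE_RUN = {
    "service": r"%WINDIR%\services.exe",
    "ExampleApp": r"C:\Program Files\ExampleApp\app.exe",
}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_RUN))
```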