Win32.Netsky.AA@mm

HIGH
LOW
22016 bytes (packed)

Symptoms

-the presence of the following files:
  %windir%\Jammer2nd.exe (the worm, executable form)
  %windir%\pk_zip_alg.log (the worm, zipped)
  %windir%\pk_zip1.log, pk_zip2.log, ..., pk_zip8.log (the archive in base64 format)

-the presence of the following registry value (under the Run key):
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jammer2nd = "%windir%\Jammer2nd.exe"

-firewall warning for an application trying to listen on port 665/TCP

-firewall warning for an application trying to connect to the following addresses:
  www.nibis.de
  www.medinfo.ufl.edu
  www.educa.ch

Removal instructions:

Kill the following process:
  %windir%\Jammer2nd.exe

Delete the following files:
  %windir%\Jammer2nd.exe
  %windir%\pk_zip_alg.log
  %windir%\pk_zip1.log, pk_zip2.log, ..., pk_zip8.log

Delete the following registry value (under the Run key):
  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jammer2nd
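The following script is an added example, not Bitdefender's tool, that checks a host for the symptoms listed above: the dropped files under %windir%, the Jammer2nd value under the Run key, and a process listening on 665/TCP (the backdoor port described further down). File names, the Run value name and the port come from this description; the netstat text embedded in the script is constructed so the parser can be exercised on a non-Windows machine, and on a Windows host the script runs the real `netstat -ano` instead.

```python
"""Host triage for the Win32.Netsky.AA@mm artifacts (added example)."""
import os
import re
import sys

# Artifact names taken from the description above.
WORM_FILES = ["Jammer2nd.exe", "pk_zip_alg.log"] + [f"pk_zip{i}.log" for i in range(1, 9)]
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Jammer2nd"
BACKDOOR_PORT = 665


def present_worm_files(windir):
    """Return the worm artifacts that exist under `windir` (normally %windir%)."""
    return [name for name in WORM_FILES if os.path.isfile(os.path.join(windir, name))]


def run_key_value():
    """Return the data of HKLM\\...\\Run\\Jammer2nd, or None if absent or not on Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
            value, _ = winreg.QueryValueEx(key, RUN_VALUE)
            return value
    except OSError:
        return None


# One `netstat -ano` TCP line: "TCP  <local>:<port>  <remote>  LISTENING  <pid>"
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def listeners_on_port(netstat_output, port=BACKDOOR_PORT):
    """Parse `netstat -ano` text and return the PIDs listening on `port`."""
    pids = []
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and int(m.group(2)) == port:
            pids.append(int(m.group(3)))
    return pids


def triage(windir, netstat_output):
    """Combine the three checks into one report dictionary."""
    return {
        "files": present_worm_files(windir),
        "run_key": run_key_value(),
        "port_665_pids": listeners_on_port(netstat_output),
    }


# Constructed sample output; PID 1764 stands in for the worm process.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:665            0.0.0.0:0              LISTENING       1764
  TCP    192.0.2.10:1040        192.0.2.20:25          ESTABLISHED     1764
"""

if __name__ == "__main__":
    if sys.platform == "win32":
        import subprocess
        output = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    else:
        output = SAMPLE_NETSTAT  # constructed sample for offline use
    print(triage(os.environ.get("windir", r"C:\Windows"), output))
```

A PID returned by `listeners_on_port` is the process to terminate before deleting the files; the Run value is checked separately because it can survive a reboot even after the executable has been removed.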

Analyzed By

Marius Botis, virus researcher

Technical Description:

The worm copies itself to %windir%\Jammer2nd.exe and adds a Run registry value so that it is started again after the next restart. It then creates the following files in the %windir% folder:
  pk_zip_alg.log (the worm, zipped),
  pk_zip1.log, pk_zip2.log, ..., pk_zip8.log (the archive in base64 format).

The worm spreads by e-mail. It searches for e-mail addresses in files having extensions:
  .cfg  .mbx .mdx .htm .html .asp .wab  .doc
  .eml  .txt .php .vbs .rtf  .uin .shtm .cgi
  .dhtm .ods .stm .xls .adb  .tbb .dbx  .mht
  .mmf  .nch .sht .oft .msg  .jsp .wsh  .xml
  .ppt

The e-mails it sends have the following characteristics:

  Subject:
    Important
    Document
    Hello
    Information
    Hi

  Message body:
    Important details!
    Important notice!
    Important document!
    Important bill!
    Important data!
    Important!
    Important textfile!
    Important informations!

The e-mail contains the worm in a zip archive having one of the following names:
  Details.zip
  Notice.zip
  Important.zip
  Bill.zip
  Data.zip
  Part-2.zip
  Textfile.zip
  Informations.zip
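A mail-gateway filter for the lure described above, as an added example that is not Bitdefender's code: it parses a raw RFC 822 message with Python's email module and reports which of the three fields (subject, body, attachment name) match the lists on this page. The policy in `verdict` is an assumption: a matching attachment name together with a matching subject or body is quarantined, a matching attachment alone is sent for review, and a generic subject such as "Hi" on its own is delivered. The two messages at the bottom are constructed test input.

```python
"""Mail triage for the Netsky.AA e-mail lure (added example)."""
from email import message_from_string
from email.header import decode_header, make_header

# Strings taken from the description above.
SUBJECTS = {"Important", "Document", "Hello", "Information", "Hi"}
BODIES = {
    "Important details!", "Important notice!", "Important document!",
    "Important bill!", "Important data!", "Important!",
    "Important textfile!", "Important informations!",
}
ATTACHMENTS = {
    "Details.zip", "Notice.zip", "Important.zip", "Bill.zip",
    "Data.zip", "Part-2.zip", "Textfile.zip", "Informations.zip",
}


def _text_body(msg):
    """Return the first text/plain part that is not an attachment, decoded and stripped."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "ascii", "replace").strip()
    return ""


def _attachment_names(msg):
    """Return every filename declared on any MIME part."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def netsky_aa_indicators(raw):
    """Return the indicator names ("subject", "body", "attachment") matched by one raw message."""
    msg = message_from_string(raw)
    hits = []
    subject = str(make_header(decode_header(msg.get("Subject", "")))).strip()
    if subject in SUBJECTS:
        hits.append("subject")
    if _text_body(msg) in BODIES:
        hits.append("body")
    if any(name in ATTACHMENTS for name in _attachment_names(msg)):
        hits.append("attachment")
    return hits


def verdict(raw):
    """Assumed policy: attachment plus another field -> quarantine; attachment alone -> review."""
    hits = netsky_aa_indicators(raw)
    if "attachment" in hits and len(hits) >= 2:
        return "quarantine"
    if "attachment" in hits:
        return "review"
    return "deliver"


# Constructed messages; the zip payload is a few dummy base64 bytes, not a real archive.
WORM_MAIL = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: Document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Important document!
--b1
Content-Type: application/zip; name="Details.zip"
Content-Disposition: attachment; filename="Details.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

CLEAN_MAIL = """\
From: carol@example.invalid
To: bob@example.invalid
Subject: Hello
Content-Type: text/plain; charset="us-ascii"

Hi Bob, the slides from today are on the shared drive.
"""

if __name__ == "__main__":
    for label, raw in (("worm", WORM_MAIL), ("clean", CLEAN_MAIL)):
        print(label, netsky_aa_indicators(raw), verdict(raw))
```

Because the subject and body strings are short and generic, neither alone is evidence; the attachment name is the strongest of the three indicators, and the final word should come from scanning the archive contents.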

The worm can perform a Denial of Service (DoS) attack against the following sites:
  www.nibis.de
  www.medinfo.ufl.edu
  www.educa.ch

The worm listens on port 665/TCP. It accepts connections, writes the data received to a file named %N%.exe (where %N% is a random number) and then executes that file.
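Detection logic for the two network behaviours just described, as an added example that is not Bitdefender's code: one function counts outbound connections per source host to the three DoS targets in a firewall log, and another flags process-creation records in which Jammer2nd.exe starts an executable whose name is only digits, which is the %N%.exe pattern of the backdoor. The firewall log format is constructed for this example; the process records use the field names Image and ParentImage as Sysmon event 1 reports them, but any telemetry that gives an image path and its parent can be mapped onto them.

```python
"""Network and process detections for Netsky.AA behaviour (added example)."""
import re
from collections import Counter

# Targets and dropper name taken from the description above.
DOS_TARGETS = {"www.nibis.de", "www.medinfo.ufl.edu", "www.educa.ch"}
DROPPER = "jammer2nd.exe"
DROPPED_NAME = re.compile(r"^\d+\.exe$", re.IGNORECASE)   # %N%.exe

# Constructed log format: "<time> <src_ip> -> <dst_host>:<port> <action>"
FW_LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


def dos_connections(fw_log):
    """Count connections per source host to the DoS targets (allowed or denied)."""
    counts = Counter()
    for line in fw_log.splitlines():
        m = FW_LINE.match(line)
        if m and m.group(3).lower() in DOS_TARGETS:
            counts[m.group(2)] += 1
    return counts


def _basename(path):
    """Last component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def dropped_payload_launches(events):
    """Return process-creation records where Jammer2nd.exe starts <digits>.exe."""
    hits = []
    for ev in events:
        parent = _basename(ev.get("ParentImage", "")).lower()
        image = _basename(ev.get("Image", ""))
        if parent == DROPPER and DROPPED_NAME.match(image):
            hits.append(ev)
    return hits


# Constructed sample data; timestamps and addresses are placeholders.
SAMPLE_FW_LOG = """\
2004-01-01T10:00:01Z 192.0.2.10 -> www.nibis.de:80 allow
2004-01-01T10:00:01Z 192.0.2.10 -> www.nibis.de:80 allow
2004-01-01T10:00:02Z 192.0.2.10 -> www.educa.ch:80 allow
2004-01-01T10:00:02Z 192.0.2.11 -> www.example.com:443 allow
2004-01-01T10:00:03Z 192.0.2.12 -> www.medinfo.ufl.edu:80 deny
"""

SAMPLE_EVENTS = [
    {"Image": r"C:\WINDOWS\Jammer2nd.exe", "ParentImage": r"C:\WINDOWS\explorer.exe"},
    {"Image": r"C:\WINDOWS\48213.exe", "ParentImage": r"C:\WINDOWS\Jammer2nd.exe"},
    {"Image": r"C:\WINDOWS\system32\notepad.exe", "ParentImage": r"C:\WINDOWS\explorer.exe"},
    {"Image": r"C:\WINDOWS\setup.exe", "ParentImage": r"C:\WINDOWS\Jammer2nd.exe"},
]

if __name__ == "__main__":
    print("DoS connections per host:", dict(dos_connections(SAMPLE_FW_LOG)))
    print("dropped payload launches:", dropped_payload_launches(SAMPLE_EVENTS))
```

A host that appears in `dos_connections` with repeated hits is a candidate for the host triage above; the process rule is deliberately narrow (parent must be the dropper) so that legitimately named installers do not fire it.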