Virus Name: W32/Netsky.u@MM
Risk Assessment: Corporate User: Low; Home User: Low
Discovery Date: 04/07/2004
Length: 18,432 bytes
Release Date: 4350
Minimum Engine: 4.2.40
Description Added: 04/07/2004
Description Modified: 04/07/2004 3:43 PM (PT)
Method Of Infection
Variants / Aliases
This variant of W32/Netsky is very similar to W32/Netsky.t@MM. It bears the following characteristics:
constructs messages using its own SMTP engine
harvests email addresses from the victim machine
spoofs the From: address of messages
opens a port on the victim machine (TCP 6789)
delivers a DoS attack on certain web sites upon a specific date condition
Email addresses are harvested from the victim machine. Files with the following extensions are searched:
Constructed messages bear the following characteristics:
From: This is spoofed (using harvested email addresses)
Subject: Taken from the following list
Body: Various message bodies may be constructed using a pool of strings within the worm. (some letters have been omitted, replaced with *)
Oh, I got it!
To less characters! Take it easy...
I noticed your password for administrative purpuses.
Yet another password! Need a better one?
Oh... your password!
Need a better password? my advice....
Your pwd is critical, too short, to low!
Do not use personal information for your password!
Your password on a website?
I needed only 2 hours to get your password.
Change your password! I have stolen some text, excuse me!
Dictionary attacks are good. Your password not!
I used the brute-force method to get your password..
Take it easy... Your password is too short.
I 've got your password! take it easy...
Hey, easy passwords!
Oh! Excuse me, your password is too easy!!!
Not with me!
Here is a sample of your private documents I have stolen!
Your privacy! lol, youre not protected!
Needed? No, here I give it back!
I believe from the document you are a child!
Check your document, errors are there!
Please, please, Give me another sexy document about you!
Short and good, your document!
Jooooooooo.... document? Yours????? Wehaaa!
I do not accept documents from bad guys!
I do not want your document!
Go to hell an burn with your bad document!
I will send your list to the police!!!!
It's the truth, your document not!!!
Could I have more texts about you?
Thus is enough. Stop sending your s***** documents!!!
One, two three, more, I have many questions to you document!
Nice, nice, more and more? do you?
Should I believe it? No, however, your story is bad.
Oh.....puh, your story is very strong!
Yours is very nice!
Do you have more of that?
Hey ya, nice document. Do you have more?
Sexy pic abou you?
Do you have a digicam to make your private photos?
More naked...your body is sexy!
Are you naked?
More private photos of you? no!
Private photos...mmmhh. I like it. Post me more please!
Hey, naked one!
Hey, have you ever seen your photo?
Eat my s***! Your photo is bad.
Do not distribute your naked photos!
Uhaaa! naked... are you cranky?
Your are naked? Tell me more...please!
Hey, private or private..naked?
Pah!...take your private photo, naked and so, and go away.
I have sent your private photo to the police.
What is when I show your private illegal photo the police?
You? Very funny! More available?
I don't want to see your photo!
S***... your photo! naked?
Attachment: The attachment arrives as a .PIF file. The first part of the filename is constructed from one of the following strings
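The message characteristics above (spoofed From:, a body drawn from the worm's string pool, a .PIF attachment) can be checked at a mail gateway. The following is an added example, not McAfee's code or the worm's: it parses a raw RFC 822 message with Python's standard email module and reports whether it shows a .PIF attachment together with one of the body strings listed on this page. The subset of body strings is taken from the list above (censored entries omitted); the sample message, its addresses, subject and attachment name are constructed placeholders, since the page does not list the subject strings or the filename prefixes.

```python
import email
from email import policy
from email.message import EmailMessage

# Subset of the message-body pool listed on the page (censored strings left out).
NETSKY_U_BODY_STRINGS = (
    "Oh, I got it!",
    "I noticed your password for administrative purpuses.",
    "Yet another password! Need a better one?",
    "I needed only 2 hours to get your password.",
    "Dictionary attacks are good. Your password not!",
    "I used the brute-force method to get your password..",
    "Here is a sample of your private documents I have stolen!",
    "Do you have a digicam to make your private photos?",
    "I have sent your private photo to the police.",
)


def netsky_u_indicators(raw: bytes) -> dict:
    """Return which Netsky.u mail characteristics a raw RFC 822 message shows.

    'suspicious' is set only when both a .PIF attachment and a known body
    string are present, so a lone .PIF or a lone phrase is reported but not flagged.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    pif_names = []
    body_hits = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(".pif"):
            pif_names.append(filename)
        # Only inline text bodies are searched for the worm's phrases.
        if part.get_content_type() == "text/plain" and not part.is_attachment():
            text = part.get_content()
            body_hits.extend(s for s in NETSKY_U_BODY_STRINGS if s in text)
    return {
        "pif_attachment": pif_names,
        "body_strings": body_hits,
        "suspicious": bool(pif_names) and bool(body_hits),
    }


def build_sample_message() -> bytes:
    """Constructed message shaped like the page's description (not a real capture).

    Addresses, subject and the attachment filename are placeholders.
    """
    msg = EmailMessage()
    msg["From"] = "harvested.sender@example.invalid"  # spoofed in the real thing
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "placeholder subject"  # page does not list the subject strings
    msg.set_content("I needed only 2 hours to get your password.\n")
    msg.add_attachment(
        b"MZ placeholder bytes, constructed",
        maintype="application",
        subtype="octet-stream",
        filename="document_placeholder.pif",
    )
    return msg.as_bytes()


def build_benign_message() -> bytes:
    """Constructed ordinary message used as a negative case."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "Lunch"
    msg.set_content("Are we still on for noon?\n")
    return msg.as_bytes()


if __name__ == "__main__":
    print(netsky_u_indicators(build_sample_message()))
    print(netsky_u_indicators(build_benign_message()))
```

Requiring both the attachment type and a body phrase keeps the rule from firing on every .PIF attachment; a gateway that blocks .PIF outright would not need the phrase match at all.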
Denial of Service
If the local system date is between April 14th and April 23rd when the worm starts up, it targets the following remote servers in a denial of service attack:
The worm installs itself on the victim machine as SYMAV.EXE in the Windows directory:
The following Registry key is added to hook system startup:
\Run "SymAV" = %WinDir%\SymAV.EXE
A base-64 encoded copy of the worm is saved to disk as F***_YOU_BAGLE.TXT (letters omitted, replaced with *) in the Windows directory:
Remote Access Component
The worm opens port 6789 (TCP) on the victim machine. This facilitates the downloading and execution of files.
Outgoing DNS query to one of the following DNS servers (IP list carried within the worm):
Existence of the files/Registry keys detailed above
TCP port 6789 open on the victim machine
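The host-side indicators above (the SYMAV.EXE drop in the Windows directory, the SymAV Run value, the base-64 text file, and a TCP listener on 6789) can be checked from collected triage output. The following is an added example, not McAfee's code: it runs those checks over constructed text in the shape of netstat -an and reg query output plus a directory listing, and also evaluates the page's DoS date window (April 14th to 23rd, assumed inclusive here). The netstat lines, registry lines and file names are constructed samples; the censored base-64 file name is matched on its visible suffix because the page omits the prefix.

```python
from datetime import date

WORM_FILE = "SYMAV.EXE"
B64_DROP_SUFFIX = "_YOU_BAGLE.TXT"  # prefix is censored on the page; match the suffix
RUN_VALUE_NAME = "SymAV"
BACKDOOR_PORT = 6789


def check_listening_ports(netstat_text: str) -> list[str]:
    """Return netstat -an lines showing a TCP listener on the backdoor port."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            try:
                port = int(fields[1].rsplit(":", 1)[1])
            except (IndexError, ValueError):
                continue
            if port == BACKDOOR_PORT:
                hits.append(line.strip())
    return hits


def check_run_keys(reg_text: str) -> list[str]:
    """Return Run-key value lines ("name  type  data") whose name is SymAV
    and whose data ends in \\SymAV.EXE."""
    hits = []
    for line in reg_text.splitlines():
        fields = line.split(None, 2)
        if (len(fields) == 3
                and fields[0].lower() == RUN_VALUE_NAME.lower()
                and fields[2].upper().endswith("\\" + WORM_FILE)):
            hits.append(line.strip())
    return hits


def check_files(windir_listing: list[str]) -> list[str]:
    """Return names from a Windows-directory listing that match the dropped files."""
    return [n for n in windir_listing
            if n.upper() == WORM_FILE or n.upper().endswith(B64_DROP_SUFFIX)]


def dos_window_active(today: date) -> bool:
    """True inside the page's DoS window (April 14th to 23rd; inclusive is an assumption)."""
    return today.month == 4 and 14 <= today.day <= 23


def assess_host(netstat_text: str, reg_text: str,
                windir_listing: list[str], today: date) -> dict:
    """Combine the individual checks into one triage result."""
    result = {
        "listening": check_listening_ports(netstat_text),
        "run_keys": check_run_keys(reg_text),
        "files": check_files(windir_listing),
        "dos_window": dos_window_active(today),
    }
    result["indicators_present"] = any(
        result[k] for k in ("listening", "run_keys", "files"))
    return result


# Constructed sample triage output (not from a real machine).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6789           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      192.168.1.1:53         TIME_WAIT
"""

REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SymAV    REG_SZ    C:\WINDOWS\SymAV.EXE
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

# The second entry keeps the page's censored spelling; only the suffix is matched.
WINDIR_SAMPLE = ["explorer.exe", "SymAV.EXE", "F***_YOU_BAGLE.TXT", "notepad.exe"]


if __name__ == "__main__":
    print(assess_host(NETSTAT_SAMPLE, REG_SAMPLE, WINDIR_SAMPLE, date(2004, 4, 15)))
```

Each check is independent, so a host showing only the open port (for example after the files were cleaned but the process is still running) is still reported; the date window is informational and does not count as an indicator on its own.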
For this, the ELINETSA v 2.8 utility has been made; it will be uploaded to this website as soon as the DNS servers have been replicated with the new zonavirus URL.