W32/Netsky.C

Subscribe to Virus Alert
Mailing List

Enter your Email
(Ex : john@company.com)

W32/Netsky.C Worm

Information about the W32/Netsky.C worm:

W32/Netsky.C is a mass mailing worm. This worm is a variant of W32/Netsky.B. The worm infects Windows systems. This worm spreads through email and shared drives on network.

Infected mail carries a spoofed 'From' address, picked up randomly from the infected system or from any other shared network drive connected to the infected system.

The subject of the infected mail will be any one of the following;

report
question
trust me
hey
Re: excuse me
read it immediatelly
hi
Re: does it?
Yep
important
hello
dear
Re: unknown
fake?
warning
moin
illegal...
error
take it
re:
Re: Re: Re: Re:
what's up?
info
Re: information
Here is it
stolen
private?
good morning
denied!
notification
Re: <5664ddff?$??º2>
lol
last chance!
I'm back!
its me
you?
something for you
exception
Re: hey
excuse me
Re: hi
Re: does it?
Re: important
Re: hello
believe me
Question

The body of the mail will be any one of the following;

Deliver Error>
*lol*
read it immediately!
i found that about you!
your hero in the picture?
yours?
here is it.
illegal st. of you?
is that true?
account?
is that your name?
picture?
message?
Read the attachment
solve the problem!
<null>
do not use
my document!
do not open the attachment!
do not visit the pages on the list I sent!
explain!
tell me more about your document!
Your provider will be disabled!
Instant patches.
<Message Error>
<Server Error>
what means that?
help attached
<...>
ok...
<Attachment from Poland>
that is interesting...
i wait for your comment about it.
such as yours?
read the details.
gonna?
here is the document.

The infected email has an attachment with any one of the following names;

birth
card
concert
moonlight
death
details
description
creditcard
dinner
disco
doc
yours
doc_ang
jokes
document
final
found
freaky
image
incest
information
sexy
injection
intimate stuff
letter
location
mail2
mails
masturbation
material
me
message
talk
msg2
music
myaunt
mydate
naked1
naked2
news
nomoney
note
nothing
misc
number_phone
object
old_photos
part2
party
paypal
pic
attachment
portmoney
posting
poster
privacy
id
product
class_photos

The file extension of the infected attachment will be single or double extension with a combination of the following extensions;

.rtf, .txt, .doc, .htm, .exe, .scr, .com, .pif, .zip

Upon execution of the infected attachment, the worm copies itself as WINLOGON.EXE in the Windows folder. It creates a mutex called SkyNet.cz to check the presence of the worm in system memory. It also checks for a word 'shar' in the available shared folders in both local and network, if found the worm copies itself to these folders using the following filenames;.

Partitionsmagic 9.0.exe
Porno Screensaver.scr
RFC Basics Full Edition.doc.exe
Screensaver.scr
Serials.txt.exe
Smashing the stack.rtf.exe
Star Office 8.exe
1000 Sex and more.rtf.exe
3D Studio Max 3dsmax.exe
ACDSee 9.exe
Adobe Photoshop 9 full.exe
Adobe Premiere 9.exe
Ahead Nero 7.exe
Best Matrix Screensaver.scr
Teen Porn 16.jpg.pif
The Sims 3 crack.exe
Ulead Keygen.exe
Virii Sourcecode.scr
Visual Studio Net Crack.exe
Win Longhorn Beta.exe
WinAmp 12 full.exe
Windows Sourcecode.doc.exe
WinXP eBook.doc.exe
XXX hardcore pic.jpg.exe
Clone DVD 5.exe
Cracks & Warez Archive.exe
Dark Angels.pif
Dictionary English - France.doc.exe
DivX 7.0 final.exe
Doom 3 Beta.exe
E-Book Archive.rtf.exe
Full album.mp3.pif
Gimp 1.5 Full with Key.exe
How to hack.doc.exe
IE58.1 full setup.exe
Keygen 4 all appz.exe
Learn Programming.doc.exe
Lightwave SE Update.exe
Magix Video Deluxe 4.exe
Microsoft Office 2003 Crack.exe
Microsoft WinXP Crack.exe
MS Service Pack 5.exe
Norton Antivirus 2004.exe
Opera.exe

The worm modifies registry at the following location to run itself at the startup;

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

To propagate itself, the worm scans the following extensions and collects the available email addresses from the infected system and shared folders;

.php, .pl, .rtf, .sht, .tbb, .txt, .uin, .vbs, .wab, .adb, .asp, .dbx, .doc, .eml, .htm, .html, .msg, .oft

After this, the worm mails itself to these addresses using its own SMTP engine.

The worm may de-activate some variants of W32/Mydoom in the infected system.

This worm first appeared on 25th February, 2004.

Other names of W32/Netsky.C worm:

This worm is also known as W32/Netsky.c@MM, WORM_NETSKY.C, Moodown.C, I-Worm.Moodown.C

Click here to download a 30 day Evaluation Copy of
Protector Plus anti virus software for your operating system

About Protector Plus Antivirus Software Packages:

Proland Software is the developer of Protector Plus range of antivirus software packages. Protector Plus 2007 is available for Windows Vista, Windows 95/98/Me, Windows XP, Windows NT/2000 servers and workstations, MS-Exchange 2000/2003, MS-DOS and NetWare servers.

New:
SpamChoke Antispam Software
Download Now!

Protector Plus range of antivirus products offer on-line virus detection and removal. All the packages have the ability to detect and isolate all types of viruses, trojans, worms and other types of malware. Protector Plus antivirus software can detect and remove W32/Netsky.C worm reliably.

These products are updated on a continuous basis and the latest upgrades for all the platforms are made available for downloading from this site.

Click here to order
Protector Plus Antivirus software