W32/Netsky.K Worm
Information about the W32/Netsky.K worm:
W32/Netsky.K is a mass-mailing worm. It infects Windows systems and spreads through email.
The infected email carries a spoofed 'From' address, taken from the email addresses the worm harvests on the infected system.
The subject of the infected email will be one of the following:
www.paypal.com/<username>
www.<username>.tripod.com
www.<username>.freepage.com, your website
Yours faithfully, <username>
Your product
Your letter
Your account <username> is expired!
Whats up <username>
Welcome <username>
To <username>, it's me
Re: your music
Re: part 3
Re: my memberlist
Re: important document part 2
Re: important
Re: hi again
Re: hello again
Re: excel document
Re: corrected homework
Re: Your software
Re: Your requested file
Re: Your file
Re: Your document
Re: Your details
Re: Your data
Re: Your bill
Re: Your application
Re: Read it immediately
Re: Re: Re: word document
Re: Re: Re: Hello <username>, your document
Re: Re: Hi <username>, your message
Re: Re: Hi <username>, document
Re: Re: <username>, thanks!
Re: My details
Re: I've found your document
Re: Hi <username>, your word file
Re: Hi <username>, your music
Re: Hi <username>, your details
Re: Hi <username>, your archive
Re: Hi <username>, here is the document
Re: Hi <username>, details
Re: Hi <username>
Re: Here <username>, your picture
Re: Hello <username>, your software
Re: Hello <username>, your excel file
Re: Hello <username>, your document
Re: Hello <username>, your bill
Re: Hello <username>, my details
Re: Hello <username>, Approved
Re: Dear <username>, Hi
Re: Dear <username>, Here
Re: Approved
Re: <username>, your text
Re: <username>, thanks!
Na <username>
Moin <username>
Moi <username>
Message to <username>
Love <username>
Is <username>.xls yours?
Is <username>.doc yours?
Hi Mrs. <username>
Hi Mr. <username>
Hi <username>, your product
Hi <username>
Hi
Hey <username>
Hello <username>, your letter
Hello <username>
He <username>
Have a good day <username>
Good morning <username>
Dear <username>
Best<username>
<username>
(Where <username> is taken from the gathered email addresses; it is usually the portion of the recipient's email address before the @.)
The body of the email will be one of the following:
Your personal document
is attached.
Your file is attached. Use this password for the file: <variable>.
Your file is attached to this mail.
Your document is attached. Your password is <variable>.
Your document is attached to this mail.
The sample is attached.
The important document is attached.
See the attachment for further details.
See the attached file for details. Password is <variable>.
Please read the document. It's important.
Please read the attached file. Password for the file is <variable>.
Please have a look at the attached file. Password for decrypting is <variable>.
Please do not forget to read the important document.
Note that I have attached your file.
My details are in the attached file.
I have corrected your document.
I have an interesting document about you.
Here is the file. My password is <variable>.
(Where <variable> is a randomly generated 5-digit number.)
The infected email carries an attachment with one of the following names:
yours<username>.pif
your_text<username>.pif
your_product_<username>.pif
your_details<username>.pif
website_<username>.pif
mp3music_<username>.pif
letter_<username>.pif
document_<username>4351.pif
bill_<username>.pif
archive<username>.pif
<username>information.pif
<username>e.pif
<username>document.pif
<username>_your_message_part2.pif
<username>_your_document.pif
<username>_picture.pif
<username>_my_details.pif
<username>_message_details.pif
<username>_file.pif
<username>_document_word.pif
<username>_document_full.pif
<username>_document_excel.pif
<username>_details.pif
<username>_application.pif
<username>_all_document.pif
(Where <username> is taken from the gathered email addresses; it is usually the portion of the recipient's email address before the @.)
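The subject and attachment-name lists above are templates keyed on the recipient's local part, which makes them usable as a mail-gateway detection rule. The following Python example is added here and is not code from the original page or from the vendor; it derives <username> from the To: address, expands a representative subset of the templates (the full lists can be dropped in unchanged) into anchored regular expressions, and reports whether the subject and the attachment name follow the worm's pattern. Case-insensitive matching and the sample messages are assumptions and constructions for this example, not captures of the worm.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Representative subset of the subject and attachment-name templates listed on this page.
SUBJECT_TEMPLATES = [
    "Re: Hi <username>, your document",
    "Re: Your document",
    "Is <username>.doc yours?",
    "Your account <username> is expired!",
    "Hi <username>",
    "<username>",
]
ATTACHMENT_TEMPLATES = [
    "yours<username>.pif",
    "<username>_your_document.pif",
    "document_<username>4351.pif",
    "<username>e.pif",
]


def username_for(recipient):
    """The worm fills <username> with the part of the recipient address before '@'."""
    return parseaddr(recipient)[1].split("@", 1)[0]


def template_regex(template, username):
    """Turn a template into an anchored regex, escaping everything except the placeholder.
    Case-insensitive matching is an assumption; the page does not state how the worm compares."""
    parts = [re.escape(p) for p in template.split("<username>")]
    return re.compile("^" + re.escape(username).join(parts) + "$", re.IGNORECASE)


def classify_message(raw_message):
    """Return (subject_matches, attachment_matches) for one RFC 822 message string."""
    msg = message_from_string(raw_message)
    username = username_for(msg.get("To", ""))
    if not username:
        return (False, False)
    subject = " ".join((msg.get("Subject") or "").split())  # collapse header folding
    subject_hit = any(template_regex(t, username).match(subject) for t in SUBJECT_TEMPLATES)
    attachment_hit = False
    for part in msg.walk():
        filename = part.get_filename()
        if filename and any(template_regex(t, username).match(filename) for t in ATTACHMENT_TEMPLATES):
            attachment_hit = True
    return (subject_hit, attachment_hit)


def is_netsky_k_lure(raw_message):
    """True when both the subject and the attachment name follow the worm's templates."""
    return all(classify_message(raw_message))


def build_sample(to_addr, subject, attachment_name):
    """Constructed test message for this example; not a real capture of the worm."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"  # spoofed sender, as the worm does
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content("Your document is attached. Your password is 12345.")
    msg.add_attachment(b"MZ" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    for to, subj, att in [
        ("alice@example.org", "Re: Hi alice, your document", "alice_your_document.pif"),
        ("bob@example.org", "Re: Hi bob, your document", "report.docx"),
        ("carol@example.org", "Quarterly numbers", "carole.pif"),
    ]:
        print(to, subj, att, classify_message(build_sample(to, subj, att)))
```

A subject hit on its own is weak evidence (templates such as "Hi <username>" are ordinary mail), so a gateway rule should key on the attachment-name match, which is specific, and treat the subject match as corroboration.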
When the infected attachment is executed, the worm copies itself as AVPGUARD.EXE into the Windows folder.
The worm then adds a value under the following registry key so that it runs at startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
To propagate, the worm scans files with the following extensions on the infected system and collects every email address it finds in them:
.wab
.vbs
.uin
.txt
.tbb
.shtm
.sht
.rtf
.pl
.php
.oft
.msg
.htm
.eml
.doc
.dhtm
.dbx
.cgi
.asp
.adb
The worm skips any collected address that contains one of the following text strings, so that copies are not mailed to antivirus vendors, abuse mailboxes or auto-responders, which helps it evade detection:
ymantec
spam
sophos
skynet
responder
orton
orman
noreply
messagelabs
itdefender
iruslis
icrosoft
freeav
fbi
f-secur
f-pro
cafee
avp
automail
aspersky
antivir
antivi
andasoftwa
abuse
The worm then mails itself to the remaining addresses using its own SMTP engine.
The worm may deactivate some variants of W32/Mydoom on the infected system.
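The address-harvesting and skip-list behaviour above is worth reproducing, because it explains why seeding honeytoken addresses that contain strings such as "spam" or "abuse" will never catch this worm, and why the skip strings are listed without their first letter ("ymantec", "orton"): a plain substring test then matches both capitalised and lower-case spellings. The following Python example is added here and is not code from the original page or from the vendor. It applies the page's extension list and skip list to a set of constructed in-memory "files"; exact case-insensitive extension matching and lower-casing addresses before the substring test are assumptions, as the page does not describe the worm's comparison.

```python
import os
import re

# Extension and skip lists exactly as given on this page.
HARVEST_EXTENSIONS = {
    ".wab", ".vbs", ".uin", ".txt", ".tbb", ".shtm", ".sht", ".rtf", ".pl", ".php",
    ".oft", ".msg", ".htm", ".eml", ".doc", ".dhtm", ".dbx", ".cgi", ".asp", ".adb",
}
SKIP_SUBSTRINGS = [
    "ymantec", "spam", "sophos", "skynet", "responder", "orton", "orman", "noreply",
    "messagelabs", "itdefender", "iruslis", "icrosoft", "freeav", "fbi", "f-secur",
    "f-pro", "cafee", "avp", "automail", "aspersky", "antivir", "antivi", "andasoftwa", "abuse",
]
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_harvest_target(filename):
    """Exact, case-insensitive extension match (an assumption; the page only lists the extensions)."""
    return os.path.splitext(filename)[1].lower() in HARVEST_EXTENSIONS


def skip_reason(address):
    """Return the first skip string contained in the address, or None if it would be mailed.
    Lower-casing first is an assumption about the worm's comparison."""
    lowered = address.lower()
    for needle in SKIP_SUBSTRINGS:
        if needle in lowered:
            return needle
    return None


def harvest(files):
    """files: mapping of filename -> text content, an in-memory stand-in for files on disk.
    Returns the sorted, de-duplicated addresses the worm would mail itself to."""
    targets = set()
    for name, text in files.items():
        if not is_harvest_target(name):
            continue
        for address in ADDRESS_RE.findall(text):
            if skip_reason(address) is None:
                targets.add(address.lower())
    return sorted(targets)


# Constructed sample "files" for this example; the contents are invented.
SAMPLE_FILES = {
    "contacts.wab": "alice@example.org, support@symantec.example, abuse@example.org",
    "notes.TXT": "Norton.User@example.com dave@example.net",
    "photo.jpg": "ignored@example.org",
}

if __name__ == "__main__":
    for name, text in SAMPLE_FILES.items():
        for address in ADDRESS_RE.findall(text):
            print(name, address, "skipped:", skip_reason(address), "scanned:", is_harvest_target(name))
    print(harvest(SAMPLE_FILES))
```

The practical consequence for defenders is the inverse of the skip list: a honeytoken address meant to trip on this family must avoid every substring above, while a sandbox SMTP sink should expect the worm's outbound mail to be addressed only to "clean" addresses.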
This worm first appeared on March 8, 2004.
Other names of the W32/Netsky.K worm:
This worm is also known as W32.Netsky.K@mm, W32/Netsky@MM, NetSky.K and W32/Netsky-K.