W32/Netsky.U Worm

 Information about the W32/Netsky.U worm:

W32/Netsky.U is a mass mailing worm. This worm is a variant of W32/Netsky.This worm infects Windows systems and spreads through email.

The infected email carries a spoofed 'From' address, picked up from the infected system.

The subject of the infected email will be any one of the following;

Hello
Hey
Hi
Again
It's me
Re: Hello
Reply
Re: Hi

The body of the email will be randomly selected by the combination of the following words;

Hi!
I will send your list to the police!!!!
Hello, here.
It's the truth, your document not!!!
Could I have more texts about you?
Thus is enough. Stop sending your s<variable string> documents!!!
One, two three, more, I have many questions to you document!
Nice, nice, more and more? do you?
Should I believe it? No, however, your story is bad.
Oh.....puh, your story is very strong!
Yours is very nice!
Do you have more of that?
Oh, I got it!
I do not accept documents from bad guys!
I do not want your document!
Go to hell an burn with your bad document!
Hey ya, nice document. Do you have more?
Abou you?
Sexy pic abou you?
Do you have a digicam to make your private photos?
More naked...your body is sexy!
Naked, you?
Are you naked?
More private photos of you? no!
Private photos...mmmhh. I like it. Post me more please!
Hey, naked one!
Hey, have you ever seen your photo?
Eat my s<variable string>! Your photo is bad.
Do not distribute your naked photos!
Uhaaa! naked... are you cranky?
Your are naked? Tell me more...please!
Hey, private or private..naked?
Pah!...take your private photo, naked and so, and go away.
I have sent your private photo to the police.
What is when I show your private illegal photo the police?
You? Very funny! More available?
Idon't want to see your photo!
S<variable string>... your photo! naked?
To less characters! Take it easy...
I noticed your password for administrative purpuses.
Yet another password! Need a better one?
Oh... your password!
Need a better password? my advice....
Your pwd is critical, too short, to low!
Do not use personal information for your password!
Your password on a website?
Passwordlist? yours?
I needed only 2 hours to get your password.
Change your password! I have stolen some text, excuse me!
Dictionary attacks are good. Your password not!
I used the brute-force method to get your password..
Take it easy... Your password is too short.
I 've got your password! take it easy...
Hey, easy passwords!
Oh! Excuse me, your password is too easy!!!
Not with me!
Here is a sample of your private documents I have stolen!
Your privacy! lol, youre not protected!
Needed? No, here I give it back!
I believe from the document you are a child!
Check your document, errors are there!
Please, please, Give me another sexy document about you!
Short and good, your document!
Jooooooooo.... document? Yours????? Wehaaa!

The infected email attachment will be a random string followed by a random number with .pif extension.

Upon execution of the infected attachment, the worm copies itself as SYMAV.EXE in the Windows folder. The worm also creates a file F<variable string>_YOU_BAGLE.TXT in the Windows folder.

The worm modifies registry at the following location to run itself at the startup;

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

To propagate itself, the worm scans the files having the following extensions and collects all the available email addresses from the infected system;

.pl, .rtf, .oft, .txt, .uin, .jsp, .tbb, .cgi, .sht, .vbs, .doc, .dbx, .asp, .adb, .php, .htm, .eml, .xml, .wab, .wsh, .msg, .html, .dhtm, .shtm

The worm mails itself to these addresses using its own SMTP engine.

The worm opens port 6789 to allow access to the infected system. It also attempts to perform a DOS attack on the following sites, if the system date is between April 14 and April 23;

www.emule.de
www.freemule.net
www.keygen.us
www.cracks.am
www.kazaa.com

This worm first appeared on April 7, 2004.

 Other names of W32/Netsky.U Worm:

This worm is also known as WORM_NETSKY.U, W32/Netsky.u@MM, Netsky.U, W32/Netsky-U