
Win32.Netsky.S@mm


First posted on 21 November 2011.
Source: BitDefender

Aliases :

Win32.Netsky.S@mm is also known as Win32/Netsky.S@mm (RAV).

Explanation :

The worm spreads via email and infects by executing the attachment.

It was written in C++, compiled using VC6, packed and encrypted.

When run, it first checks for a mutex named Protect_USUkUyUnUeUtU_Mutex to avoid reinfecting the system. It also creates a second mutex, SyncMutex_USUkUyUnUeUtU, which another running copy of the worm uses to keep the worm active if someone tries to remove it.

Then it copies itself to %SystemRoot%\EasyAV.exe and creates a file called uinmzertinmds.opm containing a base64-encoded copy of itself. This second file is used later when sending emails: it is appended to the email text as the attachment data.
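A check a mail gateway or forensic analyst could run for the staged base64 body described above, added here as an example (not BitDefender's code): it walks a mail text line by line, joins runs of base64-only lines, and reports any run that decodes to a DOS "MZ" image with a valid PE header. The PE stub and the mail text are constructed stand-ins, and the line-based layout is an assumption about how the blob is appended.

```python
import base64
import binascii
import re

# Constructed stand-in for the worm body: a minimal DOS/PE-shaped stub (not real
# malware), base64-encoded the way the worm stores itself in uinmzertinmds.opm.
FAKE_PE = b"MZ" + b"\x90" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20
FAKE_OPM = base64.b64encode(FAKE_PE).decode("ascii")

# Constructed mail text with the staged blob appended as attachment data,
# wrapped at 76 columns as a MIME base64 body would be.
SAMPLE_MAIL = (
    "Subject: hello\n\nplease read the document\n\n"
    + "\n".join(FAKE_OPM[i:i + 76] for i in range(0, len(FAKE_OPM), 76))
    + "\n"
)

B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decodes_to_pe(blob: str) -> bool:
    """True if a base64 string decodes to an 'MZ' image whose e_lfanew points at 'PE\\0\\0'."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(raw[0x3C:0x40], "little")
    return raw[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_executables(text: str, min_chars: int = 64) -> list[int]:
    """Return the 1-based line numbers at which a base64 run decoding to a PE image starts."""
    hits, run, start = [], [], None
    lines = text.splitlines() + [""]  # sentinel line flushes the final run
    for n, line in enumerate(lines, 1):
        s = line.strip()
        if s and B64_LINE.match(s):
            if start is None:
                start = n
            run.append(s)
            continue
        # Run ended: only bother decoding runs long enough to hold a DOS header.
        if run and sum(map(len, run)) >= min_chars and decodes_to_pe("".join(run)):
            hits.append(start)
        run, start = [], None
    return hits
```

Short words on their own line (which also match the base64 alphabet) are rejected by the length gate or by the MZ/PE check, so ordinary prose does not trigger a hit.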

Most of the strings used by the worm are encrypted using a translation table for A-Z and a-z characters.

It searches files of specific types on drives C: through Z:, skipping DVD/CD-ROM drives, for suitable email addresses, collecting at most 32485 (0x7ee5) addresses.

These email addresses are validated against several hard-coded servers using Mail eXchange (MX) look-ups. They must also not contain certain strings.

The subject and message body are either chosen at random or assembled from a very long hard-coded list of strings.

It also creates a thread that gives the worm backdoor capabilities by opening and listening on port 6789. When an attacker sends a file to this port, the worm saves it as Rand.exe and executes it, where Rand is a random number in the range 0-32767.

From April 7 2004 the worm resends emails to harvested addresses regardless of whether it has already been sent to them; between April 14 and 16 2004 the worm stops sending itself. After that it starts spreading again.

From April 14 to 23 2004 the worm creates a new thread that attempts DoS attacks on the following sites:
www.cracks.am
www.emule.de
www.freemule.net
www.kazaa.com
www.keygen.us

Last update 21 November 2011
