Aliases: WORM_NETSKY.AA, W32/[email protected], Win32.Netsky.AA, W32/Netsky-AA
Variants: [email protected]
Classification: Malware
Category: Computer Worm
Status: Dormant
Spreading: Fast
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 27 Apr 2004
Damage: Low
Characteristics: [email protected] is a variant of [email protected] that searches for email addresses on all local drives of the compromised computer except CD-ROM drives. The worm's executable is compressed with PECompact. It infects all Windows operating systems. Like many mass-mailer worms, it uses its own SMTP engine to send itself to every email address it finds. The worm spreads by email, harvesting addresses from files with the extensions .cfg, .mbx, .mdx, .htm, .html, .asp, .wab, .doc, .eml, .txt, .php, .vbs, .rtf, .uin, .shtm, .cgi, .dhtm, .ods, .stm, .xls, .adb, .tbb, .dbx, .mht, .mmf, .nch, .sht, .oft, .msg, .jsp, .wsh, .xml and .ppt.
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
Several subjects, message bodies and attachment names are used to send the infection. However, the attachment will always have a “.pif” extension. The email subjects usually consist of “Important”, “Document”, “Hello”, “Information” and “Hi”. The message body contains one of the following: Important details, Important notice, Important document, Important bill, Important data, Important, Important textfile, Important informations. These emails carry an attachment named Details.zip, Notice.zip, Important.zip, Bill.zip, Data.zip, Part-2.zip, Textfile.zip or Informations.zip. Like many other worms, it copies itself into Windows directory folders as “Jammer2nd.exe” and then creates a registry key so that it runs every time Windows starts. The files usually come in the form of “pk_zip_alg.log”, “pk_zip1.log”, “pk_zip2.log” and “pk_zip8.log”, which are all zipped. The worm also has the ability to terminate on certain sites such as “www.nibis.de”, “www.medinfo.ufl.edu” and “www.educa.ch”. This worm also displays a fake error box saying, “Out of system memory.”
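As an added example (not part of the original entry), the following Python sketch shows how a mail gateway or triage script could match a raw message against the subjects, bodies and attachment names listed above. The function names, the scoring rule and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage

# Indicators taken from the description above, lower-cased for comparison.
SUBJECTS = {"important", "document", "hello", "information", "hi"}
BODIES = {"important details", "important notice", "important document",
          "important bill", "important data", "important",
          "important textfile", "important informations"}
ATTACHMENTS = {"details.zip", "notice.zip", "important.zip", "bill.zip",
               "data.zip", "part-2.zip", "textfile.zip", "informations.zip"}

def score_message(raw: str) -> dict:
    """Return which of the listed indicators a raw RFC 5322 message matches."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    names, body = [], ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if fname:                                  # attachment part
            names.append(fname.strip().lower())
        elif part.get_content_type() == "text/plain" and not body:
            text = (part.get_payload(decode=True) or b"").decode("latin-1")
            body = text.strip().rstrip(".!").lower()
    hits = {
        "subject": subject in SUBJECTS,
        "body": body in BODIES,
        "attachment_name": any(n in ATTACHMENTS for n in names),
        "pif_attachment": any(n.endswith(".pif") for n in names),
    }
    # Assumed rule: a listed subject alone is too common to act on, so
    # require it together with a listed or .pif attachment.
    hits["suspicious"] = hits["subject"] and (
        hits["attachment_name"] or hits["pif_attachment"])
    return hits

def build_sample(subject, body, attachment=None):
    """Constructed test message; the attachment bytes are a harmless stub."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    print(score_message(build_sample("Important", "Important bill", "Bill.zip")))
    print(score_message(build_sample("Hello", "Lunch on Friday?")))
```

The check only inspects top-level attachment names; it does not open archives to look at the files inside them.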
Reports also claim that the program can independently download files from the Internet. These files may consist of malicious software that could further endanger the computer. Similar to most malware programs, the [email protected] program is usually installed without the consent and knowledge of the user. It uses weaknesses in the security system to make its way onto the user’s computer. Typically, the program enters the system through files downloaded and installed from unreliable sources such as questionable P2P networks, free applications and websites. When the [email protected] program is run, it makes changes to the system that allow a user to use the system itself for malicious purposes.