[email protected]

Aliases: WORM_NETSKY.AA, W32/[email protected], Win32.Netsky.AA, W32/Netsky-AA
Variants: [email protected]

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Fast
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 27 Apr 2004
Damage: Low

Characteristics: [email protected] is a variant of [email protected] that harvests email addresses from all non-CD-ROM drives of the compromised computer. The worm is compressed with PECompact and infects all Windows operating systems. Like many mass-mailing worms, it uses its own SMTP engine to send itself to every email address it finds. It collects addresses from files with the extensions .cfg, .mbx, .mdx, .htm, .html, .asp, .wab, .doc, .eml, .txt, .php, .vbs, .rtf, .uin, .shtm, .cgi, .dhtm, .ods, .stm, .xls, .adb, .tbb, .dbx, .mht, .mmf, .nch, .sht, .oft, .msg, .jsp, .wsh, .xml and .ppt.

More details about [email protected]

Several subjects, message bodies and attachment names are used to send the infection, but the executable attachment always carries a “.pif” extension. The subject is usually one of “Important”, “Document”, “Hello”, “Information” and “Hi”. The message body is one of the following: Important details, Important notice, Important document, Important bill, Important data, Important, Important textfile, Important informations. The attachments are named Details.zip, Notice.zip, Important.zip, Bill.zip, Data.zip, Part-2.zip, Textfile.zip and Informations.zip. Like many other worms, it copies itself into the Windows directory as “Jammer2nd.exe” and creates a registry key so that it runs every time Windows starts. It also drops the files pk_zip_alg.log, pk_zip1.log, pk_zip2.log and pk_zip8.log, which are all zipped. The worm also carries a routine aimed at certain sites, such as “www.nibis.de”, “www.medinfo.ufl.edu” and “www.educa.ch”. In addition, it displays a fake error box saying “Out of system memory.”
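The lure subjects, body phrases, attachment names and dropped files listed above are exactly the kind of indicators a mail gateway or host triage script can match on. The following is an added example, not code from the original page or from any antivirus vendor: it encodes those indicators as lookups, inspects a zip attachment for a .pif member without extracting it, and checks a Windows directory listing for the dropped file names. The sample messages, zip payloads and directory listing are constructed inline from placeholder bytes; nothing here is a real worm sample.

```python
"""Mail and host triage for the Netsky.AA indicators described on this page.

Added example: the lure set comes from the page's description; the sample
messages, zip payloads and directory listing below are constructed.
"""
import io
import zipfile

LURE_SUBJECTS = {"Important", "Document", "Hello", "Information", "Hi"}
LURE_BODIES = {
    "Important details", "Important notice", "Important document",
    "Important bill", "Important data", "Important", "Important textfile",
    "Important informations",
}
LURE_ATTACHMENTS = {
    "Details.zip", "Notice.zip", "Important.zip", "Bill.zip", "Data.zip",
    "Part-2.zip", "Textfile.zip", "Informations.zip",
}
# File names the page says the worm drops into the Windows directory.
DROPPED_FILES = {"jammer2nd.exe", "pk_zip_alg.log", "pk_zip1.log",
                 "pk_zip2.log", "pk_zip8.log"}


def zip_members(data: bytes) -> list[str]:
    """List archive member names without extracting; non-zip data yields []."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage_message(subject: str, body: str, attachment_name: str,
                   attachment: bytes) -> dict:
    """Score one message against the lure set; returns a verdict and reasons."""
    reasons = []
    if subject.strip() in LURE_SUBJECTS:
        reasons.append("subject in Netsky.AA lure list")
    if body.strip() in LURE_BODIES:
        reasons.append("body in Netsky.AA lure list")
    if attachment_name in LURE_ATTACHMENTS:
        reasons.append("attachment name in Netsky.AA lure list")
    pif_members = [m for m in zip_members(attachment) if m.lower().endswith(".pif")]
    if pif_members:
        reasons.append("zip attachment carries .pif: " + ", ".join(pif_members))

    # A .pif inside the zip together with any lure text matches the page's
    # description of the mailer; lure text alone only earns a second look.
    if pif_members and len(reasons) > 1:
        verdict = "quarantine"
    elif reasons:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


def host_indicators(windows_dir_listing: list[str]) -> list[str]:
    """Return the dropped-file names present in a Windows directory listing."""
    return sorted(name for name in windows_dir_listing
                  if name.lower() in DROPPED_FILES)


def make_zip(member: str, content: bytes) -> bytes:
    """Build a small in-memory zip; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()


# Constructed samples: one shaped like the lure, one ordinary message.
LURE_ZIP = make_zip("Details.pif", b"placeholder bytes, not a real payload")
BENIGN_ZIP = make_zip("report.txt", b"quarterly figures")
SAMPLE_LISTING = ["explorer.exe", "Jammer2nd.exe", "pk_zip1.log", "win.ini"]

if __name__ == "__main__":
    print(triage_message("Important", "Important details", "Details.zip", LURE_ZIP))
    print(triage_message("Lunch?", "Noon works for me", "report.zip", BENIGN_ZIP))
    print(host_indicators(SAMPLE_LISTING))
```

The verdict logic is deliberately conservative: a matching subject or body on its own is common in legitimate mail and is only flagged for review, while a .pif inside a zip combined with any lure text is treated as the worm's mailing pattern. The host check is a plain name lookup, so it should be combined with a hash or vendor signature before anything is deleted.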

Reports also claim that the worm can download files from the Internet on its own; these files are often further malicious software that endangers the computer. Like most malware, [email protected] is installed without the user’s consent or knowledge. It exploits weaknesses in the system’s security to reach the user’s computer; typical entry points are files downloaded and installed from unreliable sources such as questionable P2P networks, free applications and websites. Once run, [email protected] makes changes to the system that allow it to be used for malicious purposes.