W32.Netsky.B mass-mailing worm that is hitting hard accross the web (2/20/2004).
This question was answered on February 19, 2004. Much of the information contained herein may have changed since posting.
W32.Netsky.B is a level 4 mass-mailing worm that is working its way accross the Net The worm uses its own SMTP engine to send itself to email addresses it finds when scanning the hard drives & mapped drives This tricky worm searches drives C tru Z for any folder names that contain the word "Share" or "Sharing" so it may then copy itself to them The email message has the following characteristics: From: (It is spoofed) DO NOT BLAME THE SENDER, AS THEY ARE AN INNOCENT PARTY TO THE WORM! Subject: (One of the following) hi hello read it immediately something for you warning information stolen fake unknown Message: (One of the following) anything ok? what does it mean? ok i'm waiting read the details here is the document read it immediately! my hero here is that true? is that your name? is that your account? i wait for a reply! is that from you? you are a bad writer I have your password! something about you! kill the writer of this document! i hope it is not true! your name is wrong i found this document about you yes, really? that is bad here it is see you greetings stuff about you? something is going wrong! information about you about me from the chatter here, the serials here, the introduction here, the cheats that's funny do you? reply take it easy why? thats wrong misc you earn money you feel the same you try to steal you are bad something is going wrong something is fool Attachment: W32.Netsky.B@mm will create a .zip file as the attachment 51.5% of the time, which randomly chooses one of the Attachment Names below The archive contains an executable copy of the worm, which also randomly chooses one of the Attachment Names below The rest of the time the worm will use a copy of itself as the attachment, and randomly choose one of the Attachment Names below Attachment Name: (One of the following) document msg doc talk message creditcard details attachment me stuff posting textfile concert information note bill swimmingpool product topseller ps shower aboutyou nomoney found story mails website friend jokes location final release dinner ranking object mail2 part2 disco party misc Extensions: If the attachment is an executable file, the worm will create a double extension 53.8% of the time If the attachment is a .zip file, then the executable within the .zip will have a double extension 33% of the time The first, variable extension in these cases will be one of the following: .txt .rtf .doc .htm All executables will end with one of the following extensions: .exe .scr .com .pif This worm is designed to attack Windows 2k, 95, 98, Me, and XP but does not affect Linux, Macintosh, UNIX, and Windows 3.x based systems Get complete instructions on protection and removal from Symantec at: http://www.symantec.com/security_response/writeup.jsp?docid=2004-021812-2454-99
Note: W32.Netsky.B@mm may spread through file-sharing networks, Instant Messaging clients, or Windows shared folders.
About the author
Posted by Michal of Data Doctors on February 19, 2004