Description
Win32.HLLM.Netsky.22016 [Netsky.Z] is a mass-mailing worm which affects computers running under the Windows 95/98/Me/NT/2000/XP operating systems. The size of the worm's program module is 22,016 bytes.
The worm propagates via e-mail using its own SMTP engine. It opens a backdoor on the victimized computer, which compromises the system and allows a remote intruder to download and execute an executable file.
From May 2 to 5 the worm will perform DoS-attacks against the www.nibis.de, www.medinfo.ufl.edu and www.educa.ch web-sites.
Launching
To secure its automatic execution at every Windows startup the worm adds the value
"Jammer2nd" = "%WINDIR%\Jammer2nd.exe"
to the registry entry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Spreading
In search of e-mail addresses the worm scans all drives of the infected machine. Files with the following extensions are examined:
.adb .asp .cfg .cgi .dbx .dhtm .doc .eml .htm .html .jsp .msg .oft .php .pl .rtf .sht .shtm .tbb .txt .uin .vbs .wab .wsh .xls .xml
It determines the addresses of SMTP servers by DNS lookups on the domain names gathered from the infected computer. If it fails to determine an address, it uses the addresses kept inside its body:
145.253.2.171 151.189.13.35 193.193.158.10 193.193.144.12 193.189.244.205 193.141.40.42 194.25.2.129 194.25.2.130 194.25.2.131 194.25.2.132 194.25.2.133 194.25.2.134 195.185.185.195 195.20.224.234 212.185.252.136 212.7.128.162 212.7.128.165 212.185.253.70 212.185.252.73 212.44.160.8 213.191.74.19 217.5.97.137
A mail message infected with the worm may look as follows.
The sender’s name and address are substituted by the worm using addresses retrieved from the local machine.
The subject of the message is chosen from the following list:
Document Hello Hi Important Important bill! Important data Important details! Important document! Important informations! Important notice! Important textfile! Important! Information
Attachment:
Bill.zip Data.zip Details.zip Important.zip Informations.zip Notice.zip Part-2.zip Textfile.zip
Inside the archive resides a file with the same name. For example, if the received archive is called Data, the file inside the archive will also be called Data, but this file will have a double extension, the first being .txt and the second .exe, with numerous blank spaces between them. For instance: Data.txt (multiple spaces) .exe.
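The padded double extension described above is a reliable thing to check for at a mail gateway. The following is an added example, not code from the advisory or from Dr.Web: it opens a ZIP attachment in memory and flags any member whose name matches the "<name>.txt <spaces> .exe" pattern with the same base name as the archive. The function and variable names are my own assumptions; the sample archive is constructed inline with a harmless placeholder.

```python
import io
import re
import zipfile

# Archive names quoted in the advisory.
NETSKY_Z_ARCHIVES = {
    "Bill.zip", "Data.zip", "Details.zip", "Important.zip",
    "Informations.zip", "Notice.zip", "Part-2.zip", "Textfile.zip",
}

# "<base>.txt<one or more blanks>.exe": the double extension the worm uses
# so that the trailing ".exe" scrolls out of view in mail clients.
DOUBLE_EXT_RE = re.compile(r"^(?P<base>[^.]+)\.txt\s+\.exe$", re.IGNORECASE)


def suspicious_member(archive_name: str, member_name: str) -> bool:
    """True if a member uses the padded .txt ... .exe double extension and
    its base name matches the archive's base name (the Netsky.Z layout)."""
    m = DOUBLE_EXT_RE.match(member_name)
    if not m:
        return False
    archive_base = archive_name.rsplit(".", 1)[0]
    return m.group("base").lower() == archive_base.lower()


def scan_zip_bytes(archive_name: str, data: bytes) -> list[str]:
    """Return the names of all members of the ZIP that match the pattern.
    A bad or non-ZIP attachment is reported as an empty list, not a crash."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist()
                    if suspicious_member(archive_name, i.filename)]
    except zipfile.BadZipFile:
        return []


def build_sample_zip(member_name: str) -> bytes:
    """Constructed sample for testing: a ZIP holding a placeholder text,
    not the worm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder, not malware")
    return buf.getvalue()


if __name__ == "__main__":
    name = "Data.zip"
    sample = build_sample_zip("Data.txt" + " " * 40 + ".exe")
    print(name in NETSKY_Z_ARCHIVES, scan_zip_bytes(name, sample))
```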
Action
When activated, the worm creates a mutex called " (S)(k)(y)(N)(e)(t) " to avoid running multiple instances of itself at the same time. It drops a copy of itself named Jammer2nd.exe into the Windows folder (in Windows 9x/ME/XP it is C:\Windows, in Windows NT/2000 it is C:\WINNT).
In the same folder the worm creates several more files:
- PK_ZIP*.LOG – MIME-encoded copy of the worm. * corresponds to a digit from 1 to 8
- PK_ZIP_ALG.LOG – a WinZip-formatted copy of the worm
From May 2 to 5 the worm will perform DoS-attacks against the following web-sites:
www.nibis.de
www.medinfo.ufl.edu
www.educa.ch