Name: I-WORM.Netsky.D
AKA:
Type: Internet Worm
Size: 17424 bytes
Platforms: Win 95/98/ME/NT/2000/XP
Description:
This worm arrives as an infected email attachment.
The sender address is not the real one: the worm creates each email with a sender taken from a random contact of the infected user.
The message has one of the following subjects:
Re: Your website
Re: Your product
Re: Your letter
Re: Your archive
Re: Your text
Re: Your bill
Re: Your details
Re: My details
Re: Word file
Re: Excel file
Re: Details
Re: Approved
Re: Your software
Re: Your music
Re: Here
Re: Re: Re: Your document
Re: Hello
Re: Hi
Re: Re: Message
Re: Your picture
Re: Here is the document
Re: Your document
Re: Thanks!
Re: Re: Thanks!
Re: Re: Document
Re: Document
The message body is one of the following:
Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.
The worm could attach one of these infected files:
your_website.pif
your_product.pif
your_letter.pif
your_archive.pif
your_text.pif
your_bill.pif
your_details.pif
document_word.pif
document_excel.pif
my_details.pif
all_document.pif
application.pif
mp3music.pif
yours.pif
document_4351.pif
your_file.pif
message_details.pif
your_picture.pif
document_full.pif
message_part2.pif
document.pif
your_document.pif
If executed, the worm creates a file named WINLOGON.EXE inside the Windows folder
and edits the registry so that the file is executed at Windows startup.
The Netsky worm retrieves email addresses from files with these extensions: .msg .oft .sht .dbx .tbb .adb .doc .wab .asp .uin .rtf .vbs .html .htm .pl .php .txt .eml
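A mail-gateway check built from the subjects, bodies and attachment names listed above, as an added example that is not TG Soft's code. The function names, the quarantine rule and the sample messages are assumptions made for illustration, and the subject match ignores how many "Re:" prefixes are present, which is slightly broader than the list.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.message import EmailMessage

# Indicators copied from this entry; subjects without "Re:" prefixes, filenames without ".pif".
SUBJECTS = set(("your website|your product|your letter|your archive|your text|"
                "your bill|your details|my details|word file|excel file|details|"
                "approved|your software|your music|here|your document|hello|hi|"
                "message|your picture|here is the document|thanks!|document").split("|"))
BODIES = {"Your file is attached.", "Please read the attached file.",
          "Please have a look at the attached file.", "See the attached file for details.",
          "Here is the file.", "Your document is attached."}
ATTACHMENTS = set(("your_website your_product your_letter your_archive your_text your_bill "
                   "your_details document_word document_excel my_details all_document application "
                   "mp3music yours document_4351 your_file message_details your_picture "
                   "document_full message_part2 document your_document").split())

def netsky_traits(raw):
    """Return the set of traits from this entry found in one raw RFC 822 message."""
    msg, hits = message_from_string(raw), set()
    subject = str(make_header(decode_header(msg.get("Subject", "")))).strip()
    stem = re.sub(r"^(re:\s*)+", "", subject, flags=re.I).lower()
    if stem != subject.lower() and stem in SUBJECTS:  # at least one "Re:" was stripped
        hits.add("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".pif"):
            hits.add("pif-attachment")
            if name[:-4] in ATTACHMENTS:
                hits.add("listed-filename")
        elif not name and part.get_content_type() == "text/plain":
            text = (part.get_payload(decode=True) or b"").decode("latin-1").strip()
            if text in BODIES:
                hits.add("body")
    return hits

def is_suspect(raw):
    """Quarantine rule (assumption): a .pif attachment plus any other matching trait."""
    hits = netsky_traits(raw)
    return "pif-attachment" in hits and len(hits) > 1

def sample(subject, body, filename):  # constructed test message, placeholder attachment bytes
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()
```

The sender address is deliberately not checked, since the worm takes it from the victim's contacts and it will look familiar to the recipient.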
Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
When information from C.R.A.M. by TG Soft www.tgsoft.it is used in summary articles, the following acknowledgment/thanks will be appreciated: “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”