Type: Internet Worm
Size: 17424 byte
Platforms: Win 95/98/ME/NT/2000/XP
This worm comes from an infected email attachment.
The email sender is not the real one, the worm will create an email with the sender taken from a random contact of the infected user.
The message has the following Subjects:
Re: Your website
Re: Your product
Re: Your letter
Re: Your archive
Re: Your text
Re: Your bill
Re: Your details
Re: My details
Re: Word file
Re: Excel file
Re: Your software
Re: Your music
Re: Re: Re: Your document
Re: Re: Message
Re: Your picture
Re: Here is the document
Re: Your document
Re: Re: Thanks!
Re: Re: Document
With the following message bodies:
Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.
The worm could attach one of these infected files:
If executed, the worm creates a file named WINLOGON.EXE inside WINDOWS' folder
and will edit the registry to execute that file at windows' startup.
Netsky worm will retrieve email addresses from these kind of files: .msg .oft .sht
.dbx .tbb .adb .doc .wab .asp .uin .rtf
.vbs .html .htm .pl .php .txt .eml
Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”