-- Update 22nd July, 2004 --
The risk assessment was lowered to Medium due to a decrease in prevalence.
This is a mass-mailing worm with the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- harvests email addresses from the victim machine
- the From: address of messages is spoofed
- attachment can be a password-protected zip file, with the password included in the message body.
- contains a remote access component (notification is sent to hacker)
- copies itself to folders that have the phrase shar in the name (such as the shared folders of common peer-to-peer applications: KaZaa, Bearshare, Limewire, etc.)
- uses various mutex names selected from those used by W32/Netsky variants, in order to prevent those W32/Netsky variants from running on infected machines
- terminates processes of security programs and other worms
- deletes registry entries of security programs and other worms
From: (address is spoofed)
Attachment names are chosen from the following list:
The worm will use a different set of lists to choose subject and body text from, depending on whether the attachment is sent as a password-protected ZIP file.
The details for attachments that are not password-protected ZIP files (.EXE, .SCR, .COM, .ZIP, .CPL) are as follows:
- Re: Msg reply
- Re: Hello
- Re: Yahoo!
- Re: Thank you!
- Re: Thanks :)
- RE: Text message
- Re: Document
- Incoming message
- Re: Incoming Message
- RE: Incoming Msg
- RE: Message Notify
- Fax Message
- Protected message
- RE: Protected message
- Forum notify
- Site changes
- Re: Hi
- Encrypted document
- Read the attach.
- Your file is attached.
- More info is in attach
- See attach.
- Please, have a look at the attached file.
- Your document is attached.
- Please, read the document.
- Attach tells everything.
- Attached file tells everything.
- Check attached file for details.
- Check attached file.
- Pay attention at the attach.
- See the attached file for details.
- Message is in attach
- Here is the file.
Details for password-protected ZIP files are as follows:
- Pass -
- Password -
- For security reasons attached file is password protected. The password is [password shown as an image]
- For security purposes the attached file is password protected. Password -- [password shown as an image]
- Note: Use password [password shown as an image] to open archive.
- Attached file is protected with the password for security reasons. Password is [password shown as an image]
- In order to read the attach you have to use the following password: [password shown as an image]
- Archive password: [password shown as an image]
- Password - [password shown as an image]
Password-protected ZIP files may also contain a second, randomly-named file with one of the following extensions:
These files contain only random garbage characters.
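As an added example that is not part of the original description, the following Python script triages mail against the mail-side indicators listed above: the subject lines, a password phrase in the body next to a ZIP attachment, and the executable attachment extensions. The sample messages, addresses and attachment bytes are constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicator strings taken from the worm description above.
SUBJECTS = {
    "Re: Msg reply", "Re: Hello", "Re: Yahoo!", "Re: Thank you!", "Re: Thanks :)",
    "RE: Text message", "Re: Document", "Incoming message", "Re: Incoming Message",
    "RE: Incoming Msg", "RE: Message Notify", "Fax Message", "Protected message",
    "RE: Protected message", "Forum notify", "Site changes", "Re: Hi",
    "Encrypted document", "Pass -", "Password -",
}
# Lower-cased fragments of the body texts used with password-protected ZIPs.
ZIP_PHRASES = ("attached file is password protected", "use password",
               "protected with the password", "following password",
               "archive password", "password -")
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".cpl")

def triage(raw):
    """Score one RFC 822 message against the indicators; returns (score, reasons)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    if str(msg["subject"] or "").strip() in SUBJECTS:
        reasons.append("subject matches worm list")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    if any(n.endswith(".zip") for n in names) and any(ph in body for ph in ZIP_PHRASES):
        reasons.append("zip attachment with its password given in the body")
    if any(n.endswith(EXECUTABLE_EXT) for n in names):
        reasons.append("executable attachment")
    return len(reasons), reasons

def build_sample(subject, body, filename, payload):
    """Construct a test message (addresses and attachment bytes are made up)."""
    m = EmailMessage()
    m["From"] = "spoofed@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_string()

# Constructed samples: two that mimic the worm's lures and one benign message.
WORM_LIKE = build_sample("Re: Thank you!", "Archive password: 31337", "document.zip", b"PK\x03\x04junk")
EXE_LURE = build_sample("Re: Hi", "Read the attach.", "details.scr", b"MZjunk")
BENIGN = build_sample("Quarterly figures", "Slides attached as discussed.", "q2.pdf", b"%PDF-1.4 junk")
```

A gateway rule built this way should treat a score of 2 or more as quarantine-worthy, since the password-in-body pattern exists precisely to defeat gateway scanners that cannot open the archive.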
The virus copies itself into the Windows System directory as sysxp.exe. For example:
It also creates other files in this directory to perform its functions:
The following Registry key is added to hook system startup:
CurrentVersion\Run "key" = "C:\WINNT\SYSTEM32\sysxp.exe"
A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:
The worm opens port 1080 (TCP) on the victim machine and random UDP ports.