W32/Netsky.C spreading in the wild


On 25th and 26th February 2004, MessageLabs, the leading provider of managed email security services to businesses, intercepted a number of copies of a new variant of the Netsky worm - W32/Netsky.C-mm. The first intercepted copy originated from the United Kingdom.

Name: W32/Netsky.C-mm
Number of copies intercepted so far: 10,442
Time & Date first Captured: 25th February, 02.51 GMT
Origin of first intercepted copy: UK


W32/Netsky.C-mm spreads via email and mapped drives. It propagates via addresses found on an infected machine and by copying itself to folders on drives C: to Z:. The worm also attempts to deactivate copies of MyDoom.A and MyDoom.B if found on a victim’s machine.

The worm copies itself to directories containing the string ‘shar’ on the local system and on mapped network drives. The worm will then spread via KaZaa, Bearshare, Limewire, and other P2P applications that use shared folder names containing the words share or sharing.

The mailing component harvests addresses from the local system. Files with the following extensions are targeted:

· .adb
· .asp
· .cgi
· .dbx
· .dhtm
· .doc
· .eml
· .htm
· .oft
· .php
· .pl
· .rtf
· .sht
· .shtm
· .msg
· .tbb
· .txt
· .uin
· .vbs
· .wab

It does not send itself to addresses that contain one of the following strings:

· abuse
· fbi
· orton
· f-pro
· aspersky
· cafee
· orman
· itdefender
· f-secur
· avp
· spam
· ymantec
· antivi
· icrosoft

Email characteristics

From: Random email address from infected systems.

Subject line: The subject line/body of the email is selected randomly from an extensive list of possible phrases.

Attached file:

The attachment is either a .exe file, or a zip file containing the worm. It may have either a single or double file extension.
The first extension could be one of the following:

· .doc
· .htm
· .rtf
· .text

The last extension will be one of the following:

· .com
· .exe
· .pif
· .scr

Size: 25,352 bytes
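An added example, not part of the original post or of MessageLabs' tooling: a mail-gateway style check that flags attachments whose names match the extension lists above, looking inside zip attachments as well. The function names, the sample addresses and the reading of 25,352 bytes as the size of the bare executable are assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

FIRST_EXT = {"doc", "htm", "rtf", "text"}   # first extensions listed in the advisory
LAST_EXT = {"com", "exe", "pif", "scr"}     # last extensions listed in the advisory
WORM_SIZE = 25352  # assumption: the advisory's size is the bare executable


def match_name(filename):
    """Return 'double-ext', 'exec-ext' or None for one file name."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in LAST_EXT:
        return None
    if len(parts) >= 3 and parts[-2] in FIRST_EXT:
        return "double-ext"
    return "exec-ext"


def scan_message(raw):
    """List (attachment, member, verdict, size_matches) for suspicious files."""
    hits = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        members = [(name, len(data))]
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    members = [(i.filename, i.file_size) for i in zf.infolist()]
            except zipfile.BadZipFile:
                hits.append((name, name, "bad-zip", False))
                continue
        for member, size in members:
            verdict = match_name(member)
            if verdict:
                hits.append((name, member, verdict, size == WORM_SIZE))
    return hits


def build_sample(filename, payload):
    """Constructed test message; the payload is filler bytes, not malware."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "hi"
    msg.set_content("see attachment")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

The size flag is only a hint on top of the name match; a name match alone is enough reason to quarantine the attachment.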

W32/Netsky.C spreading in the wild

Your warning was dated 26th Feb 2004, yet as of 2nd March 2004 Force9 is still letting these through the virus checker. :evil:

W32/Netsky.C spreading in the wild

Maybe because Ivan's warning was that the virus was "spreading in the wild".

What you seem to be saying is it's now reached the towns and cities. ;)