10/26/04 - W32/Netsky.ag@MM spreads via e-mail. It follows the routine below:
This variant of W32/Netsky is very similar to previous variants. It bears the following characteristics:
constructs messages using its own SMTP engine
harvests email addresses from the victim machine
spoofs the From: address of messages
System Changes
When run, the worm displays a message box reading "File corrupted replace this!".
The worm installs itself on the victim machine as MsnMsgrs.exe in the Windows directory:
%WinDir%\MsnMsgrs.exe
The following Registry key is added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "MsnMsgr" = %WinDir%\MsnMsgrs.exe -alev
It also copies itself into the Windows directory under the following file names:
Agradou.zip
agua!.zip
AIDS!.zip
aqui.zip
banco!.zip
bingos!.zip
botao.zip
brasil!.zip
carros!.zip
circular.zip
contas!!.zip
criancas!.zip
diga.zip
dinheiro!!.zip
docs.zip
email.zip
festa!!.zip
flipe.zip
grana!!.zip
grana.zip
imposto.zip
impressao!!.zip
jogo!.zip
lantrocidade.zip
LINUSTOR.zip
loterias.zip
lulao!.zip
massas!.zip
missao.zip
MsnMsgrs.exe
revista.zip
robos!.zip
sampa!!.zip
sorteado!!.zip
tetas.zip
vaca.zip
vadias!.zip
vips!.zip
Voce.zip
war3!.zip
Zerado.zip
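The following host check is an added example, not code from the advisory or from McAfee. It turns the two indicators above (the Run value and the dropped file names) into a script: the check_*() functions take already-collected data, so they can be run offline against an exported registry key or a saved directory listing, while collect_run_values() and main() read a live Windows host and are assumed to be run from an administrative prompt. Value names and file names are compared case-insensitively because the Windows registry and file system are.

```python
"""Host check for the W32/Netsky.ag@MM indicators listed above.

Added example; not part of the advisory. The indicators (Run value and
dropped file names) are copied from the text above.
"""
import os
import sys
from typing import Dict, Iterable, List

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "msnmsgr"               # value name, compared case-insensitively
RUN_VALUE_TAIL = r"\msnmsgrs.exe -alev"  # command line after %WinDir%, lower-cased

# File names the worm writes into %WinDir% (from the list above), lower-cased
# because Windows file names are case-insensitive.
DROPPED_FILES = {
    "agradou.zip", "agua!.zip", "aids!.zip", "aqui.zip", "banco!.zip",
    "bingos!.zip", "botao.zip", "brasil!.zip", "carros!.zip", "circular.zip",
    "contas!!.zip", "criancas!.zip", "diga.zip", "dinheiro!!.zip", "docs.zip",
    "email.zip", "festa!!.zip", "flipe.zip", "grana!!.zip", "grana.zip",
    "imposto.zip", "impressao!!.zip", "jogo!.zip", "lantrocidade.zip",
    "linustor.zip", "loterias.zip", "lulao!.zip", "massas!.zip", "missao.zip",
    "msnmsgrs.exe", "revista.zip", "robos!.zip", "sampa!!.zip", "sorteado!!.zip",
    "tetas.zip", "vaca.zip", "vadias!.zip", "vips!.zip", "voce.zip", "war3!.zip",
    "zerado.zip",
}


def check_run_key(values: Dict[str, str]) -> List[str]:
    """Return 'name = data' for Run values that match the worm's startup hook.

    Matches on either the value name or the command line, so a sample that
    was renamed on one side is still reported.
    """
    hits = []
    for name, data in values.items():
        if name.lower() == RUN_VALUE_NAME or data.strip().lower().endswith(RUN_VALUE_TAIL):
            hits.append(f"{name} = {data}")
    return hits


def find_dropped_files(names: Iterable[str]) -> List[str]:
    """Return the entries of a %WinDir% listing whose names the worm drops."""
    return [n for n in names if n.lower() in DROPPED_FILES]


def collect_run_values() -> Dict[str, str]:
    """Enumerate the HKLM Run key on a live Windows host (needs the winreg module)."""
    import winreg  # present only in Windows builds of Python
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once there are no more values
                break
            values[name] = str(data)
            index += 1
    return values


def main() -> int:
    if sys.platform != "win32":
        print("live collection runs on Windows only; feed exported data to check_run_key()/find_dropped_files()")
        return 2
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    findings = check_run_key(collect_run_values())
    findings += [os.path.join(windir, f) for f in find_dropped_files(os.listdir(windir))]
    for finding in findings:
        print("INDICATOR:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

A hit on the Run value alone is enough to treat the machine as infected; the dropped .zip files may already have been cleaned up by mail scanners, so their absence proves nothing.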
Mail Propagation
Email addresses are harvested from the victim machine. Files with the following extensions are searched:
.adb
.asp
.dbx
.doc
.eml
.htm
.html
.php
.pl
.rtf
.uin
.vbs
.wab
.oft
.sht
.tbb
.txt
More info on this worm:
http://vil.nai.com/vil/content/v_128905.htm
Removal Instructions
Go to the following website for removal instructions:
http://vil.nai.com/vil/content/v_128905.htm
Download Stinger to scan for infection:
http://vil.nai.com/vil/stinger