04/26/04 - W32/Netsky.z@MM
This detection is for a new variant of W32/Netsky. It bears the following characteristics:
harvests email addresses from the victim machine
contains its own SMTP engine to construct outgoing messages
attaches itself within a ZIP archive to emails
spoofs the From: address
delivers a denial of service payload to certain web sites upon a date condition
Mail Propagation
The virus harvests email addresses from files on the victim machine with the following extensions:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.oft
.php
.ods
.pl
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xls
.xml
Messages are constructed using the virus' own SMTP engine. They bear the following characteristics:
From: spoofed (using harvested email addresses)
Subject: selected from one of the following:
Document
Hello
Hi
Important
Important bill!
Important data!
Important details!
Important document!
Important informations!
Important notice!
Important textfile!
Important!
Information
Attachment: ZIP archive with one of the following filenames:
Bill.zip
Data.zip
Details.zip
Important.zip
Informations.zip
Notice.zip
Part-2.zip
Textfile.zip
The ZIP archive contains the worm. It is not password protected. The filename of the worm within the ZIP is chosen to match the subject and ZIP name:
Bill.txt (many spaces) .exe
Data.txt (many spaces) .exe
Details.txt (many spaces) .exe
Important.txt (many spaces) .exe
Informations.txt (many spaces) .exe
Notice.txt (many spaces) .exe
Part-2.txt (many spaces) .exe
Textfile.txt (many spaces) .exe
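The two indicator sets above (the fixed subject/ZIP-name lists and the space-padded "name.txt ... .exe" member inside an unprotected ZIP) are simple enough to check at the mail gateway. The following is an added example, not part of the original advisory or of any vendor tool: it parses a message, looks for the listed subjects and attachment names, opens any ZIP attachment in memory and flags member names with a harmless-looking extension, a run of spaces, and then an executable extension. The benign/executable extension sets in the regular expression are my own choice, and the sample message it builds is constructed inline with inert filler in place of the worm.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subjects and ZIP attachment names listed in the advisory above.
NETSKY_Z_SUBJECTS = {
    "Document", "Hello", "Hi", "Important", "Important bill!",
    "Important data!", "Important details!", "Important document!",
    "Important informations!", "Important notice!", "Important textfile!",
    "Important!", "Information",
}
NETSKY_Z_ZIP_NAMES = {
    "Bill.zip", "Data.zip", "Details.zip", "Important.zip",
    "Informations.zip", "Notice.zip", "Part-2.zip", "Textfile.zip",
}

# A harmless-looking extension, one or more spaces, then an executable
# extension at the end of the member name. The extension sets are an
# assumption of this example, not taken from the advisory.
PADDED_EXE_RE = re.compile(
    r"\.(?:txt|doc|htm|html|rtf)[ ]+\.(?:exe|scr|pif|com|bat|cmd)$",
    re.IGNORECASE,
)


def padded_exe_entries(zip_bytes: bytes) -> list[str]:
    """Return archive member names that use the space-padded double extension."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if PADDED_EXE_RE.search(n)]
    except zipfile.BadZipFile:
        # Not a readable ZIP (corrupt or password-protected central directory
        # still parses; encrypted members are listed but not extracted here).
        return []


def inspect_message(raw: bytes) -> dict:
    """Score one raw RFC 822 message against the indicators in the advisory."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {
        "subject_match": (msg["Subject"] or "").strip() in NETSKY_Z_SUBJECTS,
        "zip_name_match": False,
        "padded_entries": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name in NETSKY_Z_ZIP_NAMES:
            report["zip_name_match"] = True
        if name.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            report["padded_entries"] += padded_exe_entries(payload)
    # All three indicators together give a high-confidence hit; any one of
    # them alone is worth logging but is too weak to block on by itself.
    report["matches"] = (
        report["subject_match"]
        and report["zip_name_match"]
        and bool(report["padded_entries"])
    )
    return report


def build_sample_message() -> bytes:
    """Constructed sample: an unprotected ZIP whose member is 'Bill.txt<spaces>.exe'.

    The member content is inert filler, not the worm.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Bill.txt" + " " * 60 + ".exe", b"inert filler, not an executable")
    msg = EmailMessage()
    msg["From"] = "harvested@example.invalid"   # constructed, mirrors the spoofed From:
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Important bill!"
    msg.set_content("Please read the attached document.")
    msg.add_attachment(
        buf.getvalue(), maintype="application", subtype="zip", filename="Bill.zip"
    )
    return msg.as_bytes()


if __name__ == "__main__":
    print(inspect_message(build_sample_message()))
```

Because the archive is not password protected, the gateway can list member names without any extraction of content; the check never needs to execute or even fully decompress the member, which keeps it safe to run on untrusted mail.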
More info on this worm:
http://vil.nai.com/vil/content/v_121076.htm
Removal Instructions
Go to the following website for removal instructions:
http://vil.nai.com/vil/content/v_121076.htm
Download Stinger to scan for infection:
http://vil.nai.com/vil/stinger