|Internet Worm Summary
Internet Worm Name Risk Assessment
W32/Netsky.s@MM Corporate User : Medium
Home User : Medium
Internet Worm Information
Discovery Date: 04/05/2004
Length: 18,432 bytes (UPX packed)
Type: Internet Worm
SubType: E-mail worm
Minimum DAT: 4348 (04/06/2004)
Updated DAT: 4354 (04/28/2004)
Minimum Engine: 4.2.40
Description Added: 04/05/2004
Description Updated: 04/07/2004 1:31 PM (PT)
Internet Worm Characteristics
-- Update April 6th, 2004 --
Due to increased prevalence, this threat has had its risk assessment raised to Medium.
If you think that you may be infected with Netsky.s, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).
Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.
-- Update April 05, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
This variant of W32/Netsky@MM bears similarities to the previous members of this family. The worm bears the following characteristics:
constructs messages using its own SMTP engine
harvests email addresses from the victim machine
spoofs the From: address of messages
opens a port on the victim machine (TCP 6789)
delivers a DoS attack on certain web sites upon a specific date condition
Email addresses are harvested from the victim machine. Files with the following extensions are searched:
Constructed messages bear the following characteristics:
From: this is spoofed (using harvested email addresses)
Subject: various subject lines may be used, for example:
Re: My details
Re: Your information
Re: Your details
Re: Your document
Re: Thanks you!
Body: various message bodies may be constructed using a pool of strings within the worm:
Attachment: The attachment has a .PIF extension. The filename is constructed from one of the following strings, with a random number appended to it:
Denial of Service
If the local system date is between April 14th and April 23rd when the worm starts up, it targets the following remote servers in a denial of service attack:
The worm installs itself on the victim machine as EASYAV.EXE in the Windows directory. For example:
The following Registry key is added to hook system startup:
\Run "EasyAV" = %WinDir%\EASYAV.EXE
A base-64 encoded copy of the worm is saved to disk as UINMZERTINMDS.OPM in the Windows directory:
Remote Access Component
The worm opens port 6789 (TCP) on the victim machine. This facilitates the downloading and execution of files.
Outgoing DNS query to one of the following DNS servers (IP list carried within the worm):
Existence of the files/Registry keys detailed above
TCP port 6789 open on the victim machine
Method Of Infection
This worm spreads by email, constructing messages using its own SMTP engine.
The current engine/DAT files are requried for detection and removal.
Additional Windows ME/XP removal considerations
Stinger has been updated to assist in detecting and repairing this threat.
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
Delete the following files from the infected machine:
Edit the registry
Remove the following Registry key which the worm adds to hook system startup:
"EasyAV" = %WinDir%\EASYAV.EXE
Reboot the system into default mode
Detection of the W32/Netsky.s@MM virus is available in the generic Netsky detection module.
ThreatScan signatures that can detect the W32/Netsky.s@MM virus are available from:
Threatscan 2.5 - ftp.nai.com/pub/security/tsc25/updates/winnt ftp.nai.com/pub/security/tsc25/updates/winnt ftp.nai.com/pub/security/tsc25/updates/winnt
Threatscan 2.0/2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt
ThreatScan Signature version: 2004-04-06
ThreatScan users can detect the virus by running a ThreatScan task using the following settings:
Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
Select the "Other" category and "Scan All Vulnerabilities" template.
For additional information:
Run the "ThreatScan Template Report"
Look for module number #4066
Name Type Sub Type Differences
no known variants