W32.Netsky.B@mm Last Updated 2/18/04 12:48pM

CIT has been notified of a new variant of the W32.Netsky.a@mm email virus called W32.Netsky.B@mm. This is a mass-mailing worm that also spreads via mapped network drives C through Z searching for folder names containing the word "Share" or "Sharing" used by P2P applications such as KaZaa. The email component searches for email addresses in files with the extentions .msg, .oft, .sht, .dbx, .tbb, .adb,.doc, .wab, .asp, .uin, .rtf, .vbs, .html, .htm, .pl, .php, .txt and .eml files. By using its own SMTP engine the worm sends copies of itself to all found contacts.

In email form, W32.Netsky.B@mm appears as follows:

From:(address is spoofed)

Subject:(one of the following)

• hi
• hello
• read it immediately
• something for you
• warning
• information
• stolen
• fake
• unknown

• anything ok?
• what does it mean?
• ok
• i'm waiting
• read the details
• here is the document
• read it immediately!
• my hero
• here
• is that true?
• is that your name?
• is that your account?
• i wait for a reply!
• is that from you?
• you are a bad writer
• I have your password!
• something about you!
• kill the writer of this document!
• i hope it is not true!
• your name is wrong
• i found this document about you
• yes, really?
• that is bad
• here it is
• see you
• greetings
• stuff about you?
• something is going wrong!
• information about you
• about me
• from the chatter
• here, the serials
• here, the introduction
• here, the cheats
• that's funny
• do you?
• reply
• take it easy
• why?
• thats wrong
• misc
• you earn money
• you feel the same
• you try to steal
• you are bad
• something is going wrong
• something is fool

Attachment:(one of the following) ZIP file with double extension like .doc.pif, .rtf.com, .rtf.scr, .txt.exe (22,016 bytes )

• document
• msg
• doc
• talk
• message
• creditcard
• details
• attachment
• me
• stuff
• posting
• textfile
• concert
• information
• note
• bill
• swimmingpool
• product
• topseller
• ps
• shower
• aboutyou
• nomoney
• found
• story
• mails
• website
• friend
• jokes
• location
• final
• release
• dinner
• ranking
• object
• mail2
• part2
• disco
• party
• misc

NAI released Dat/SuperDat 4325 to detect and remove W32.Netsky.B@mm. The 4325 DAT/SuperDat is now available.

Symantec released 2/18/2004 virus definitions to detect and remove W32.Netsky.B@mm. Definitions are available through the LiveUpdate feature of Symantec Antivirus.

For more information see:

http://vil.nai.com/vil/content/v_101034.htm from NAI.
http://securityresponse1.symantec.com/sarc/sarc.nsf/html/w32.netsky.b@mm.html from Symantec.

This archive is not intended to be comprehensive. For a more complete virus library, please visit NAI's Virus Information Library at http://vil.nai.com.