W32/Netsky-D is a worm that spreads via email. When emailing itself the
worm can spoof the sender's email address.
W32/Netsky-D may arrive in an email with the following characteristics:
Subject lines:
Re: Approved
Re: Details
Re: Document
Re: Excel file
Re: Hello
Re: Here
Re: Here is the document
Re: Hi
Re: My details
Re: Re: Document
Re: Re: Message
Re: Re: Re: Your document
Re: Re: Thanks!
Re: Thanks!
Re: Word file
Re: Your archive
Re: Your bill
Re: Your details
Re: Your document
Re: Your letter
Re: Your music
Re: Your picture
Re: Your product
Re: Your software
Re: Your text
Re: Your website
Message texts:
Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.
Attached file:
all_document.pif
application.pif
document.pif
document_4351.pif
document_excel.pif
document_full.pif
document_word.pif
message_details.pif
message_part2.pif
mp3music.pif
my_details.pif
your_archive.pif
your_bill.pif
your_details.pif
your_document.pif
your_file.pif
your_letter.pif
your_picture.pif
your_product.pif
your_text.pif
your_website.pif
yours.pif
W32/Netsky-D searches all mapped drives for files with the following
extensions in order to find email adresses: MSG, OFT, SHT, DBX, TBB, ADB,
DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT and EML
W32/Netsky-D is programmed to not forward itself via email if the
recipient email address contains the following strings:
messagelabs
abuse
fbi
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
avp
spam
ymantec
antivi
icrosoft
When the worm is run on 2 March 2004 between 06:00 and 08:59 it may cause
the computer to beep sporadically.
