ALAS Archives

March 2004

ALAS@LISTSERV.MIAMIOH.EDU

Subject:
From: Pedro Calderon <[log in to unmask]>
Reply To: Pedro Calderon <[log in to unmask]>
Date: Mon, 8 Mar 2004 15:52:20 -0500
Content-Type: text/plain

I-Worm.Netsky.d
[ 03/01/2004 14:27, GMT +03:00, Moscow ]
Danger : severe risk
Kaspersky Labs has detected I-Worm.Netsky.d, the fourth version of the
mail-worm Moodown. The worm spreads via the Internet as a file attached to
infected emails.

The worm is a Windows PE EXE file of approximately 17KB. It is written in
Microsoft Visual C++, and packed using Petite. The size of the unpacked
file is approximately 27KB.


Contents of infected messages

Message header, chosen at random from the list below:
Re: Re: Document
Re: Re: Thanks!
Re: Thanks!
Re: Your document
Re: Here is the document
Re: Your picture
Re: Re: Message
Re: Hi
Re: Hello
Re: Re: Re: Your document
Re: Here
Re: Your music
Re: Your software
Re: Approved
Re: Details
Re: Excel file
Re: Word file
Re: My details
Re: Your details
Re: Your bill
Re: Your text
Re: Your archive
Re: Your letter
Re: Your product
Re: Your website

Message body, chosen at random from the list below:
Your document is attached.
Here is the file.
See the attached file for details.
Please have a look at the attached file
Please read the attached file.
Your file is attached.

Attachment name, chosen at random from the list below:
your_document.pif
document.pif
message_part2.pif
document_full.pif
message_details.pif
your_file.pif
document_4351.pif
yours.pif
mp3music.pif
application.pif
all_document.pif
my_details.pif
document_excel.pif
document_word.pif
your_details.pif
your_bill.pif
your_text.pif
your_archive.pif
your_letter.pif
your_product.pif
your_website.pif

The worm copies itself to %WinDir% under the name "winlogon.exe".
It adds the following key to the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
 "ICQ Net" = "%windir%\winlogon.exe"

A detailed description of I-Worm.Netsky.d is now available in the Virus
Encyclopaedia.
An urgent update to Kaspersky Labs anti-virus databases has already been
issued.

Kaspersky Anti-Virus Database Updates
I-Worm.Netsky.d
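
Added example (not part of the original message or of Kaspersky's advisory): a mail-gateway style check that parses a raw message and matches it against the attachment names and body lines listed above. The function names, the "suspicious-pif" verdict for any other .pif attachment, and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names and body lines copied from the advisory's lists.
ATTACHMENT_NAMES = set("""
your_document.pif document.pif message_part2.pif document_full.pif
message_details.pif your_file.pif document_4351.pif yours.pif mp3music.pif
application.pif all_document.pif my_details.pif document_excel.pif
document_word.pif your_details.pif your_bill.pif your_text.pif
your_archive.pif your_letter.pif your_product.pif your_website.pif
""".split())
BODY_LINES = {
    "your document is attached.", "here is the file.",
    "see the attached file for details.",
    "please have a look at the attached file",
    "please read the attached file.", "your file is attached.",
}

def classify(raw: bytes) -> str:
    """Return 'netsky.d', 'suspicious-pif' or 'clean' for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = [(p.get_filename() or "").strip().lower()
             for p in msg.iter_attachments()]
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().strip().lower() if part else ""
    if body in BODY_LINES and any(n in ATTACHMENT_NAMES for n in names):
        return "netsky.d"          # listed attachment name plus listed body
    if any(n.endswith(".pif") for n in names):
        return "suspicious-pif"    # generalization: any other .pif attachment
    return "clean"

def build_sample(subject: str, body: str, filename: str = "") -> bytes:
    """Constructed test message; the attachment is inert placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for args in [("Re: Your bill", "Your file is attached.", "your_bill.pif"),
                 ("Notes", "See you Monday.", "notes.PIF"),
                 ("Re: Hello", "Here is the file.", "report.pdf")]:
        print(args[2], "->", classify(build_sample(*args)))
```

Matching is case-insensitive on both the filename and the body, so a renamed-case attachment such as YOUR_BILL.PIF is still caught.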
