|W32.Netsky.Y@mm is a variant of W32.Netsky.X@mm that scans for the email addresses on all non-CD-ROM drives on an infected computer.
Also Known As: W32/Netsky.y@MM [McAfee], WORM_NETSKY.Y [Trend], Win32.Netsky.Y [Computer Associates], W32/Netsky-X [Sophos]
Copies itself as %Windir%\FirewallSvr.exe.
Adds the value: "FirewallSvr"="%Windir%\FirewallSvr.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Listens on TCP port 82 for an attacker to send an executable file, and then run it.
If the system date is between April 28, 2004 and April 30, 2004,
the worm will attempt to perform Denial of Service (DoS) attack against the following Web sites: www.nibis.de; www.medinfo.ufl.edu; www.educa.ch
Then, the worm uses its own SMTP engine to send itself to the email addresses that it finds.
The email has the following characteristics:
Subject: Delivery failure notice (ID-)
--- Mail Part Delivered ---
220 Welcome to
Mail type: multipart/related
--- text/html RFC 2504
MX [Mail Exchanger] mx.mt2.kl.
Exim Status OK.
message is available.
where may be one of:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "FirewallSvr"="%Windir%\FirewallSvr.exe"
Still have a problem? Ask for help at our discussion forum.