Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | June 2004 (3.82) |
| Protection available since | 21 April 2004 23:24:54 (GMT) |
| Detected by | All Sophos products |
Action

Please read the instructions for removing W32/Netsky-Z.
More Information
W32/Netsky-Z is an internet worm which spreads by emailing itself to addresses found within files on the local computer.
When first run, W32/Netsky-Z copies itself to the Windows folder as Jammer2nd.exe and creates the following registry entry so that Jammer2nd.exe is run automatically each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Jammer2nd = <WINDOWS>\Jammer2nd.exe
Copies of the worm in Base64-encoded and ZIP form are created in the Windows folder with names matching pk_zip?.log, where '?' is a number.
The emails use a subject and message randomly selected from the following:
Subject lines:
Information
Hi
Document
Important
Message texts:
Important bill!
Important notice!
Important document!
Important data!
Important textfile!
Important details!
Important informations!
Important!
Important notice!
Attached file (Zip archive):
Bill.zip
Notice.zip
Important.zip
Data.zip
Textfile.zip
Details.zip
Part-2.zip
Informations.zip
W32/Netsky-Z also opens a listening port on TCP 665.
The worm launched a denial-of-service attack on the following sites between the 2nd and the 5th May 2004:
www.educa.ch
www.medinfo.ufl.edu
www.nibis.de
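
The subject lines, message texts and attachment names listed above can be combined into a mail-gateway check. The Python below is an added example, not Sophos code: the function names and sample messages are constructed, and the rule of requiring a listed attachment name plus at least one other indicator is an assumption, chosen because subjects such as "Hi" are common in legitimate mail.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators copied from the description above (compared case-insensitively).
SUBJECTS = {"information", "hi", "document", "important"}
BODIES = {"important bill!", "important notice!", "important document!",
          "important data!", "important textfile!", "important details!",
          "important informations!", "important!"}
ATTACHMENTS = {"bill.zip", "notice.zip", "important.zip", "data.zip",
               "textfile.zip", "details.zip", "part-2.zip", "informations.zip"}

def netsky_z_indicators(raw_message):
    """Return which indicator classes match: 'subject', 'body', 'attachment'."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = set()
    if (msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        name = part.get_filename()
        if name:
            if name.strip().lower() in ATTACHMENTS:
                hits.add("attachment")
        elif part.get_content_type() == "text/plain":
            if part.get_content().strip().lower() in BODIES:
                hits.add("body")
    return hits

def is_suspect(raw_message):
    # Assumed policy: a listed attachment name plus one other indicator.
    hits = netsky_z_indicators(raw_message)
    return "attachment" in hits and len(hits) >= 2

def build_sample(subject, body, attachment=None):
    # Constructed test message; the attachment bytes are a harmless placeholder.
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="zip", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    print(is_suspect(build_sample("Important", "Important bill!", "Bill.zip")))
```

Messages that match only on subject or only on attachment name are returned by `netsky_z_indicators` but not flagged by `is_suspect`, so they can be logged for review rather than blocked.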
