DELETE all email with the Subject that is one of the following.
hi
hello
read it immediately
something for you
warning
information
stolen
fake
unknown
W32.Netsky.B@mm is a Category 4 mass-mailing worm which arrives with varied email subject,
body, and attachment, and attempts to spread through both email and file sharing folders.
Uses its own SMTP engine to send itself to the email addresses it found above.
The email has the following characteristics:
From: (Spoofed)
Subject: (One of the following)
hi
hello
read it immediately
something for you
warning
information
stolen
fake
unknown
Message: (One of the following)
anything ok?
what does it mean?
ok
i'm waiting
read the details.
here is the document.
read it immediately!
my hero
here
is that true?
is that your name?
is that your account?
i wait for a reply!
is that from you?
you are a bad writer
I have your password!
something about you!
kill the writer of this document!
i hope it is not true!
your name is wrong
i found this document about you
yes, really?
that is bad
here it is
see you
greetings
stuff about you?
something is going wrong!
information about you
about me
from the chatter
here, the serials
here, the introduction
here, the cheats
that's funny
do you?
reply
take it easy
why?
thats wrong
misc
you earn money
you feel the same
you try to steal
you are bad
something is going wrong
something is fool
Attachment:
W32.Netsky.B@mm will create a .zip file as the attachment 48.5% of the time, which randomly chooses one of the Attachment Names below. The archive contains an executable copy of the worm, which also randomly chooses one of the Attachment Names below.
The rest of the time, the worm will create an executable file as the attachment, which randomly chooses one of the Attachment Names below.
Attachment Name: (One of the following)
document
msg
doc
talk
message
creditcard
details
attachment
me
stuff
posting
textfile
concert
information
note
bill
swimmingpool
product
topseller
ps
shower
aboutyou
nomoney
found
story
mails
website
friend
jokes
location
final
release
dinner
ranking
object
mail2
part2
disco
party
misc
Extensions:
If the attachment is an executable file, the worm will create a double extension 53.8% of the time. If the attachment is a .zip file, then the executable within the .zip will have a double extension 33% of the time. The first, variable extension in these cases will be one of the following:
.txt
.rtf
.doc
.htm
All executables will end with one of the following extensions:
.exe
.scr
.com
.pif