Discovery Date: 03/05/2004
Length: 22,528 bytes (PE-Pack)
This variant is very similar to W32/Netsky.g@MM.
This virus spreads via email. It sends itself to addresses found on the victim's machine. The virus also attempts to deactivate various other viruses (variants of W32/Mydoom and W32/Bagle).
The virus may be received in an email message as follows:
From: (forged address taken from infected system)
Re: Part 3
Re: Part 2
Re: Your TAN
Re: Your PIN
Re: Your bill
Re: My details
Re: Your data
Re: Appending etc.etc.
The worm copies itself into the %WinDir% folder (e.g. C:\WINDOWS) using the filename MAJA.EXE.
C:\WINNT\maja.exe (22,528 bytes)
Note: A valid file exists in the %Sysdir% directory.
A Registry key is created to load the worm at system start.
"Antivirus" = %WinDir%\maja.exe -antivirus service
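An added triage example, not part of the original description: it parses `reg query` text output collected from autostart keys and scores each value against the three indicators above (value name "Antivirus", image maja.exe, arguments `-antivirus service`). The description does not name the registry key, so the Run key in the constructed sample is an assumption, as is the ExampleAV entry used to show that the value name alone is not enough.

```python
import re

# Indicators taken from the description above.
IOC_VALUE_NAME = "antivirus"
IOC_IMAGE = "maja.exe"
IOC_ARGS = "-antivirus service"

# One value line of `reg query` text output: name, type and data separated by 4 spaces.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("data").strip()

def score(name, data):
    """Count how many of the three indicators a value matches (0 to 3)."""
    d = data.lower().replace('"', "")
    # Base name of the first .exe in the command line, "" if there is none.
    exe = d.split(".exe")[0].rsplit("\\", 1)[-1] + ".exe" if ".exe" in d else ""
    return sum([name.lower() == IOC_VALUE_NAME, exe == IOC_IMAGE, d.endswith(IOC_ARGS)])

def find_hits(text, threshold=2):
    """Return (key, name, data, score) for values matching >= threshold indicators."""
    return [(k, n, d, s) for k, n, d in parse_reg_query(text)
            if (s := score(n, d)) >= threshold]

# Constructed sample export (not from a real host); the Run key path is an assumption.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Antivirus    REG_SZ    C:\WINNT\maja.exe -antivirus service
    Antivirus    REG_SZ    "C:\Program Files\ExampleAV\avtray.exe" /min
    SoundMan    REG_SZ    SOUNDMAN.EXE
"""

if __name__ == "__main__":
    for key, name, data, s in find_hits(SAMPLE):
        print(f"{s}/3 indicators: {key} -> {name} = {data}")
```

A hit should be confirmed on disk by checking that the referenced maja.exe sits in %WinDir% and is 22,528 bytes.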
Read more: http://vil.nai.com/vil/content/v_101077.htm
W32/Netsky-H is a worm that spreads via email. Further details will be posted shortly.