When the worm is launched, it copies itself as sysmonxp.exe to the Windows directory and registers itself as sysmonxp in the Run key of the Windows Registry. The worm creates a firewallloger.txt file together with the helper files zipo0.txt, zipo1.txt, zipo2.txt, zipo3.txt, zippedbase64.tmp and base64.tmp in the same directory. It then launches notepad.exe as well.
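An added PowerShell check (not part of the original description) that looks on a host for the artifacts named above: the sysmonxp Run value and the dropped files. It assumes the Run key may live under either HKLM or HKCU, since the text does not say which, and that "Windows directory" means %SystemRoot%.

```powershell
# Host check for the W32/Netsky-R artifacts described above (added example, not
# part of the original description). Assumptions: the Run value may be under HKLM
# or HKCU, and the "Windows directory" is $env:SystemRoot.
$windowsDir   = $env:SystemRoot
$droppedFiles = @('sysmonxp.exe', 'firewallloger.txt', 'zipo0.txt', 'zipo1.txt',
                  'zipo2.txt', 'zipo3.txt', 'zippedbase64.tmp', 'base64.tmp')
$runKeys      = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
# Properties Get-ItemProperty adds about the key itself, not registry values
$metaProps    = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
$findings     = @()

# 1. Autostart: a Run value named sysmonxp, or any Run value that launches sysmonxp.exe
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }
        $byName = $prop.Name -eq 'sysmonxp'
        $byData = ($prop.Value -is [string]) -and ($prop.Value -match 'sysmonxp\.exe')
        if ($byName -or $byData) {
            $findings += "Run value '$($prop.Name)' = '$($prop.Value)' in $key"
        }
    }
}

# 2. Dropped files in the Windows directory; report size and timestamp for triage
foreach ($name in $droppedFiles) {
    $path = Join-Path $windowsDir $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        $findings += "File present: $path ($($item.Length) bytes, modified $($item.LastWriteTime))"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Netsky-R artifacts found.'
} else {
    Write-Output 'Possible W32/Netsky-R infection:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it in an elevated session so HKLM and %SystemRoot% are readable; a hit on the file names alone warrants a scan with an up-to-date engine, since the names are not unique to malware.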
The worm spreads by e-mailing itself to addresses harvested from files with the following extensions: xml, wsh, jsp, msg, oft, ***, dbx, tbb, adb, dhtm, cgi, shtm, uin, rtf, vbs, doc, wab, asp, php, txt, eml, html, htm and pl.
The message format is as follows:
The sender address is faked.
The message subject and body vary.
The attachment name is random; the attachment is either a zip archive or a file with an executable extension.
At the time of writing, Sophos has received just one report of this worm from the wild.
W32/Netsky-R is a mass-mailing worm. A detailed description will be published here shortly.