When W32.Netsky.Y@mm runs, it does the following:

1. Copies itself as %Windir%\FirewallSvr.exe.

Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

2. Adds the value:

"FirewallSvr"="%Windir%\FirewallSvr.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

3. Creates a mutex named "____--->>>>U<<<<--____" so that only one instance of the worm executes.

4. Drops a MIME-encoded copy of itself as %Windir%\f**k_you_bagle.txt.

5. Listens on TCP port 82 for an attacker to send an executable file. The worm will automatically run the executable when it is downloaded.

6. If the date of the system clock is between April 28, 2004 and April 30, 2004, the worm will attempt to perform a Denial of Service (DoS) attack against the following Web sites:
* www.nibis.de
* www.medinfo.ufl.edu
* www.educa.ch

7. Scans drives C through Z (excluding CD-ROM drives) and retrieves email addresses from any files with the following extensions:
* .eml
* .txt
* .php
* .cfg
* .mbx
* .mdx
* .asp
* .wab
* .doc
* .vbs
* .rtf
* .uin
* .shtm
* .cgi
* .dhtm
* .abd
* .tbb
* .dbx
* .pl
* .htm
* .html
* .sht
* .oft
* .msg
* .ods
* .stm
* .xls
* .jsp
* .wsh
* .xml
* .mht
* .mmf
* .nch
* .ppt

8. Uses its own SMTP engine to send itself to hukanmikloiuo@yahoo.com, and to all the email addresses that it finds. The email has the following characteristics:

From: (spoofed)

Subject: Delivery failure notice (ID-)

Message:
--- Mail Part Delivered ---
220 Welcome to Mail
type: multipart/related
--- text/html
RFC 2504
MX [Mail Exchanger] mx.mt2.kl.
Exim Status OK.
message is available.

where may be one of:
* New
* Partial
* External
* Delivered

Attachment: www...session-.com

The worm attempts to use the default DNS server to retrieve the IP address of the email server.
For example, if the email address is someone@hostname.it, it will attempt to retrieve the IP address of the server, hostname.it. If it fails, it will attempt to use one of the following DNS servers:
o 212.185.252.73
o 212.185.253.70
o 212.185.252.136
o 194.25.2.129
o 194.25.2.130
o 195.20.224.234
o 217.5.97.137
o 194.25.2.129
o 193.193.144.12
o 212.7.128.162
o 212.7.128.165
o 193.193.158.10
o 194.25.2.131
o 194.25.2.132
o 194.25.2.133
o 194.25.2.134
o 193.141.40.42
o 145.253.2.171
o 193.189.244.205
o 213.191.74.19
o 151.189.13.35
o 195.185.185.195
o 212.44.160.8

To delete the value from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

1. Click Start, and then click Run. (The Run dialog box appears.)
2. Type regedit, and then click OK. (The Registry Editor opens.)
3. Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the value:

"FirewallSvr"="%Windir%\FirewallSvr.exe"

5. Exit the Registry Editor.
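The mail characteristics listed in step 8 (fixed subject prefix, fixed body banner lines, and a .com attachment) are enough to build a mail-gateway triage check. The following Python script is an added example and is not part of the Symantec write-up; it parses a raw message with the standard library, counts how many of the documented indicators match, and flags the message only when at least two independent indicators hit, so a legitimate bounce that happens to share one phrase is not quarantined. The attachment pattern is an assumption built from the fragments the write-up gives ("www...session-.com"), and the two sample messages are constructed for the example.

```python
import re
from email import message_from_string

# Mail characteristics documented for W32.Netsky.Y@mm (step 8 of the write-up).
# The From header is spoofed by the worm, so it is deliberately not used here.
SUBJECT_RE = re.compile(r"^Delivery failure notice \(ID-", re.IGNORECASE)
BODY_MARKERS = (
    "--- Mail Part Delivered ---",
    "220 Welcome to Mail",
    "Exim Status OK.",
)
# Assumption: the write-up elides the variable parts of the attachment name
# ("www...session-.com"); this pattern keeps only the fixed fragments.
ATTACHMENT_RE = re.compile(r"^www\..*session-.*\.com$", re.IGNORECASE)


def score_message(raw: str) -> dict:
    """Return which documented indicators a raw RFC 822 message matches.

    The message is marked suspicious when two or more indicators hit.
    """
    msg = message_from_string(raw)
    hits = []

    if SUBJECT_RE.search(msg.get("Subject", "")):
        hits.append("subject")

    body_text = ""
    attachment_names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container, no payload of its own
        filename = part.get_filename()
        if filename:
            attachment_names.append(filename)
        elif part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            body_text += payload.decode("utf-8", errors="replace")

    if any(marker in body_text for marker in BODY_MARKERS):
        hits.append("body")
    if any(ATTACHMENT_RE.match(name) for name in attachment_names):
        hits.append("attachment")

    return {"hits": hits, "suspicious": len(hits) >= 2}


# Constructed sample: shaped like the worm's mail as documented above.
SAMPLE_WORM_MAIL = """\
From: someone@example.org
To: user@example.net
Subject: Delivery failure notice (ID-ab12cd)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

--- Mail Part Delivered ---
220 Welcome to Mail
Exim Status OK.
message is available.
--BOUNDARY
Content-Type: application/octet-stream; name="www.example.session-1.com"
Content-Disposition: attachment; filename="www.example.session-1.com"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--BOUNDARY--
"""

# Constructed sample: an ordinary bounce that must not be flagged.
BENIGN_BOUNCE = """\
From: postmaster@example.net
To: user@example.net
Subject: Undeliverable: Meeting notes
Content-Type: text/plain

Your message could not be delivered to one or more recipients.
"""

if __name__ == "__main__":
    for label, raw in (("worm-like", SAMPLE_WORM_MAIL), ("benign", BENIGN_BOUNCE)):
        print(label, score_message(raw))
```

Run it as a script to see both verdicts, or import score_message into a milter or gateway hook; keep the two-indicator threshold, since the subject line alone also appears in real bounce notices.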
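The persistence entry in step 2, the dropped files in steps 1 and 4, and the mutex in step 3 are the host indicators the removal procedure above is targeting. The following Python script is an added example, not Symantec's tool; it checks all three on a Windows host using the standard winreg module and the Win32 OpenMutexW call via ctypes. The registry and file matching are kept in pure functions that take their input as arguments, so they can be exercised (and tested) off a Windows host; the mutex lookup assumes the worm's unqualified mutex name is visible in the caller's session, which is an assumption of the example.

```python
import ntpath
import os
import sys

# Host indicators documented in the write-up above.
RUN_KEY_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "FirewallSvr"
DROPPED_FILES = ("FirewallSvr.exe", "f**k_you_bagle.txt")
MUTEX_NAME = "____--->>>>U<<<<--____"


def find_run_indicators(run_values):
    """Return (name, data) pairs from a Run key that match the worm's entry.

    run_values maps value name -> value data. Matching on both the documented
    value name and the executable name catches a renamed value that still
    points at FirewallSvr.exe.
    """
    findings = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower() or "firewallsvr.exe" in str(data).lower():
            findings.append((name, data))
    return findings


def find_dropped_files(windir, exists=os.path.exists):
    """Return the documented dropped-file paths that exist under windir.

    exists is injectable so the path logic can run on a non-Windows host.
    """
    candidates = [ntpath.join(windir, name) for name in DROPPED_FILES]
    return [path for path in candidates if exists(path)]


def read_run_key():
    """Enumerate HKLM\\...\\Run into a dict (Windows only)."""
    import winreg  # standard library on Windows builds of Python

    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the values are exhausted
                break
            values[name] = data
            index += 1
    return values


def mutex_exists(name):
    """True if a mutex with this name is currently open (Windows only)."""
    import ctypes
    from ctypes import wintypes

    SYNCHRONIZE = 0x00100000
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.OpenMutexW.argtypes = (wintypes.DWORD, wintypes.BOOL, wintypes.LPCWSTR)
    kernel32.OpenMutexW.restype = wintypes.HANDLE
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        kernel32.CloseHandle(handle)
        return True
    return False


if __name__ == "__main__":
    if sys.platform != "win32":
        print("Registry and mutex checks need a Windows host.")
        sys.exit(0)
    windir = os.environ.get("WINDIR", r"C:\Windows")
    for name, data in find_run_indicators(read_run_key()):
        print(f"Run key value present: {name} = {data}")
    for path in find_dropped_files(windir):
        print(f"dropped file present: {path}")
    if mutex_exists(MUTEX_NAME):
        print("worm mutex is open: an instance is likely still running")
```

If the mutex check reports the worm as running, terminate the process before deleting the Run value and the dropped files; otherwise a live instance can recreate the persistence entry after the registry edit described above.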