32.Netsky.V@mm is a mass-mailing worm that sends itself to the email addresses that it gathers from the files on the computer. This variant does not send an attachment with its email messages, but instead sends a link to an infected computer, attempting to download and run the worm's executable.
 
Replication Process
The replication is provided using the mechanism of known vulnerabilities, as shown in the diagram below:
 
 
   1. W32.Netsky.V@mm constructs a message body using the Microsoft Internet Explorer XML Page Object Type Validation vulnerability (described in Microsoft Security Bulletin MS03-040). This vulnerability could allow a malicious object to be trusted, installed, and then executed on a targeted computer.
 
      The email body contains the object that points to the following source:
 
      http /%infected_computer_ip%:5557/index.html
 
      where %infected_computer_ip% is the IP address of an infected computer.
 
   2. The targeted computer will request the index.html page on an infected computer, accessing the HTTP server listening on port 5557.
 
   3. The HTTP server creates an index.html page that exploits the Microsoft IE5 ActiveX "Object for constructing type libraries for scriptlets" vulnerability (described in Microsoft Security Bulletin MS99-032).
 
   4. The viral index.html file will launch ftp.exe, which is the default FTP client in Windows.
 
      Ftp.exe will connect to the FTP server listening on port 5556 on an infected computer, and then request the worm executable.
 
   5. The worm executable is sent to the targeted computer and then executed.