Skip to main content

Worm:W32/NetSky.D

Classification

Category:Malware
Type:Email-Worm
Platform:W32
Aliases:

NetSky.D, W32/Netsky.D@mm, Somefool, I-Worm.NetSky.d

Summary

A new variant of Netsky worm - Netsky.D was found on March 1st, 2004 and is spreading fast in the wild. This worm variant lacks many text strings that were present in NetSky.C variant and it does not copy itself to shared folders. Netsky.D spreads itself in emails as an executable attachment only.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Descriptions of previous NetSky variants can be found here:

The differences between Netsky.D variant and the previous variants of the worm are as follows:

  • The worm's file is packed with Petite file compressor and is 17424 bytes long. The unpacked file's size is about 28 kilobytes.
  • The worm doesn't show an error messagebox when run for the first time.
  • On March 2nd, 2004 the worm constantly beeps with PC speaker from 6:00 to 8:59. Below is the link to the WAV file with the sound that the worm makes: https://www.f-secure.com/virus-info/v-pics/netsky_d.wav

Here's a screenshot of the worm's file contents with a message from its creators:

Like the previous variant, the NetSky.D variant installs itself as WINLOGON.EXE file to Windows folder and creates a startup key for this file in the Registry:

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ICQ Net" = "%windir%\winlogon.exe -stealth"

where %windir% represents Windows directory.

The NetSky.D variant of the worm deletes the following Registry keys:

 [HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32] [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF] [HKLM\System\CurrentControlSet\Services\WksPatch] [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] KasperskyAv Explorer Taskmon system. msgsvr32 DELETE ME service Sentry Windows Services Host [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] KasperskyAv Explorer d3dupdate.exe au.exe OLE Windows Services Host [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] system.

The worm has the same list of file extensions that it uses to look for email addresses. Files with these extensions are searched on all drives from C: to Z: except CD-ROM drives. Here's the list of file extensions that the worm uses:

 .eml .txt .php .pl .htm .html .vbs .rtf .uin .asp .wab .doc .adb .tbb .dbx .sht .oft .msg .shtm .cgi .dhtm

Like its previous variants, this worm variant avoids sending emails to addresses that contain the following strings:

 icrosoft antivi ymantec spam avp f-secur itdefender orman cafee aspersky f-pro orton fbi abuse messagelabs skynet

The subjects of infected messages sent by the worm can be one of the following:

 Re: Document Re: Re: Document Re: Re: Thanks! Re: Thanks! Re: Your document Re: Here is the document Re: Your picture Re: Re: Message Re: Hi Re: Hello Re: Re: Re: Your document Re: Here Re: Your music Re: Your software Re: Approved Re: Details Re: Excel file Re: Word file Re: My details Re: Your details Re: Your bill Re: Your text Re: Your archive Re: Your letter Re: Your product Re: Your website

The infected message body text can be the following:

 Your document is attached. Here is the file. See the attached file for details. Please have a look at the attached file. Please read the attached file. Your file is attached.

The infected attachment names are randomly selected from the following list:

 your_document.pif your_document.pif document.pif message_part2.pif your_document.pif document_full.pif your_picture.pif message_details.pif your_file.pif your_picture.pif document_4351.pif yours.pif mp3music.pif application.pif all_document.pif my_details.pif document_excel.pif document_word.pif my_details.pif your_details.pif your_bill.pif your_text.pif your_archive.pif your_letter.pif your_product.pif your_website.pif

The worm doesn't use any exploits to make its file run automatically on recipients' systems. A recipient has to run the executable attachment to get infected.

More Support

Community

Ask questions in our Community.

User guides

Check the user guide for instructions.

Contact Support

Chat with with or call an agent.

Submit a Sample

Submit a file or URL for analysis.