|ALIAS:||W32/NetSky.H@mm, I-Worm.NetSky.h, W32.NetSky.H@mm|
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Eliminating a Local Network Outbreak
If the infection is in a local network, please follow the instructions on this webpage:
Descriptions of all previous NetSky worm variants can be found here:
The worm's file is a PE executable file 22528 bytes long, packed with PE-Pack file compressor. The unpacked file's size is over 28 kilobytes.
On March 8th, 2004 the worm constantly beeps with PC speaker from 11:00 to 11:59. Below is the link to the WAV file with the sound that the worm makes: http://www.f-secure.com/virus-info/v-pics/netsky_d.wav
NetSky.H worm doesn't copy its files to shared folders.
Installation to system
When run, the worm installs itself to system. It copies its file to Windows folder as MAJA.EXE and creates a startup key for this file in System Registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Antivirus" = "%windir%\maja.exe -antivirus service"
where %windir% represents Windows directory
The worm creates a mutex named "MI[SkyNet.cz]SystemsMutex" to avoid running more than one instance of itself.
Spreading in e-mails
NetSky.H worm has its own SMTP engine that it uses to send emails with infected attachments to all found e-mail addresses. The worm uses different subjects, message body texts and attachment names in its e-mails.
The worm scans all available drives except CD-ROM drives for e-mails. It searches for e-mail addresses in files with the following extensions:
.eml .txt .php .pl .htm .html .vbs .rtf .uin .asp .wab .doc .adb .tbb .dbx .sht .oft .msg .shtm .cgi .dhtm
The subject for infected messages is selected from the following list:
Re: Samples Re: Document Re: Approved Re: Here the file Re: Yours Re: Your file Re: Your folder Re: Your encrypted file Re: Hi Re: Hello Re: Appending Re: Index Re: Your data Re: Your application Re: Part 2 Re: Part 3 Re: Secound Part Re: Zipped folder Re: My details Re: Your details Re: Your bill Re: Your PIN Re: Your TAN Re: Your loveletter Re: Your picture Re: Your briefing
The message body text for infected messages is selected from the following list:
Your document is attached. Here is the file. See the attached file for details. Please have a look at the attached file... Please read the attached file. Your file is attached.
The attachment name for infected messages is selected from the following list:
your_smaples.scr your_document.scr document.scr message_part2.scr your_document.scr document_full.scr your_picture.pif message_details.scr your_file.scr your_picture.scr document_4351.scr yours.scr mp3music.scr application.scr all_document.scr my_details.scr document_excel.scr document_word.scr my_details.scr your_details.scr your_bill.scr your_pin_88.scr your_tan_33.scr your_letter.scr your_pic.scr your_briefing.scr
icrosoft antivi ymantec spam avp f-secur itdefender orman cafee aspersky f-pro orton fbi abus messagelabs skynet andasoftwa freeav sophos antivir iruslis
Deleting Registry keys and disinfecting Bagle worm
The NetSky.H worm variant of the worm deletes the following Registry keys:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] KasperskyAv Explorer Taskmon system. msgsvr32 DELETE ME service Sentry Windows Services Host
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] KasperskyAv Explorer OLE Windows Services Host d3dupdate.exe au.exe sysmon.exe rate.exe gouday.exe sate.exe ssate.exe srate.exe
NetSky.H worm removes Registry keys of several Bagle worm variants if it finds them on an infected computer. At least the last 8 keys listed above belong to earlier Bagle variants.