F-Secure Virus Descriptions : NetSky.J

NAME: NetSky.J
ALIAS: W32/NetSky.J@mm, I-Worm.NetSky.j, W32.NetSky.J@mm
SIZE: 27648

Summary

A new variant of the Netsky worm, Netsky.J, was found on March 8th, 2004.

Disinfection

F-Secure provides a special disinfection utility to eliminate a Netsky.J worm infection. You can download this utility from our FTP site:

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.zip

Disinfection instructions can be found here:

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.txt

System administrators who are using F-Secure Policy Manager can distribute the tool automatically to all workstations as a JAR package.

System administrators can download the JAR version from:

http://www.europe.f-secure.com/tools/f-netsky.jar

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.jar

Detailed Description

Descriptions of all previous NetSky worm variants can be found here:

W32/NetSky.A@mm: http://www.f-secure.com/v-descs/moodown.shtml

W32/NetSky.B@mm: http://www.f-secure.com/v-descs/netsky_b.shtml

W32/NetSky.C@mm: http://www.f-secure.com/v-descs/netsky_c.shtml

W32/NetSky.D@mm: http://www.f-secure.com/v-descs/netsky_d.shtml

W32/NetSky.E@mm: http://www.f-secure.com/v-descs/netsky_e.shtml

W32/NetSky.F@mm: http://www.f-secure.com/v-descs/netsky_f.shtml

W32/NetSky.G@mm: http://www.f-secure.com/v-descs/netsky_g.shtml

W32/NetSky.H@mm: http://www.f-secure.com/v-descs/netsky_h.shtml

W32/NetSky.I@mm: http://www.f-secure.com/v-descs/netsky_i.shtml

The worm's file is a PE executable file 27648 bytes long.

The NetSky.J worm has a few modifications compared to previous variants:

- The worm uses a different mutex: "SkYnEt_AVP"

- The worm contains a message for the Bagle and Mydoom worm authors, along the same lines as the previous ones.

- The worm uses the following subject texts:

 Your product
 Your letter
 Re: corrected homework
 Re: I've found your document
 Re: Your bill
 Re: hello again
 Re: hi again
 Re: part 3
 Re: important document part 2
 Re: important
 Re: Your data
 Re: Your application
 Re: your music
 Re: excel document
 Re: Re: Re: word document
 Re: Your details
 Re: My details
 Re: Your requested file
 Re: Read it immediately
 Re: Approved
 Re: Your software
 Re: my memberlist
 Re: Your document
 Re: Your file
 Re: Your important document
 www.%s.tripod.com
 Hi Mr. %s
 Moi %s
 He %s
 Yours faithfully, %s
 Message to %s
 Hi Mrs. %s
 Is %s.doc yours?
 Is %s.xls yours?
 Whats up %s
 www.paypal.com/%s
 Na %s
 Best %s
 Love %s
 Good morning %s
 Have a good day %s
 Dear %s
 To %s , it's me
 Welcome %s
 Moin %s
 Hello %s
 Your account %s is expired!
 Hey %s
 Hi %s
 www.%s.freepage.com, your website
 Hi %s, your product
 Hello %s, your letter
 Re: Hi %s, your archive
 Re: %s, your text
 Re: Hello %s, your bill
 Re: Hi %s, your details
 Re: Hello %s, my details
 Re: Hi %s, your word file
 Re: Hello %s, your excel file
 Re: Hi %s, details
 Re: Hello %s, Approved
 Re: Hello %s, your software
 Re: Hi %s, your music
 Re: Dear %s, Here
 Re: Re: Re: Hello %s, your document
 Re: Hi %s
 Re: Dear %s, Hi
 Re: Re: Hi %s,  your message
 Re: Here %s, your picture
 Re: Hi %s, here is the document
 Re: Hello %s, your document
 Re: %s, thanks!
 Re: Re: %s, thanks!
 Re: Re: Hi %s, document
 Re: Hello %s, document

Here %s is substituted by some text.

- The worm uses the following message body texts:

 My details are in the attached file.
 I have corrected your document.
 Please do not forget to read the important document.
 I have an interesting document about you.
 The sample is attached.
 Your personal document is attached.
 Your file is attached to this mail.
 Note that I have attached your file.
 The important document is attached.
 Please read the document. It's important.
 Your document is attached to this mail.
 See the attachment for further details.
 Your file is attached. Use this password for the file: %i.
 Please read the attached file. Password for the file is %i.
 Please have a look at the attached file. Password for decrypting is %i.
 See the attached file for details. Password is %i.
 Here is the file. My password is %i.
 Your document is attached. Your password is %i.

- The worm installs itself to the system as the file avpguard.exe.
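
As an added example (not F-Secure's detection code), the Python below turns the worm's printf-style subject and body templates into regular expressions that a mail-gateway or mailbox sweep could apply. The template lists are a subset copied from this description; the length limit on %s, the digits-only reading of %i, and all function names are assumptions.

```python
import re

# Subset of the subject and body templates listed in this description.
SUBJECTS = [
    "Re: Your bill",
    "Re: Re: Re: word document",
    "Is %s.doc yours?",
    "Your account %s is expired!",
    "Hi %s",
    "Re: Re: Hi %s,  your message",
]
BODIES = [
    "Your document is attached to this mail.",
    "Your file is attached. Use this password for the file: %i.",
    "See the attached file for details. Password is %i.",
]

def template_to_regex(template):
    """Compile a printf-style template into a case-insensitive regex."""
    out = []
    for part in re.split(r"(%s|%i)", template):
        if part == "%s":
            out.append(r"\S.{0,63}?")  # assumption: short, non-empty substituted text
        elif part == "%i":
            out.append(r"\d{1,10}")    # assumption: password is a plain decimal number
        else:
            # Escape literal text; tolerate whitespace folding by mail systems.
            out.append(r"\s+".join(re.escape(w) for w in re.split(r"\s+", part)))
    return re.compile("".join(out), re.IGNORECASE)

SUBJECT_RULES = [(t, template_to_regex(t)) for t in SUBJECTS]
BODY_RULES = [(t, template_to_regex(t)) for t in BODIES]

def classify(subject, body):
    """Return (confidence, matched_templates) for one message."""
    hits = [("subject", t) for t, rx in SUBJECT_RULES if rx.fullmatch(subject.strip())]
    for line in body.splitlines():
        hits += [("body", t) for t, rx in BODY_RULES if rx.fullmatch(line.strip())]
    fields = {field for field, _ in hits}
    # Subjects such as "Hi %s" are common in legitimate mail, so a subject
    # hit alone is only a weak signal; subject plus body is a strong one.
    if fields == {"subject", "body"}:
        return "high", hits
    return ("low" if hits else "none"), hits
```

A "low" result is best treated as a reason to look at the attachment, not as a verdict on its own.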


Back to the Top


Detection

For now, F-Secure Anti-Virus detects this variant generically ("I-Worm.Netsky.gen"). Exact detection will be shipped later.

Technical Details: Ero Carrera, March 8th, 2004

Description Updated: Alexey Podrezov, March 18th, 2004

F-Secure Corporation