Summary

Another Netsky variant discovered on March 10th 2004. It drops itself as AVprotect.exe to Windows directory.

Disinfection

F-Secure provides the special disinfection utility to eliminate Netsky.L worm infection. You can download this utility from our ftp site:

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.zip

Disinfection instructions can be found here:

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.txt

System administrators who are using F-Secure Policy Manager, can distribute the tool as a JAR package automatically to all workstations.

System administrators can download the JAR version from:

http://www.europe.f-secure.com/tools/f-netsky.jar

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.jar

Additional Details

This new variant is a stripped down version, just containing a minimum set of features and with no comments on the ongoing virus war.

It will create the following key to point to itself:

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "HtProtect" = %sysdir%\AVprotect.exe

And create a mutex named "Rabbo" so it's not run more than once.

Email Spreading

It will spread using any of the following subjects:

 Re: Important
 Re: Your document
 Re: Your details
 Re: Approved

With message bodies from the list:

 Your file is attached.
 Please read the document.
 Your document is attached.
 Please read the attached file.
 Please see the attached file for details.

And with attachment names from:

 your_file_%s.pif
 details_%s.pif
 document_%s.pif

Where '%s' will be substituted by a text string.

Detection

Detection for this malware was published on March 10th, 2004 in the following F-Secure Anti-Virus updates:

[FSAV_Database_Version]
Version=2004-03-10_03



Technical Details: Ero Carrera, March 10th, 2004;

Description Updated: Alexey Podrezov, March 18th, 2004;