Threat Description

NetSky.M

Details

Aliases: NetSky.M, W32/Netsky.M, I-Worm.Netsky.m
Category: Malware
Type: Email-Worm
Platform: W32

Summary



The Netsky.M variant discovered on March 11th 2004. It drops itself as AVprotect9x.exe to Windows directory.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details



This new variant is almost identical to Netsky.L, with some minor changes in the appearance of the emails in which it spreads.

It will create the following key to point to itself:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "9xHtProtect" = %sysdir%\AVprotect9x.exe

And create a mutex named "Rabbo_Mutex" so it's not run more than once.

Email Spreading

It will spread using any of the following subjects:

Re: <%s> Requested file
 Re: <%s> My file
 Re: <%s> My document
 Re: <%s> My information
 Re: <%s> My details
 Re: <%s> Information
 Re: <%s> Improved
 Re: <%s> Requested document
 Re: <%s> Document
 Re: <%s> Details
 Re: <%s> Your document
 Re: <%s> Your details
 Re: <%s> Approved

With message bodies from the list:

Details for %s.
 Document %s.
 I have received your document. The improved document %s is attached.
 I have attached your document %s.
 Your document %s is attached to this mail.
 Authentification for %s required.
 Requested file %s.
 See the file %s.
 Please read the important message msg_%s.
 Please confirm the document %s.
 %s is attached.
 Your file %s is attached.
 Please read the document %s.
 Your document %s is attached.
 Please read the attached file %s.
 Please see the attached file %s for details.

Where '%s' will be substituted by a text string.

And with attachment names from:

improved_%s
 message_%s
 detailed_%s
 your_document_%s
 word_doc_%s
 doc_%s
 articel_%s
 picture_%s
 file_%s
 your_file_%s
 details_%s
 document_%s

Where '%s' will be substituted by a text string.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More