F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

F-Secure Virus Descriptions : NetSky.M

[Summary] | [Disinfection] | [Detailed Description] | [Detection]



NAME:NetSky.M
ALIAS:W32/Netsky.M, I-Worm.Netsky.m
SIZE:16896

Summary

The Netsky.M variant discovered on March 11th 2004. It drops itself as AVprotect9x.exe to Windows directory.

Disinfection

F-Secure provides the special disinfection utility to eliminate Netsky.M worm infection. You can download this utility from our ftp site:

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.exe

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.zip

Disinfection instructions can be found here:

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.txt

System administrators who are using F-Secure Policy Manager, can distribute the tool as a JAR package automatically to all workstations.

System administrators can download the JAR version from:

http://www.europe.f-secure.com/tools/f-netsky.jar

ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.jar

Back to the Top


Detailed Description

This new variant is almost identical to Netsky.L, with some minor changes in the appearance of the emails in which it spreads.

It will create the following key to point to itself: 

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "9xHtProtect" = %sysdir%\AVprotect9x.exe

And create a mutex named "Rabbo_Mutex" so it's not run more than once.

Email Spreading

It will spread using any of the following subjects: 

 Re: <%s> Requested file
 Re: <%s> My file
 Re: <%s> My document
 Re: <%s> My information
 Re: <%s> My details
 Re: <%s> Information
 Re: <%s> Improved
 Re: <%s> Requested document
 Re: <%s> Document
 Re: <%s> Details
 Re: <%s> Your document
 Re: <%s> Your details
 Re: <%s> Approved

With message bodies from the list: 

 Details for %s.
 Document %s.
 I have received your document. The improved document %s is attached.
 I have attached your document %s.
 Your document %s is attached to this mail.
 Authentification for %s required.
 Requested file %s.
 See the file %s.
 Please read the important message msg_%s.
 Please confirm the document %s.
 %s is attached.
 Your file %s is attached.
 Please read the document %s.
 Your document %s is attached.
 Please read the attached file %s.
 Please see the attached file %s for details.

Where '%s' will be substituted by a text string.

And with attachment names from: 

 improved_%s
 message_%s
 detailed_%s
 your_document_%s
 word_doc_%s
 doc_%s
 articel_%s
 picture_%s
 file_%s
 your_file_%s
 details_%s
 document_%s

Where '%s' will be substituted by a text string.


Back to the Top


Detection

Detection for this malware was published on March 11th, 2004 in the following F-Secure Anti-Virus updates:

[FSAV_Database_Version]

Version=2004-03-11_01


Back to the Top


Technical Details: Ero Carrera, March 11th, 2004;

Description Updated: Alexey Podrezov, March 18th, 2004;

F-Secure Corporation