F-Secure Virus Descriptions : NetSky.O
The Netsky.O variant was discovered on March 16th, 2004.
The O variant follows in the footsteps of the earlier ones. This variant
uses four different fake antivirus scanner messages mentioning four
different major antivirus companies, including F-Secure.
F-Secure provides a special disinfection utility to eliminate the
Netsky.O worm infection. You can download this utility from our
ftp site:
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.zip
Disinfection instructions can be found here:
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.txt
System administrators who are using F-Secure Policy Manager
can distribute the tool as a JAR package automatically to all
workstations.
System administrators can download the JAR version from:
http://www.europe.f-secure.com/tools/f-netsky.jar
ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.jar
System Infection
Upon execution the worm copies itself to the Windows System Directory
with the filename 'AVBgle.exe', which is added to the registry as
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] =
"MsInfo" = "%SysDir%\AVBgle.exe"
The worm removes several registry values that belong to other worms.
Email Propagation
When collecting addresses, NetSky.O recursively searches through all hard
drives and checks the contents of files with the following extensions:
.pl
.htm
.html
.eml
.txt
.php
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.sht
.oft
.msg
.jsp
.wsh
.xml
Emails are composed of different components randomly chosen from predefined
sets.
Possible subjects:
Re: Mail Authentification
Re: Delivery Protection
Re: Secure delivery
Re: Protected Mail Delivery
Re: Protected Mail System
Re: Protected Mail Request
Re: Secure SMTP Message
Re: Extended Mail System
Re: Error
Re: Message Error
Re: Administration
Re: Test
Re: Thank you for delivery
Re: Failure
Re: Bad Request
Re: Delivery Server
Re: Mail Server
Re: SMTP Server
Re: Notify
Re: Status
Re: Extended Mail
Re: Encrypted Mail
Email bodies are chosen from:
You have received an extended message. Please read the instructions.
New message is available.
Now a new message is available.
You got a new message.
SMTP: Please confirm the attached message.
Bad Gateway: The message has been attached.
Protected message is available.
Waiting for authentification.
Protected message is attached.
Please authenticate the secure message.
Follow the instructions to read the message.
Please read the attachment to get the message.
Encrypted message is available.
Delivered message is attached.
Forwarded message is available.
Secure Mail System Beta Test.
Protected Mail System Test.
Your requested mail has been attached.
For further details see the attachment.
For more details see the attachment.
First part of the secure mail is available.
Waiting for a Response. Please read the attachment.
Partial message is available.
ESMTP [Secure Mail System #334]: Secure message is attached.
Please confirm my request.
Attachment names can be one of:
message.pif
msg.pif
details.pif
data.pif
document.pif
readme.pif
All messages end with a fake antivirus scanner message chosen
from four different variants:

+++ Attachment: No Virus found
+++ Panda AntiVirus - You are protected
+++ www.pandasoftware.com

+++ Attachment: No Virus found
+++ F-Secure AntiVirus - You are protected
+++ www.f-secure.com

+++ Attachment: No Virus found
+++ Norman AntiVirus - You are protected
+++ www.norman.com

+++ Attachment: No Virus found
+++ Norton AntiVirus - You are protected
+++ www.symantec.de
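A mail-gateway style check built from the indicators listed above (subjects, .pif attachment names and the three-line fake scanner footer), added here as an example and not part of the F-Secure description; the sample message it builds is constructed for illustration, not a captured worm mail.

```python
import email
from email import policy
from email.message import EmailMessage
# Indicators taken from the description above: lure subjects, attachment names
# and the vendors named in the fake scanner footer.
SUBJECTS = {"Re: " + s for s in (
    "Mail Authentification", "Delivery Protection", "Secure delivery",
    "Protected Mail Delivery", "Protected Mail System", "Protected Mail Request",
    "Secure SMTP Message", "Extended Mail System", "Error", "Message Error",
    "Administration", "Test", "Thank you for delivery", "Failure", "Bad Request",
    "Delivery Server", "Mail Server", "SMTP Server", "Notify", "Status",
    "Extended Mail", "Encrypted Mail")}
ATTACHMENTS = {"message.pif", "msg.pif", "details.pif", "data.pif", "document.pif", "readme.pif"}
VENDORS = ("Panda AntiVirus", "F-Secure AntiVirus", "Norman AntiVirus", "Norton AntiVirus")

def has_fake_av_footer(body: str) -> bool:
    """True if the body ends with the three-line '+++' fake scanner block."""
    lines = [l.strip() for l in body.splitlines() if l.strip()]
    return (len(lines) >= 3 and lines[-3] == "+++ Attachment: No Virus found"
            and any(lines[-2] == f"+++ {v} - You are protected" for v in VENDORS)
            and lines[-1].startswith("+++ www."))

def netsky_o_indicators(raw: bytes) -> set:
    """Names of the NetSky.O indicators an RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if (msg["Subject"] or "").strip() in SUBJECTS:
        hits.add("subject")
    if any((p.get_filename() or "").lower() in ATTACHMENTS
           for p in msg.iter_attachments()):
        hits.add("attachment")
    text = msg.get_body(preferencelist=("plain",))
    if text is not None and has_fake_av_footer(text.get_content()):
        hits.add("footer")
    return hits

def is_netsky_o_lure(raw: bytes) -> bool:
    """Footer plus at least one other indicator, to limit false positives."""
    hits = netsky_o_indicators(raw)
    return "footer" in hits and len(hits) >= 2

def build_sample(subject: str, attachment: str, body: str) -> bytes:
    """Construct a sample message (not a real capture) in NetSky.O's shape."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", subject
    m.set_content(body)
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                     filename=attachment)
    return m.as_bytes()

LURE = build_sample("Re: Protected Mail Delivery", "details.pif",
    "Protected message is attached.\n\n+++ Attachment: No Virus found\n"
    "+++ F-Secure AntiVirus - You are protected\n+++ www.f-secure.com\n")
```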
Detection for this malware was published on March 17th, 2004
in the following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2004-03-17_01
Technical Details:
Gergely Erdelyi, March 17th, 2004;
Description Updated:
Alexey Podrezov, March 18th, 2004;
F-Secure Corporation