Disinfection instructions can be found here:
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.txt
System administrators who are using F-Secure Policy Manager
can distribute the tool as a JAR package automatically to all
workstations.
System administrators can download the JAR version from:
http://www.europe.f-secure.com/tools/f-netsky.jar
ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.jar
System Infection
Upon execution the worm copies its dropper to the Windows directory
as 'PandaAVEngine.exe' and registers it to run at startup under the
following registry key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PandaAVEngine" = "%WinDir%\PandaAVEngine.exe"
where %WinDir% is the Windows directory.
The main DLL is dropped in the same directory with the filename
'temp09094283.dll'.
The worm removes several registry values that belong to other worms.
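The persistence entry above can be audited offline from a registry export taken on a suspect host (for example with 'reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg'; note that reg.exe writes UTF-16 text, so decode it before passing it in). The following is an added example, not F-Secure's disinfection tool: it parses the string values of a .reg export and flags Run entries whose value name or data match the dropper and DLL names given in this description. The sample export, including the benign ctfmon entry, is constructed for illustration.

```python
"""Audit an exported Run key for the NetSky.R persistence entry.

Added example, not F-Secure's tool. The .reg text below is constructed;
on a real host it would come from 'reg export ... run.reg' decoded from UTF-16.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Indicators taken from the description: the Run value name and the
# two files dropped into the Windows directory.
NETSKY_R_VALUE = "PandaAVEngine"
NETSKY_R_FILES = ("pandaavengine.exe", "temp09094283.dll")

# Constructed sample export: one benign entry plus the worm's entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"PandaAVEngine"="C:\\WINDOWS\\PandaAVEngine.exe"
'''


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export.

    Only REG_SZ values ("name"="data") are handled; that is the type the
    Run key uses for autostart commands.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg exports escape backslashes and double quotes with a backslash.
            data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][m.group(1)] = data
    return keys


def find_netsky_r_persistence(reg_text):
    """Return [(value_name, data)] for Run entries matching NetSky.R indicators."""
    hits = []
    run_values = parse_reg_export(reg_text).get(RUN_KEY, {})
    for name, data in run_values.items():
        low = data.lower()
        if name == NETSKY_R_VALUE or any(f in low for f in NETSKY_R_FILES):
            hits.append((name, data))
    return hits


if __name__ == "__main__":
    for name, data in find_netsky_r_persistence(SAMPLE_REG):
        print(f"NetSky.R persistence: {name} -> {data}")
```

Matching on the file names as well as the value name catches a variant that keeps the same dropper but changes the Run value name; a clean host yields an empty list.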
Email Propagation
When collecting addresses, NetSky.R recursively searches all hard
drives and scans the content of files with the following extensions:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xls
.xml
This variant of NetSky sends emails with the following subject:
Re: Document<random numbers>
Body:
Excuse me,
the important document is attached,
Yours sincerely
And attachment name:
Document<random numbers>.pif
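The subject, body and attachment pattern above is specific enough to filter at a mail gateway. The following is an added example, not part of the F-Secure description: it parses a raw RFC 822 message with Python's standard email library and reports which of the three indicators match. The sample message, including its stub attachment payload, is constructed for illustration.

```python
"""Flag mail matching the NetSky.R propagation pattern.

Added example, not part of the F-Secure description. The raw message
below is constructed; the attachment payload is a stub, not the worm.
"""
import email
import re
from email import policy

# Indicators from the description: "Re: Document<random numbers>",
# the fixed body text, and "Document<random numbers>.pif".
SUBJECT_RE = re.compile(r"^Re: Document\d+$")
ATTACHMENT_RE = re.compile(r"^Document\d+\.pif$", re.IGNORECASE)
BODY_PHRASE = "the important document is attached"

SAMPLE_MESSAGE = b"""From: someone@example.com
To: victim@example.org
Subject: Re: Document27683
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

Excuse me,
the important document is attached,
Yours sincerely
--bnd
Content-Type: application/octet-stream; name="Document27683.pif"
Content-Disposition: attachment; filename="Document27683.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--bnd--
"""


def netsky_r_indicators(raw):
    """Return the names of the NetSky.R indicators matched by a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.append("subject")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and ATTACHMENT_RE.match(filename):
            hits.append("attachment")
        elif part.get_content_type() == "text/plain" and not part.is_attachment():
            if BODY_PHRASE in part.get_content().lower():
                hits.append("body")
    return hits


def is_netsky_r(raw):
    """A .pif attachment with the worm's naming alone is enough to quarantine."""
    return "attachment" in netsky_r_indicators(raw)


if __name__ == "__main__":
    print(netsky_r_indicators(SAMPLE_MESSAGE))
```

The attachment name is the strongest single indicator, since the subject and body are plain text a legitimate sender could also produce; the subject and body hits are useful as corroboration in a gateway rule that blocks .pif attachments outright.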
Payloads
Between April 11th and April 17th, 2004, computers infected with
NetSky.R perform a Distributed Denial-of-Service attack against the
following sites:
www.keygen.us
www.kazaa.com
www.emule-project.net
www.cracks.am
www.emule.de
Detection for this malware was published on March 31st, 2004
in the following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2004-03-31_01
Technical Details:
Gergely Erdelyi & Ero Carrera, March 31st, 2004;
Description Updated:
Alexey Podrezov, April 1st, 2004;
F-Secure Corporation