Threat Description



Aliases: NetSky.Z, W32/NetSky.Z@mm, I-Worm.Netsky.aa, Netsky.Z
Category: Malware
Type: Email-Worm
Platform: W32


The NetSky.Z worm was found on April 21st, 2004. This variant is very close to previous Netsky variants. The worm spreads in e-mails, but it does not spread over local networks or P2P and does not uninstall the Bagle worm. The worm has a backdoor that listens on port 665.


Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Technical Details

The worm's file is a PE executable 22016 bytes long packed with a new or modified file compressor. Some of the worm's text strings are encrypted.

Installation to system

Upon execution, NetSky.Z copies itself as Jammer2nd.exe to the Windows folder and adds a startup key for this file to the System Registry:

 "Jammer2nd" = "%WinDir%\Jammer2nd.exe"

where %WinDir% represents the Windows folder name.

Additionally, the worm creates a few files with the .LOG extension in the Windows folder. These files contain binary and MIME-encoded copies of the worm's executable that will be sent in e-mails.

Spreading in e-mail

Before spreading in e-mail, the worm collects e-mail addresses. It scans all files on all drives from C: to Z: except CD-ROM drives. If any file with the following extensions is found, the worm opens it and searches for e-mail addresses there:


The worm spreads itself in e-mails. It sends messages with different subject lines, body text and attachment names. Here's the list of subjects that the worm uses:


The message body is composed from one of the following strings:

Important details!
Important notice!
Important document!
Important bill!
Important data!
Important textfile!
Important informations!

The attachment name is selected from the following variants:

The ZIP attachments contain the worm's executables with one of the following names:

Informations.txt  <lots of spaces>  .exe
Textfile.txt  <lots of spaces>  .exe
Part-2.txt  <lots of spaces>  .exe
Data.txt  <lots of spaces>  .exe
Bill.txt  <lots of spaces>  .exe
Important.txt  <lots of spaces>  .exe
Notice.txt  <lots of spaces>  .exe
Details.txt  <lots of spaces>  .exe
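
A mail-gateway style check for the padded double-extension names listed above, added here as an example and not part of the original description. The function names, the executable-extension list and the whitespace threshold are assumptions; the sample archive is constructed and holds only placeholder bytes.

```python
import io
import re
import zipfile

# Assumed policy values for this example (not taken from the description).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}
MIN_PADDING = 5  # whitespace characters between decoy and real extension

# <stem>.<decoy extension><run of whitespace>.<real extension>
PADDED_NAME = re.compile(
    r"(?P<stem>.+)\.(?P<decoy>[A-Za-z0-9]{1,5})(?P<pad>\s+)\.(?P<real>[A-Za-z0-9]{1,5})"
)


def is_padded_executable(name):
    """True if whitespace padding pushes an executable extension out of view."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # ignore any folder part
    m = PADDED_NAME.fullmatch(base)
    if not m:
        return False
    return (len(m.group("pad")) >= MIN_PADDING
            and m.group("real").lower() in EXECUTABLE_EXTS)


def scan_zip(data):
    """Return the member names of a ZIP attachment that use the padding trick."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if is_padded_executable(n)]
    except zipfile.BadZipFile:
        return []  # unreadable archive: leave the decision to other policy


def build_sample_zip(names):
    """Constructed test archive; every member holds harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    padded = "Details.txt" + " " * 60 + ".exe"
    sample = build_sample_zip([padded, "report.txt", "setup.exe"])
    for hit in scan_zip(sample):
        print("padded executable name:", repr(hit))
```

The check looks only at the member names stored in the archive, so it flags the naming pattern regardless of what the file contains.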


The worm has a backdoor that listens on TCP port 665. It allows files to be downloaded and executed on an infected computer.


NetSky.Z has a payload. It performs a DoS (Denial of Service) attack on the following websites from 2nd to 5th of May, 2004:

