F-Secure provides a special disinfection utility that removes the
Netsky.AA worm infection. You can download this utility from our
FTP site:
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.zip
Disinfection instructions can be found here:
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.txt
The worm's file is a PE executable 17408 bytes long packed with a
new or modified file compressor.
Installation to system
Upon execution, NetSky.AA copies itself as WINLOGON.SCR into the
Windows folder and adds a startup key for this file to the System
Registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkynetsRevenge" = "%WinDir%\winlogon.scr"
where %WinDir% represents the Windows folder name.
Then the worm shows a fake error message box.
If the worm's file extension is SCR, then the message box is now
shown.
Spreading in e-mails
The worm scans all hard drives from C: to Z: to harvest e-mail
addresses. The worm looks for e-mail addresses in files with the
following extensions:
.eml
.txt
.php
.cfg
.mbx
.mdx
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.pl
.htm
.html
.sht
.oft
.msg
.ods
.stm
.xls
.jsp
.wsh
.xml
.mht
.mmf
.nch
.ppt
The Netsky.AA worm ignores e-mail addresses that contain any of the
following strings:
icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abuse
messagelabs
skynet
andasoftwa
freeav
sophos
antivir
iruslis
The worm composes e-mails with different subject and body texts.
Here is the list of subject texts that the worm uses:
Re: Document
Re: Approved
Re: Text
Re: Thank you!
Re: Details
Re: Photos
Re: Private
Re: Information
Re: Hi
Re: Hello
Re: Summary
Re: Step by Step
Re: Music
Re: Application
Re: Tel. Numbers
Re: List
Re: Text file
Re: Paint file
Re: Contacts
Re: e-Books
Re: Bill
Re: Error
Re: Missed
Re: Letter
Re: Product
Re: Website
Re: Movie
Re: Presentation
Re: Advice
Re: Fax number
Re: Cheaper
Re: War
Re: Demo
Re: Final
Re: Poster
Re: Patch
Re: Pricelist
Re: Job
The worm uses one of the following text strings as body text for
an infected message:
Your document is attached.
Here is the file.
Please view the attached file.
See the attached file for details.
Please take the attached file.
Please have a look at the attached file.
Please read the attached file.
Your file is attached.
For furher details see the attached file.
Netsky.AA attaches its executable file to e-mails that it sends
out. The attachment name is selected from the following variants:
Your_Document.pif
Your_Document.pif
Your_Text.pif
Your_Document_Part3.pif
Your_Details.pif
Your_Pics.pif
Your_Private_Document.pif
Your_Information.pif
Your_Document.pif
Your_Digicam_Pictures.pif
Your_Summary.pif
Your_Description.pif
Your_Music.pif
Your_Software.pif
My_Telephone_Numbers.pif
Your_List.pif
Your_Text_File.pif
Your_Paint_File.pif
Your_Contacts.pif
Your_E-Books.pif
Your_Bill.pif
Your_Error.pif
Your_Excel_Document.pif
Your_Letter.pif
Your_Product.pif
Your_Website.pif
Your_Movie.pif
Your_Presentation.pif
My_Advice.pif
My_Fax_Numbers.pif
Your_Product_List.pif
Osam_Bin_Laden_Articel_42.pif
Your_Demo.pif
Your_Final_Document.pif
Your_Poster.pif
Your_Patch.pif
Your_Pricelist.pif
Your_Job.pif
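The fixed subject lines, body texts and .pif attachment names listed above are usable as a mail-gateway detection. The following is an added example, not F-Secure's code: it checks a raw RFC 822 message against a subset of those indicators, and the sample messages and the two-indicator threshold are constructed for illustration.

```python
import email
from email import policy

# Indicators copied from the Netsky.AA description above (a subset of each list).
NETSKY_SUBJECTS = {"Re: Document", "Re: Approved", "Re: Details", "Re: Photos",
                   "Re: Patch", "Re: Job"}
NETSKY_BODIES = {"Your document is attached.", "Here is the file.",
                 "Please view the attached file.",
                 "For furher details see the attached file."}  # spelling is the worm's own
NETSKY_ATTACHMENTS = {"Your_Document.pif", "Your_Details.pif", "Your_Pics.pif",
                      "Your_Patch.pif", "Your_Job.pif"}

def netsky_aa_indicators(raw_message):
    """Return the Netsky.AA indicators matched by one RFC 822 message, in walk order."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip() in NETSKY_SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            # A name from the worm's list is a strong hit; any other .pif is a weak one.
            if filename in NETSKY_ATTACHMENTS:
                hits.append("attachment-name")
            elif filename.lower().endswith(".pif"):
                hits.append("pif-attachment")
        elif part.get_content_type() == "text/plain":
            if part.get_content().strip() in NETSKY_BODIES:
                hits.append("body")
    return hits

def is_netsky_aa(raw_message):
    """Flag only when two or more distinct indicators agree: a subject such as
    'Re: Details' on its own is far too common to quarantine on."""
    return len(set(netsky_aa_indicators(raw_message))) >= 2

# Constructed sample messages (not real captures) so the check runs stand-alone.
SAMPLE_WORM = (
    "From: alice@example.invalid\nTo: bob@example.invalid\nSubject: Re: Details\n"
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nPlease view the attached file.\n"
    '--b1\nContent-Type: application/octet-stream; name="Your_Details.pif"\n'
    'Content-Disposition: attachment; filename="Your_Details.pif"\n'
    "Content-Transfer-Encoding: base64\n\nQ09OU1RSVUNURUQ=\n--b1--\n"
)
SAMPLE_BENIGN = (
    "From: carol@example.invalid\nTo: bob@example.invalid\nSubject: Re: Details\n"
    "Content-Type: text/plain\n\nMeeting moved to 3pm, see you there.\n"
)
```

`is_netsky_aa(SAMPLE_WORM)` returns True (subject, body and attachment name all match), while `is_netsky_aa(SAMPLE_BENIGN)` returns False because only the generic subject matches.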
Detection of NetSky.AA worm was published on April 27th, 2004 in
the following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2004-04-27_01
Technical Details:
Alexey Podrezov, April 27th, 2004;
Description Updated:
Alexey Podrezov, April 29th, 2004;
F-Secure Corporation