Threat Description

NetSky.AD

Details

Aliases: NetSky.AD, W32/NetSky.AD@mm
Category: Malware
Type: Email-Worm
Platform: W32

Summary



Despite the arrest of the Netsky's worm author, new worm variants keep coming. On May 21st 2004 we received a sample of a new Netsky worm variant. Even more interesting is the fact that the new Netsky drops a Bugbear's worm keylogger to an infected system. This Netsky variant is based on Netsky.D worm variant, that was found on March 1st, 2004.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details



Descriptions of NetSky.D worm variant can be found here: NetSky.D.

Descriptions of Bugbear worm keylogger can be found here: Tanatos

The worm's file is a PE executable file 40448 bytes long packed with a modified UPX file compressor. The Bugbear's keylogger is a PE DLL file 5632 bytes long. The keylogger is dropped to Windows System folder with a random name and it creates 2 more DLL files with random names there. These files are used to store keylogger data in encrypted form.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More