Despite the arrest of the Netsky's worm author, new worm variants keep coming. On May 21st 2004 we received a sample of a new Netsky worm variant. Even more interesting is the fact that the new Netsky drops a Bugbear's worm keylogger to an infected system. This Netsky variant is based on Netsky.D worm variant, that was found on March 1st, 2004.
Disinfection & Removal
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Eliminating a Local Network Outbreak
If the infection is in a local network, please follow the instructions on this webpage:
Descriptions of NetSky.D worm variant can be found here: NetSky.D.
Descriptions of Bugbear worm keylogger can be found here: Tanatos
The worm's file is a PE executable file 40448 bytes long packed with a modified UPX file compressor. The Bugbear's keylogger is a PE DLL file 5632 bytes long. The keylogger is dropped to Windows System folder with a random name and it creates 2 more DLL files with random names there. These files are used to store keylogger data in encrypted form.