Summary

Despite the arrest of the Netsky's worm author, new worm variants keep coming. On May 21st 2004 we received a sample of a new Netsky worm variant. Even more interesting is the fact that the new Netsky drops a Bugbear's worm keylogger to an infected system. This Netsky variant is based on Netsky.D worm variant, that was found on March 1st, 2004.

Additional Details

Descriptions of NetSky.D worm variant can be found here:

http://www.f-secure.com/v-descs/netsky_d.shtml

Descriptions of Bugbear worm keylogger can be found here:

http://www.f-secure.com/v-descs/tanatos.shtml

The worm's file is a PE executable file 40448 bytes long packed with a modified UPX file compressor. The Bugbear's keylogger is a PE DLL file 5632 bytes long. The keylogger is dropped to Windows System folder with a random name and it creates 2 more DLL files with random names there. These files are used to store keylogger data in encrypted form.

Detection

Detection for NetSky.AD worm is available in the following FSAV updates:

[FSAV_Database_Version]
Version=2004-05-21_05

Technical Details: Alexey Podrezov, May 21st, 2004;