NetSky.F worm variant was found on 3rd of March 2004. This variant spreads itself in emails as an executable attachment.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
The following text string is present in the worm's body:
Skynet AntiVirus - Bagle - you are a looser!!!!
This indicates an on-going competition/war among virus writers of the currently widespread malware: Bagle and NetSky. This NetSky worm variant tries to remove Bagle worm infection if it finds it on an infected computer.
Descriptions of all previous NetSky variants can be found here:
The worm's file is a PE executable file 18432 bytes long, packed with PE-Pack file compressor. The unpacked file's size is over 28 kilobytes.
On March 2nd, 2004 the worm constantly beeps with PC speaker from 6:00 to 8:59. Below is the link to the WAV file with the sound that the worm makes: https://www.f-secure.com/v-pics/netsky_d.wav
NetSky.F worm doesn't copy its files to shared folders.
When run, the worm installs itself to system. It copies its file to Windows folder as SVCHOST.EXE and creates a startup key for this file in System Registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Zone Labs Client Ex" = "%windir%\svchost.exe -antivirus service"
where %windir% represents Windows directory
The worm creates a mutex named "LK[SkyNet.cz]SystemsMutex" to avoid running more than one instance of itself.
NetSky.F worm has its own SMTP engine that it uses to send emails with infected attachments to all found email addresses. The worm uses different subjects, message body texts and attachment names in its emails.
The worm scans all available drives except CD-ROM drives for emails. It searches for email addresses in files with the following extensions:
.dhtm .cgi .shtm .msg .oft .sht .dbx .tbb .adb .doc .wab .asp .uin .rtf .vbs .html .htm .php .txt .eml
The subject for infected messages is selected from the following list:
Re: Your website Re: Your product Re: Your letter Re: Your archive Re: Your text Re: Your bill Re: Your details Re: My details Re: Word file Re: Excel file Re: Details Re: Approved Re: Your software Re: Your music Re: Here Re: Re: Re: Your document Re: Hello Re: Hi Re: Re: Message Re: Your picture Re: Here is the document Re: Your document Re: Thanks! Re: Re: Thanks! Re: Re: Document Re: Document
The message body text for infected messages is selected from the following list:
Your file is attached. Please read the attached file. Please have a look at the attached file. See the attached file for details. Here is the file. Your document is attached.
The attachment name for infected messages is selected from the following list:
your_website.pif your_product.pif your_letter.pif your_archive.pif your_text.pif your_bill.pif your_details.pif document_word.pif document_excel.pif my_details.pif all_document.pif application.pif mp3music.pif yours.pif document_4351.pif your_file.pif message_details.pif your_picture.pif document_full.pif message_part2.pif document.pif your_document.pif
The worm avoids sending emails to email addresses that contain any of the following substrings:
icrosoft antivi ymantec spam avp f-secur itdefender orman cafee aspersky f-pro orton fbi abuse messagelabs skynet andasoftwa freeav sophos antivir iruslis
The NetSky.F worm variant of the worm deletes the following Registry keys:
[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32] [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF] [HKLM\System\CurrentControlSet\Services\WksPatch] [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
system. [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
KasperskyAv
Explorer
Taskmon
system.
msgsvr32
DELETE ME
service
Sentry
Windows Services Host [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
KasperskyAv
Explorer
OLE
Windows Services Host
d3dupdate.exe
au.exe
sysmon.exe
rate.exe
gouday.exe
NetSky.F worm removes Registry keys of several Bagle worm variants if it finds them on an infected computer. The last 5 keys listed above belong to earlier Bagle variants.