
Worm:W32/NetSky.L

Classification

Category: Malware
Type: Email-Worm
Aliases: NetSky.L, W32/Netsky.L, I-Worm.Netsky.l

Summary

Another Netsky variant, discovered on March 10th, 2004. It drops a copy of itself as AVprotect.exe in the Windows directory.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

This new variant is a stripped down version, just containing a minimum set of features and with no comments on the ongoing virus war.

It will create the following key to point to itself:

 [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 "HtProtect" = %sysdir%\AVprotect.exe

It also creates a mutex named "Rabbo" so that it is not run more than once.

Email Spreading

It will spread using any of the following subjects:

 Re: Important
 Re: Your document
 Re: Your details
 Re: Approved

With message bodies from the list:

 Your file is attached.
 Please read the document.
 Your document is attached.
 Please read the attached file.
 Please see the attached file for details.

And with attachment names from:

 your_file_%s.pif
 details_%s.pif
 document_%s.pif

Where '%s' will be substituted by a text string.
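
The subject, body and attachment indicators listed above can be combined into a mail-filter check. The following is an added example, not part of the original description or any F-Secure product; the function names, the sample messages and the rule of requiring the attachment name plus one text indicator are assumptions.

```python
import re
from email import message_from_string
from email.message import Message

# Indicators copied from the description above, lower-cased for comparison.
SUBJECTS = {"re: important", "re: your document", "re: your details", "re: approved"}
BODIES = {
    "your file is attached.",
    "please read the document.",
    "your document is attached.",
    "please read the attached file.",
    "please see the attached file for details.",
}
# '%s' is an unspecified text string, so any non-empty text is accepted there.
ATTACHMENT_RE = re.compile(r"^(your_file|details|document)_.+\.pif$", re.IGNORECASE)


def netsky_l_indicators(msg: Message) -> dict:
    """Report which of the three indicator groups a parsed message matches."""
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    hits = {"subject": subject in SUBJECTS, "body": False, "attachment": False}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            hits["attachment"] |= bool(ATTACHMENT_RE.match(filename.strip()))
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text = " ".join(payload.decode("latin-1").split()).lower()
            hits["body"] |= text in BODIES
    return hits


def is_suspect(msg: Message) -> bool:
    """Assumed policy: attachment name plus at least one text indicator."""
    hits = netsky_l_indicators(msg)
    return hits["attachment"] and (hits["subject"] or hits["body"])


def sample_message(subject: str, body: str, filename: str) -> Message:
    """Build a constructed test message (placeholder address and payload)."""
    return message_from_string(
        f"From: a@example.test\r\nSubject: {subject}\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        f"--b1\r\nContent-Type: text/plain\r\n\r\n{body}\r\n"
        "--b1\r\nContent-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\nAAAA\r\n--b1--\r\n"
    )
```

Requiring two indicator groups keeps a legitimate "Re: Approved" reply with an ordinary attachment from being flagged.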
