
Worm:W32/NetSky.O

Classification

Category:

Malware

Type:

Email-worm

Aliases:

  • NetSky.O
  • W32/Netsky.O
  • I-Worm.Netsky.o

Summary

The Netsky.O variant was discovered on March 16th, 2004. The O variant follows in the footsteps of the earlier ones. This variant uses four different fake antivirus scanner messages mentioning four different major antivirus companies, including F-Secure.

Removal

Technical Details

System Infection

Upon execution, the worm copies itself to the Windows System Directory under the filename 'AVBgle.exe' and registers that file to run at startup with the following registry value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsInfo" = "%SysDir%\AVBgle.exe"

The worm removes several registry values that belong to other worms.

Email Propagation

When collecting addresses, NetSky.O recursively searches through all hard drives and checks the content of files with the following extensions:

.pl .htm .html .eml .txt .php .asp .wab .doc .vbs .rtf .uin .shtm .cgi .dhtm .adb .tbb .dbx .sht .oft .msg .jsp .wsh .xml

Emails are composed of different components, each randomly chosen from a predefined set.

Possible subjects:

  • Re: Mail Authentification
  • Re: Delivery Protection
  • Re: Secure delivery
  • Re: Protected Mail Delivery
  • Re: Protected Mail System
  • Re: Protected Mail Request
  • Re: Secure SMTP Message
  • Re: Extended Mail System
  • Re: Error
  • Re: Message Error
  • Re: Administration
  • Re: Test
  • Re: Thank you for delivery
  • Re: Failure
  • Re: Bad Request
  • Re: Delivery Server
  • Re: Mail Server
  • Re: SMTP Server
  • Re: Notify
  • Re: Status
  • Re: Extended Mail
  • Re: Encrypted Mail

Email bodies are chosen from:

  • You have received an extended message. Please read the instructions.
  • New message is available.
  • Now a new message is available.
  • You got a new message.
  • SMTP: Please confirm the attached message.
  • Bad Gateway: The message has been attached.
  • Protected message is available.
  • Waiting for authentification.
  • Protected message is attached.
  • Please authenticate the secure message.
  • Follow the instructions to read the message.
  • Please read the attachment to get the message.
  • Encrypted message is available.
  • Delivered message is attached.
  • Forwarded message is available.
  • Secure Mail System Beta Test.
  • Protected Mail System Test.
  • Your requested mail has been attached.
  • For further details see the attachment.
  • For more details see the attachment.
  • First part of the secure mail is available.
  • Waiting for a Response. Please read the attachment.
  • Partial message is available.
  • ESMTP [Secure Mail System #334]: Secure message is attached.
  • Please confirm my request.

Attachment names can be one of:

  • message.pif
  • msg.pif
  • details.pif
  • data.pif
  • document.pif
  • readme.pif

All messages end with a fake antivirus scanner message chosen from four different variants:

  • +++ Attachment: No Virus found +++ Panda AntiVirus - You are protected +++ www.pandasoftware.com
  • +++ Attachment: No Virus found +++ F-Secure AntiVirus - You are protected +++ www.f-secure.com
  • +++ Attachment: No Virus found +++ Norman AntiVirus - You are protected +++ www.norman.com
  • +++ Attachment: No Virus found +++ Norton AntiVirus - You are protected +++ www.symantec.de
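The subject, attachment-name and fake-footer sets above are enough to write a simple mail-gateway check. The following is an added example, not F-Secure's code: it parses a raw message with Python's standard email module, reports which NetSky.O traits are present, and only flags the mail when at least two traits coincide, since a subject like "Re: Test" is common in legitimate mail. The two sample messages at the bottom are constructed for the demonstration, not real captures.

```python
import re
from email import message_from_string

# Indicator sets transcribed from the NetSky.O description above.
SUBJECTS = {
    "Re: Mail Authentification", "Re: Delivery Protection", "Re: Secure delivery", "Re: Protected Mail Delivery",
    "Re: Protected Mail System", "Re: Protected Mail Request", "Re: Secure SMTP Message", "Re: Extended Mail System",
    "Re: Error", "Re: Message Error", "Re: Administration", "Re: Test", "Re: Thank you for delivery", "Re: Failure",
    "Re: Bad Request", "Re: Delivery Server", "Re: Mail Server", "Re: SMTP Server", "Re: Notify", "Re: Status",
    "Re: Extended Mail", "Re: Encrypted Mail",
}
ATTACHMENTS = {"message.pif", "msg.pif", "details.pif", "data.pif", "document.pif", "readme.pif"}
# All four fake scanner footers share this shape, whichever vendor they name.
FOOTER = re.compile(r"\+\+\+ Attachment: No Virus found \+\+\+ .+ AntiVirus - You are protected \+\+\+")

def netsky_o_indicators(raw: str) -> list:
    """Return the NetSky.O traits found in one raw RFC 822 message, in order of discovery."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():  # for non-multipart mail walk() yields the message itself
        name = part.get_filename()  # Content-Disposition filename, else Content-Type name
        if name and name.lower() in ATTACHMENTS:
            hits.append("attachment")
        if part.get_content_type() == "text/plain":
            body = (part.get_payload(decode=True) or b"").decode("latin-1", "replace")
            if FOOTER.search(body):
                hits.append("fake_av_footer")
    return hits

def is_netsky_o(raw: str) -> bool:
    """Flag only when two or more independent traits coincide; 'Re: Test' alone is far too common."""
    return len(set(netsky_o_indicators(raw))) >= 2

# Constructed sample messages (not real captures) for exercising the detector offline.
SAMPLE_WORM = """\
Subject: Re: Protected Mail Delivery
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

+++ Attachment: No Virus found +++ F-Secure AntiVirus - You are protected +++ www.f-secure.com
--b1
Content-Type: application/octet-stream; name="document.pif"

AAAA
--b1--
"""
SAMPLE_BENIGN = "Subject: Re: Test\nContent-Type: text/plain\n\nDid the build pass?\n"
```

Calling `is_netsky_o(SAMPLE_WORM)` returns True while `is_netsky_o(SAMPLE_BENIGN)` returns False, because the benign mail matches only on its subject.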
