GO TO: Summary | Removal | Technical Details
Worm:W32/ NetSky.B (also known as Moodown.B) worm was found on 18th of February 2004. It is a minor variant of NetSky.A worm that appeared 2 days earlier.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note You need administrative rights to change the settings.
Find the latest advice in our Community Knowledge Base.
See the user guide for your product on the Help Center.
Chat with or call an expert for help.
Submit a file or URL for further analysis.
The worm spreads itself in emails inside a ZIP archive or as an executable attachment. It also copies itself to shared folders of all available drives. This allows the worm to spread in P2P (peer-to-peer) and local networks.
When the worm's file is run, it first shows a fake error messagebox:
Then the worm copies itself to Windows directory with SERVICES.EXE name and creates a startup key for this file in System Registry:
where %windir% represents Windows directory. At the same time the worm also attempts to delete the following key values:
After that the worm starts looking for email addresses. It scans files with the following extensions on all available drives (c:-z:) except CD-ROM drives:
If the worm finds a folder with the 'sharing' or 'share' name, it copies itself to that folder with the following names:
When Internet connection is available, the worm starts to spread itself. It creates ZIP archives with its file in Windows directory. The names of these ZIP archives are the same as the names of worm's files inside. The worm can use the following names for its attachments:
The worm can use one or two extensions for its attachments. For the first extension the worm uses the following:
For the second extension the worm uses the following:
The worm spreads itself in emails as a ZIP attachment or as an attachment with one of the above shown names. The subject of an infected email can be one of the following:
The body text of an infected email can be one of the following:
The worm's file is attached to the infected email inside a ZIP archive or as an normal binary file. A recipient has to unpack the worm's attachment from a ZIP archive and to run it or to run an executable attachment to get infected.