Threat description




A new variant of Netsky worm - Netsky.D was found on March 1st, 2004 and is spreading fast in the wild. This worm variant lacks many text strings that were present in NetSky.C variant and it does not copy itself to shared folders. Netsky.D spreads itself in e-mails as an executable attachment only.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Technical Details

Descriptions of previous NetSky variants can be found here:

The differences between Netsky.D variant and the previous variants of the worm are as follows:

  • The worm's file is packed with Petite file compressor and is 17424 bytes long. The unpacked file's size is about 28 kilobytes.
  • The worm doesn't show an error messagebox when run for the first time.
  • On March 2nd, 2004 the worm constantly beeps with PC speaker from 6:00 to 8:59. Below is the link to the WAV file with the sound that the worm makes:

Here's a screenshot of the worm's file contents with a message from its creators:

Like the previous variant, the NetSky.D variant installs itself as WINLOGON.EXE file to Windows folder and creates a startup key for this file in the Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]  "ICQ Net" = "%windir%\winlogon.exe -stealth"  

where %windir% represents Windows directory.

The NetSky.D variant of the worm deletes the following Registry keys:

[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32] [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF] [HKLM\System\CurrentControlSet\Services\WksPatch] [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]  KasperskyAv  Explorer  Taskmon  system.  msgsvr32  DELETE ME  service  Sentry  Windows Services Host [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]  KasperskyAv  Explorer  d3dupdate.exe  au.exe  OLE  Windows Services Host [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]  system.  

The worm has the same list of file extensions that it uses to look for e-mail addresses. Files with these extensions are searched on all drives from C: to Z: except CD-ROM drives. Here's the list of file extensions that the worm uses:

.eml  .txt  .php  .pl  .htm  .html  .vbs  .rtf  .uin  .asp  .wab  .doc  .adb  .tbb  .dbx  .sht  .oft  .msg  .shtm  .cgi  .dhtm  

Like its previous variants, this worm variant avoids sending e-mails to addresses that contain the following strings:

icrosoft  antivi  ymantec  spam  avp  f-secur  itdefender  orman  cafee  aspersky  f-pro  orton  fbi  abuse  messagelabs  skynet  

The subjects of infected messages sent by the worm can be one of the following:

Re: Document  Re: Re: Document  Re: Re: Thanks!  Re: Thanks!  Re: Your document  Re: Here is the document  Re: Your picture  Re: Re: Message  Re: Hi  Re: Hello  Re: Re: Re: Your document  Re: Here  Re: Your music  Re: Your software  Re: Approved  Re: Details  Re: Excel file  Re: Word file  Re: My details  Re: Your details  Re: Your bill  Re: Your text  Re: Your archive  Re: Your letter  Re: Your product  Re: Your website  

The infected message body text can be the following:

Your document is attached.  Here is the file.  See the attached file for details.  Please have a look at the attached file.  Please read the attached file.  Your file is attached.  

The infected attachment names are randomly selected from the following list:

your_document.pif  your_document.pif  document.pif  message_part2.pif  your_document.pif  document_full.pif  your_picture.pif  message_details.pif  your_file.pif  your_picture.pif  document_4351.pif  yours.pif  mp3music.pif  application.pif  all_document.pif  my_details.pif  document_excel.pif  document_word.pif  my_details.pif  your_details.pif  your_bill.pif  your_text.pif  your_archive.pif  your_letter.pif  your_product.pif  your_website.pif  

The worm doesn't use any exploits to make its file run automatically on recipients' systems. A recipient has to run the executable attachment to get infected.

Submit a Sample

Suspect a file or URL was wrongly detected?
Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info