Threat Description

NetSky.M

Details

Aliases: NetSky.M, W32/Netsky.M, I-Worm.Netsky.m
Category: Malware
Type: Email-Worm
Platform: W32

Summary


The Netsky.M variant discovered on March 11th 2004. It drops itself as AVprotect9x.exe to Windows directory.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.



Technical Details


This new variant is almost identical to Netsky.L, with some minor changes in the appearance of the emails in which it spreads.

It will create the following key to point to itself:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]  "9xHtProtect" = %sysdir%\AVprotect9x.exe  

And create a mutex named "Rabbo_Mutex" so it's not run more than once.

Email Spreading

It will spread using any of the following subjects:

Re:  Requested file  Re:  My file  Re:  My document  Re:  My information  Re:  My details  Re:  Information  Re:  Improved  Re:  Requested document  Re:  Document  Re:  Details  Re:  Your document  Re:  Your details  Re:  Approved  

With message bodies from the list:

Details for %s.  Document %s.  I have received your document. The improved document %s is attached.  I have attached your document %s.  Your document %s is attached to this mail.  Authentification for %s required.  Requested file %s.  See the file %s.  Please read the important message msg_%s.  Please confirm the document %s.  %s is attached.  Your file %s is attached.  Please read the document %s.  Your document %s is attached.  Please read the attached file %s.  Please see the attached file %s for details.  

Where '%s' will be substituted by a text string.

And with attachment names from:

improved_%s  message_%s  detailed_%s  your_document_%s  word_doc_%s  doc_%s  articel_%s  picture_%s  file_%s  your_file_%s  details_%s  document_%s  

Where '%s' will be substituted by a text string.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More