Threat Descriptions

Worm:W32/NetSky.M

Classification

Category :

Malware

Type :

Email-Worm

Platform :

W32

Aliases :

NetSky.M, W32/Netsky.M, I-Worm.Netsky.m

Summary

The Netsky.M variant discovered on March 11th 2004. It drops itself as AVprotect9x.exe to Windows directory.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

This new variant is almost identical to Netsky.L, with some minor changes in the appearance of the emails in which it spreads.

It will create the following key to point to itself:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"9xHtProtect" = %sysdir%\AVprotect9x.exe

And create a mutex named "Rabbo_Mutex" so it's not run more than once.

Email Spreading

It will spread using any of the following subjects:

Re:
Requested file
Re:
My file
Re:
My document
Re:
My information
Re:
My details
Re:
Information
Re:
Improved
Re:
Requested document
Re:
Document
Re:
Details
Re:
Your document
Re:
Your details
Re:
Approved

With message bodies from the list:

Details for %s.
Document %s.
I have received your document. The improved document %s is attached.
I have attached your document %s.
Your document %s is attached to this mail.
Authentification for %s required.
Requested file %s.
See the file %s.
Please read the important message msg_%s.
Please confirm the document %s.
%s is attached.
Your file %s is attached.
Please read the document %s.
Your document %s is attached.
Please read the attached file %s.
Please see the attached file %s for details.

Where '%s' will be substituted by a text string.

And with attachment names from:

improved_%s
message_%s
detailed_%s
your_document_%s
word_doc_%s
doc_%s
articel_%s
picture_%s
file_%s
your_file_%s
details_%s
document_%s

Where '%s' will be substituted by a text string.