Threat description




The Netsky.M variant discovered on March 11th 2004. It drops itself as AVprotect9x.exe to Windows directory.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

This new variant is almost identical to Netsky.L, with some minor changes in the appearance of the emails in which it spreads.

It will create the following key to point to itself:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]  "9xHtProtect" = %sysdir%\AVprotect9x.exe  

And create a mutex named "Rabbo_Mutex" so it's not run more than once.

Email Spreading

It will spread using any of the following subjects:

Re:  Requested file  Re:  My file  Re:  My document  Re:  My information  Re:  My details  Re:  Information  Re:  Improved  Re:  Requested document  Re:  Document  Re:  Details  Re:  Your document  Re:  Your details  Re:  Approved  

With message bodies from the list:

Details for %s.  Document %s.  I have received your document. The improved document %s is attached.  I have attached your document %s.  Your document %s is attached to this mail.  Authentification for %s required.  Requested file %s.  See the file %s.  Please read the important message msg_%s.  Please confirm the document %s.  %s is attached.  Your file %s is attached.  Please read the document %s.  Your document %s is attached.  Please read the attached file %s.  Please see the attached file %s for details.  

Where '%s' will be substituted by a text string.

And with attachment names from:

improved_%s  message_%s  detailed_%s  your_document_%s  word_doc_%s  doc_%s  articel_%s  picture_%s  file_%s  your_file_%s  details_%s  document_%s  

Where '%s' will be substituted by a text string.

Submit a Sample

Suspect a file or URL was wrongly detected?
Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info