Worm:W32/NetSky.M

Classification

Malware

Email-Worm

W32

NetSky.M, W32/Netsky.M, I-Worm.Netsky.m

Summary

The Netsky.M variant discovered on March 11th 2004. It drops itself as AVprotect9x.exe to Windows directory.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

This new variant is almost identical to Netsky.L, with some minor changes in the appearance of the emails in which it spreads.

It will create the following key to point to itself:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"9xHtProtect" = %sysdir%\AVprotect9x.exe

And create a mutex named "Rabbo_Mutex" so it's not run more than once.

Email Spreading

It will spread using any of the following subjects:

Re:
Requested file
Re:
My file
Re:
My document
Re:
My information
Re:
My details
Re:
Information
Re:
Improved
Re:
Requested document
Re:
Document
Re:
Details
Re:
Your document
Re:
Your details
Re:
Approved

With message bodies from the list:

Details for %s.
Document %s.
I have received your document. The improved document %s is attached.
I have attached your document %s.
Your document %s is attached to this mail.
Authentification for %s required.
Requested file %s.
See the file %s.
Please read the important message msg_%s.
Please confirm the document %s.
%s is attached.
Your file %s is attached.
Please read the document %s.
Your document %s is attached.
Please read the attached file %s.
Please see the attached file %s for details.

Where '%s' will be substituted by a text string.

And with attachment names from:

improved_%s
message_%s
detailed_%s
your_document_%s
word_doc_%s
doc_%s
articel_%s
picture_%s
file_%s
your_file_%s
details_%s
document_%s

Where '%s' will be substituted by a text string.