Threat Description

NetSky.O

Details

Category: Malware
Type: Email-Worm
Platform: W32
Aliases: NetSky.O, W32/Netsky.O, I-Worm.Netsky.o

Summary


The Netsky.O variant was discovered on March 16th 2004.The O variant follows the footsteps of the earlier ones. This variant uses four different fake antivirus scanner messages mentioning four different major antivirus companies including F-Secure.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:



Technical Details


System Infection

Upon execution the worm copies itself to the Windows System Directory with the filename 'AVBgle.exe' which is added to the registry as

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] =    "MsInfo" = "%SysDir%\AVBgle.exe"  

The worm removes several registry values that belong to other worms.

Email Propagation

When collecting addresses NetSky.O recursively searches through all hard drives and checks the content of files with the following extensions:

.pl  .htm  .html  .eml  .txt  .php  .asp  .wab  .doc  .vbs  .rtf  .uin  .shtm  .cgi  .dhtm  .adb  .tbb  .dbx  .sht  .oft  .msg  .jsp  .wsh  .xml  

Emails composed from different components randomly chosen from predefined sets.

Possible subjects:

Re: Mail Authentification  Re: Delivery Protection  Re: Secure delivery  Re: Protected Mail Delivery  Re: Protected Mail System  Re: Protected Mail Request  Re: Secure SMTP Message  Re: Extended Mail System  Re: Error  Re: Message Error  Re: Administration  Re: Test  Re: Thank you for delivery  Re: Failure  Re: Bad Request  Re: Delivery Server  Re: Mail Server  Re: SMTP Server  Re: Notify  Re: Status  Re: Extended Mail  Re: Encrypted Mail  

Email bodies are chosen from:

You have received an extended message. Please read the instructions.  New message is available.  Now a new message is available.  You got a new message.  SMTP: Please confirm the attached message.  Bad Gateway: The message has been attached.  Protected message is available.  Waiting for authentification.  Protected message is attached.  Please authenticate the secure message.  Follow the instructions to read the message.  Please read the attachment to get the message.  Encrypted message is available.  Delivered message is attached.  Forwarded message is available.  Secure Mail System Beta Test.  Protected Mail System Test.  Your requested mail has been attached.  For further details see the attachment.  For more details see the attachment.  First part of the secure mail is available.  Waiting for a Response. Please read the attachment.  Partial message is available.  ESMTP [Secure Mail System #334]:  Secure message is attached.  Please confirm my request.  

Attachment names can be one of

message.pif  msg.pif  details.pif  data.pif  document.pif  readme.pif  

All messages end with a fake antivirus scanner message chosen from four different variants:

+++ Attachment: No Virus found  +++ Panda AntiVirus - You are protected  +++ www.pandasoftware.com  +++ Attachment: No Virus found  +++ F-Secure AntiVirus - You are protected  +++ www.f-secure.com  +++ Attachment: No Virus found  +++ Norman AntiVirus - You are protected  +++ www.norman.com  +++ Attachment: No Virus found  +++ Norton AntiVirus - You are protected  +++ www.symantec.de  





SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More