Threat description




NetSky.Z worm was found on April 21st, 2004. This variant is very close to previous Netsky variants. The worm spreads in e-mails, but does not spread to local network and P2P and does not uninstall Bagle worm. The worm has a backdoor that listens on port 665.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The worm's file is a PE executable 22016 bytes long packed with a new or modified file compressor. Some of the worm's text strings are encrypted.

Installation to system

Upon execution NetSky.Z copies itself as Jammer2nd.exe file to Windows folder and adds a startup key for this file into System Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]  "Jammer2nd" = "%WinDir%\Jammer2nd.exe"  

where %WinDir% represents Windows folder name.

Additionally the worm creates a few files with .LOG extension in Windows folder. These files contain binary and MIME-encoded copies of the worm's executable that will be sent in e-mails.

Spreading in e-mail

Before spreading in e-mail the worm collects e-mail addresses. It scans all files on all drives from C: to Z: except CD-ROM drives. If any file with the following extensions is found, the worm opens it and searches for e-mail addresses there:


The worm spreads itself in e-mails It sends messages with different subject lines, body text and attachment names. Here's the list of subjects that the worm uses:

Important  Document  Hello  Information  Hi  

The message body is composed from one the following strings:

Important details!  Important notice!  Important document!  Important bill!  Important data!  Important!  Important textfile!  Important informations!  

The attachment name is selected from the following variants:  

The ZIP attachments contain worm's executables with one of the following names:

Informations.txt  [lots of spaces]
 .exe  Textfile.txt  [lots of spaces]
 .exe  Part-2.txt  [lots of spaces]
 .exe  Data.txt  [lots of spaces]
 .exe  Bill.txt  [lots of spaces]
 .exe  Important.txt  [lots of spaces]
 .exe  Notice.txt  [lots of spaces]
 .exe  Details.txt  [lots of spaces]

The worm has a backdoor that listens on TCP port 665. It allows to download and execute files on an infected computer.


NetSky.Z has a payload. It performs a DoS (Denial of Service) attack on the following websites from 2nd to 5th of May, 2004:  

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info