NetSky.AA

Threat description

Details

CATEGORYMalware
TYPEEmail-Worm

Summary

NetSky.AA worm was found on April 27th, 2004. This variant is similar to previous Netsky variants, but it does not have a backdoor and a payload.

Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Technical Details

The worm's file is a PE executable 17408 bytes long packed with a new or modified file compressor.

Installation to system

Upon execution NetSky.AA copies itself as WINLOGON.SCR file to Windows folder and adds a startup key for this file into System Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkynetsRevenge" = "%WinDir%\winlogon.scr"

where %WinDir% represents Windows folder name.

Then the worm shows a fake error messagebox:

If the worm's file extension is SCR, then the messagebox is now shown.

Spreading in e-mails

The worm scans all hard drives from C: to Z: to harvest e-mail addresses. The worm looks for e-mail addresses in files with the following extensions:

.eml
.txt
.php
.cfg
.mbx
.mdx
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.pl
.htm
.html
.sht
.oft
.msg
.ods
.stm
.xls
.jsp
.wsh
.xml
.mht
.mmf
.nch
.ppt

Netsky.AA worm ignores e-mail addresses that contain any of the following strings:

icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abuse
messagelabs
skynet
andasoftwa
freeav
sophos
antivir
iruslis

The worm composes e-mails with different subject and body texts. Here is the list of subject texts that the worm uses:

Re: Document
Re: Approved
Re: Text
Re: Thank you!
Re: Details
Re: Photos
Re: Private
Re: Information
Re: Hi
Re: Hello
Re: Summary
Re: Step by Step
Re: Music
Re: Application
Re: Tel. Numbers
Re: List
Re: Text file
Re: Paint file
Re: Contacts
Re: e-Books
Re: Bill
Re: Error
Re: Missed
Re: Letter
Re: Product
Re: Website
Re: Movie
Re: Presentation
Re: Advice
Re: Fax number
Re: Cheaper
Re: War
Re: Demo
Re: Final
Re: Poster
Re: Patch
Re: Pricelist
Re: Job

The worm uses one of the following text strings as body text for an infected message:

Your document is attached.
Here is the file.
Please view the attached file.
See the attached file for details.
Please take the attached file.
Please have a look at the attached file.
Please read the attached file.
Your file is attached.
For furher details see the attached file.

Netsky.AA attaches its executable file to e-mails that it sends out. The attachment name is selected from the following variants:

Your_Document.pif
Your_Document.pif
Your_Text.pif
Your_Document_Part3.pif
Your_Details.pif
Your_Pics.pif
Your_Private_Document.pif
Your_Information.pif
Your_Document.pif
Your_Digicam_Pictures.pif
Your_Summary.pif
Your_Description.pif
Your_Music.pif
Your_Software.pif
My_Telephone_Numbers.pif
Your_List.pif
Your_Text_File.pif
Your_Paint_File.pif
Your_Contacts.pif
Your_E-Books.pif
Your_Bill.pif
Your_Error.pif
Your_Excel_Document.pif
Your_Letter.pif
Your_Product.pif
Your_Website.pif
Your_Movie.pif
Your_Presentation.pif
My_Advice.pif
My_Fax_Numbers.pif
Your_Product_List.pif
Osam_Bin_Laden_Articel_42.pif
Your_Demo.pif
Your_Final_Document.pif
Your_Poster.pif
Your_Patch.pif
Your_Pricelist.pif
Your_Job.pif

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info