Threat description




NetSky.AA worm was found on April 27th, 2004. This variant is similar to previous Netsky variants, but it does not have a backdoor and a payload.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:

Technical Details

The worm's file is a PE executable 17408 bytes long packed with a new or modified file compressor.

Installation to system

Upon execution NetSky.AA copies itself as WINLOGON.SCR file to Windows folder and adds a startup key for this file into System Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]  "SkynetsRevenge" = "%WinDir%\winlogon.scr"  

where %WinDir% represents Windows folder name.

Then the worm shows a fake error messagebox:

If the worm's file extension is SCR, then the messagebox is now shown.

Spreading in e-mails

The worm scans all hard drives from C: to Z: to harvest e-mail addresses. The worm looks for e-mail addresses in files with the following extensions:

.eml  .txt  .php  .cfg  .mbx  .mdx  .asp  .wab  .doc  .vbs  .rtf  .uin  .shtm  .cgi  .dhtm  .adb  .tbb  .dbx  .pl  .htm  .html  .sht  .oft  .msg  .ods  .stm  .xls  .jsp  .wsh  .xml  .mht  .mmf  .nch  .ppt  

Netsky.AA worm ignores e-mail addresses that contain any of the following strings:

icrosoft  antivi  ymantec  spam  avp  f-secur  itdefender  orman  cafee  aspersky  f-pro  orton  fbi  abuse  messagelabs  skynet  andasoftwa  freeav  sophos  antivir  iruslis  

The worm composes e-mails with different subject and body texts. Here is the list of subject texts that the worm uses:

Re: Document  Re: Approved  Re: Text  Re: Thank you!  Re: Details  Re: Photos  Re: Private  Re: Information  Re: Hi  Re: Hello  Re: Summary  Re: Step by Step  Re: Music  Re: Application  Re: Tel. Numbers  Re: List  Re: Text file  Re: Paint file  Re: Contacts  Re: e-Books  Re: Bill  Re: Error  Re: Missed  Re: Letter  Re: Product  Re: Website  Re: Movie  Re: Presentation  Re: Advice  Re: Fax number  Re: Cheaper  Re: War  Re: Demo  Re: Final  Re: Poster  Re: Patch  Re: Pricelist  Re: Job  

The worm uses one of the following text strings as body text for an infected message:

Your document is attached.  Here is the file.  Please view the attached file.  See the attached file for details.  Please take the attached file.  Please have a look at the attached file.  Please read the attached file.  Your file is attached.  For furher details see the attached file.  

Netsky.AA attaches its executable file to e-mails that it sends out. The attachment name is selected from the following variants:

Your_Document.pif  Your_Document.pif  Your_Text.pif  Your_Document_Part3.pif  Your_Details.pif  Your_Pics.pif  Your_Private_Document.pif  Your_Information.pif  Your_Document.pif  Your_Digicam_Pictures.pif  Your_Summary.pif  Your_Description.pif  Your_Music.pif  Your_Software.pif  My_Telephone_Numbers.pif  Your_List.pif  Your_Text_File.pif  Your_Paint_File.pif  Your_Contacts.pif  Your_E-Books.pif  Your_Bill.pif  Your_Error.pif  Your_Excel_Document.pif  Your_Letter.pif  Your_Product.pif  Your_Website.pif  Your_Movie.pif  Your_Presentation.pif  My_Advice.pif  My_Fax_Numbers.pif  Your_Product_List.pif  Osam_Bin_Laden_Articel_42.pif  Your_Demo.pif  Your_Final_Document.pif  Your_Poster.pif  Your_Patch.pif  Your_Pricelist.pif  Your_Job.pif  

Submit a Sample

Suspect a file or URL was wrongly detected?
Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info