
Worm:W32/NetSky.AA

Classification

Category: Malware

Type: Email-Worm

Aliases: NetSky.AA, W32/NetSky.AA@mm, I-Worm.Netsky.ab, Netsky.AA

Summary


The NetSky.AA worm was found on April 27th, 2004. This variant is similar to previous NetSky variants, but it has neither a backdoor nor a payload.

Removal


Automatic action

Once detected, the F-Secure security product will automatically handle a harmful program or file by either deleting or renaming it.

Eliminating a Local Network Outbreak

If the infection is in a local network, please follow the instructions on this webpage:


Technical Details


The worm's file is a 17408-byte PE executable packed with a new or modified file compressor.

Installation to system

Upon execution, NetSky.AA copies itself to the Windows folder as WINLOGON.SCR and adds a startup key for this file to the System Registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkynetsRevenge" = "%WinDir%\winlogon.scr"

where %WinDir% represents the Windows folder name.

Then the worm shows a fake error messagebox.

If the worm's file extension is SCR, the messagebox is not shown.

Spreading in emails

The worm scans all hard drives from C: to Z: to harvest email addresses. It looks for email addresses in files with the following extensions:

.eml
.txt
.php
.cfg
.mbx
.mdx
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.pl
.htm
.html
.sht
.oft
.msg
.ods
.stm
.xls
.jsp
.wsh
.xml
.mht
.mmf
.nch
.ppt

The NetSky.AA worm ignores email addresses that contain any of the following strings:

icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abuse
messagelabs
skynet
andasoftwa
freeav
sophos
antivir
iruslis

The worm composes emails with varying subject and body texts. The worm uses one of the following subject texts:

Re: Document
Re: Approved
Re: Text
Re: Thank you!
Re: Details
Re: Photos
Re: Private
Re: Information
Re: Hi
Re: Hello
Re: Summary
Re: Step by Step
Re: Music
Re: Application
Re: Tel. Numbers
Re: List
Re: Text file
Re: Paint file
Re: Contacts
Re: e-Books
Re: Bill
Re: Error
Re: Missed
Re: Letter
Re: Product
Re: Website
Re: Movie
Re: Presentation
Re: Advice
Re: Fax number
Re: Cheaper
Re: War
Re: Demo
Re: Final
Re: Poster
Re: Patch
Re: Pricelist
Re: Job

The worm uses one of the following text strings as body text for an infected message:

Your document is attached.
Here is the file.
Please view the attached file.
See the attached file for details.
Please take the attached file.
Please have a look at the attached file.
Please read the attached file.
Your file is attached.
For furher details see the attached file.

NetSky.AA attaches its executable file to the emails it sends out. The attachment name is selected from the following variants:

Your_Document.pif
Your_Document.pif
Your_Text.pif
Your_Document_Part3.pif
Your_Details.pif
Your_Pics.pif
Your_Private_Document.pif
Your_Information.pif
Your_Document.pif
Your_Digicam_Pictures.pif
Your_Summary.pif
Your_Description.pif
Your_Music.pif
Your_Software.pif
My_Telephone_Numbers.pif
Your_List.pif
Your_Text_File.pif
Your_Paint_File.pif
Your_Contacts.pif
Your_E-Books.pif
Your_Bill.pif
Your_Error.pif
Your_Excel_Document.pif
Your_Letter.pif
Your_Product.pif
Your_Website.pif
Your_Movie.pif
Your_Presentation.pif
My_Advice.pif
My_Fax_Numbers.pif
Your_Product_List.pif
Osam_Bin_Laden_Articel_42.pif
Your_Demo.pif
Your_Final_Document.pif
Your_Poster.pif
Your_Patch.pif
Your_Pricelist.pif
Your_Job.pif
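As an added example that is not part of the original description (and not an F-Secure tool), the following hypothetical mail-gateway check scores an incoming message against the subject, body and attachment strings listed in the "Spreading in emails" section, so that a message is flagged only when all three traits match. The string sets are abbreviated to a few entries from the lists above, and the sample message is constructed for the example.

```python
from email import message_from_bytes, policy

# Abbreviated from the lists above; extend with the full lists when deploying.
NETSKY_AA_SUBJECTS = {"Re: Document", "Re: Approved", "Re: Text", "Re: Patch", "Re: Job"}
NETSKY_AA_BODIES = {
    "Your document is attached.",
    "Here is the file.",
    "Please view the attached file.",
    "For furher details see the attached file.",  # the typo is part of the worm's own text
}
NETSKY_AA_ATTACHMENTS = {"Your_Document.pif", "Your_Text.pif", "Your_Patch.pif", "Your_Job.pif"}


def netsky_aa_indicators(raw_message: bytes) -> dict:
    """Report which NetSky.AA traits a raw RFC 822 message matches."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    return {
        "subject": subject in NETSKY_AA_SUBJECTS,
        "body": body in NETSKY_AA_BODIES,
        "attachment": any(n in NETSKY_AA_ATTACHMENTS for n in names),
        "pif_attachment": any(n.lower().endswith(".pif") for n in names),
    }


def is_netsky_aa(raw_message: bytes) -> bool:
    """Flag only when a listed subject, a listed body text and a listed .pif name occur together."""
    hits = netsky_aa_indicators(raw_message)
    return hits["subject"] and hits["body"] and hits["attachment"]


# Constructed sample (not a real capture) in the format the worm produces.
SAMPLE_WORM_MAIL = b"""From: sender@example.org
Subject: Re: Patch
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="us-ascii"

Your document is attached.
--XX
Content-Type: application/octet-stream; name="Your_Patch.pif"
Content-Disposition: attachment; filename="Your_Patch.pif"

PLACEHOLDER-NOT-A-REAL-BINARY
--XX--
"""
```

A message that only reuses one of the subjects (a legitimate "Re: Patch" reply, say) is not flagged, which keeps false positives down while still catching the worm's fixed combinations.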