NetSky.AF spreads itself in emails inside a ZIP archive or as an executable attachment. It also copies itself to shared folders of all available drives. This allows the worm to spread in peer-to-peer and local networks. It is related to NetSky.B.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
NetSky.AF arrives as an email attachment. When run, it displays a message box with the title "Fail", the message "File Corrupted replace this!!" and an OK button. It then copies itself to the %WinDir% directory under the name MsnMsgrs.exe and adds a Run key value to ensure the worm is started after reboot:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MsnMsgr" %WinDir%\MsnMsgrs.exe -alev
%WinDir% represents the Windows directory.
NetSky.AF then searches local drives for email addresses. Files with the following extensions are scanned for email addresses:
.SCS .oft .sht .dbx .tbb .adb .doc .wab .asp .uin .rtf .vbs .html .htm .pl .php .txt .eml
If the worm finds a folder with 'sharing' or 'share' in its name, it copies itself there under the following names:
aninha gatinha!.zip.scr
barrio.scr
cafe!!.zip.scr
Canaval2004!.jpg.pif
Carnaval em Salvador!!.zip.scr
caspa.scr
celulares!!.zip.scr
clica ai logo meu.scr
comoserrico!.zip.scr
importante!!!!!.zip.scr
minhavida!.zip.exe
MulataDandoOcujpg.scr
multas.pif
paula!.scr
puteiros!!.scr
receitas de bolo!!.zip.scr
rede globo tv!.zip.scr
ResidentEvil2.zip.scr
rocha.scr
traficoemSP!.scr
vadias peladas!!.scr
vida!!.zip.scr
VivaNaBaia!.scr
vota!.zip.scr
NetSky.AF also creates ZIP files under %WinDir% with the following names:
agua!.zip aqui.zip banco!.zip bingos!.zip carros!.zip circular.zip contas!!.zip criancas!.zip dinheiro!!.zip docs.zip email.zip festa!!.zip flipe.zip grana!!.zip impressao!!.zip jogo!.zip lantrocidade.zip loterias.zip lulao!.zip revista.zip sampa!!.zip sorteado!!.zip tetas.zip vaca.zip vadias!.zip vips!.zip
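A host-side sweep for the indicators described above, as an added example that is not part of the original description. The function names are hypothetical, the Run values are assumed to have been read from the registry elsewhere and passed in as strings, and the double-extension rule is a generalisation beyond the listed names.

```python
import os
import re
import tempfile

# Names listed above for copies dropped into share folders (compared case-insensitively).
DROPPED_NAMES = {n.lower() for n in (
    "aninha gatinha!.zip.scr|barrio.scr|cafe!!.zip.scr|Canaval2004!.jpg.pif|"
    "Carnaval em Salvador!!.zip.scr|caspa.scr|celulares!!.zip.scr|"
    "clica ai logo meu.scr|comoserrico!.zip.scr|importante!!!!!.zip.scr|"
    "minhavida!.zip.exe|MulataDandoOcujpg.scr|multas.pif|paula!.scr|"
    "puteiros!!.scr|receitas de bolo!!.zip.scr|rede globo tv!.zip.scr|"
    "ResidentEvil2.zip.scr|rocha.scr|traficoemSP!.scr|vadias peladas!!.scr|"
    "vida!!.zip.scr|VivaNaBaia!.scr|vota!.zip.scr"
).split("|")}
# Assumption (generalisation): a .zip/.jpg extension followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(zip|jpg)\.(scr|pif|exe)$", re.I)
# Run value data ending in \MsnMsgrs.exe, optionally quoted, with or without -alev.
RUN_TARGET = re.compile(r'\\msnmsgrs\.exe"?(\s+-alev)?\s*$', re.I)


def is_netsky_run_entry(value_name, value_data):
    """True when a Run value matches the persistence entry described above."""
    return value_name.lower() == "msnmsgr" and bool(RUN_TARGET.search(value_data))


def scan_share_folders(root):
    """Return sorted (relative path, reason) hits in folders named *share*/*sharing*."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(dirpath).lower()
        if "share" not in folder and "sharing" not in folder:
            continue
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name.lower() in DROPPED_NAMES:
                hits.append((rel, "listed name"))
            elif DOUBLE_EXT.search(name):
                hits.append((rel, "double extension"))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample tree and Run value, for demonstration only.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "My Shared Folder"))
        for fname in ("rocha.scr", "notes.txt"):
            open(os.path.join(root, "My Shared Folder", fname), "w").close()
        print(scan_share_folders(root))
    print(is_netsky_run_entry("MsnMsgr", r"C:\WINDOWS\MsnMsgrs.exe -alev"))
```

The Run check requires both the value name and the MsnMsgrs.exe target, so an entry that merely shares the value name is not reported.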
If an Internet connection is available, NetSky.AF uses its own SMTP engine to send out infected email messages.
The attached files are chosen from the list above. The sender email address is spoofed and will be one of the collected addresses. The subject is one of the following:
0123456789 AninhaPutinha +55operado6992292246 vaca tetas war3! AIDS! grana banco! revista lulao! imposto jogo! loterias vips! missao vadias! email flipe botao sampa!! contas!! zerado :( criancas! brasil! lantrocidade aqui docs festa!! LINUSTOR bingos! agua! :D sorteado!! grana!! dinheiro!! carros! voce :-) ??? circular agradou diga robos! impressao!! massas! pescaria por kilo Sua saude esta bem? morto :)
The message body will be one of the following:
me veja peladinha gostaria disso e voce??? algo a mais falea verdade!!! ganhe muita grana campanhadafome pq nao me liga?? sinto voce!! grana Lembra? amor me liga Hackers do Brasil Medical Labs Exames!!! meutelefone liga ferias nos E.U.A Surto :( Vacina contra o HIV!! sua conta bancaria zerada olha que isso!!! parabens! te amo! Policia SP Sua Conta!! Boleto Pague veja o que tem no zip e me liga receitas de bolo!! acrdito que em voce!!! promocao de viajens de fim de ano tudo sobre voce sabe Proposta de emprego!! estou doente veja!!! me diz o queacha? retorna logo isso!! arquivo zipado PGP??? voce passou :D!!! ve ai logo ta AMA! AmaVoce Abra rapido isso!!!! reza de sao tome!!!! veja detalhes!!! encontro voce! preenche ai ta bom PizzaVeneza!