Worm:W32/NetSky.I

Classification

Category :

Malware

Type :

Email-Worm

Aliases :

NetSky.I, W32/NetSky.I@mm, I-Worm.NetSky.i, W32.NetSky.I@mm

Summary

A new variant of the NetSky worm, NetSky.I, was found on March 7th, 2004. This variant sends messages whose attachment name looks like a hyperlink ending in INDEX.SCR, so that the executable attachment passes for a link to the recipient's own mail server.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Descriptions of all previous NetSky worm variants can be found here:

The worm's file is a PE executable 22016 bytes long, packed with the PE-Pack file compressor. Unpacked, the file is over 27 kilobytes.

The NetSky.I worm has a few modifications compared to previous variants:

  • The worm uses a different mutex name: "KO[SkyNet.cz]SystemsMutex"
  • The worm carries a slightly different message addressed to the Bagle and Mydoom worm authors
  • On March 5th, 2004 the worm constantly beeps through the PC speaker from 11:00 to 11:59. The WAV file linked below is a recording of the sound the worm makes: https://www.f-secure.com/v-pics/netsky_d.wav
  • The worm uses the following subject texts:
    • Mail account deactivated
    • Mail account closed
    • Mail account expired
    The worm uses the following message body texts:
    • Your mail account expired. Please follow the link to reactivate.
    • Your mail account has been closed. Click on the link for further details.
    • Your mail account has been deactivated. To reactivate, follow the link.
    The worm sends itself as an attachment whose name looks like a hyperlink:
    • http://www.[recipient's_domain]/[recipient's_user_name]/index.scr
    Here [recipient's_domain] is the domain name and suffix of the infected message's recipient and [recipient's_user_name] is the recipient's user name, so the "link" appears to point at the recipient's own mailbox.
  • The sender address of an infected message is always 'service@[recipient's_domain]', where [recipient's_domain] is the domain name and suffix of the infected message's recipient, so the message appears to come from the recipient's own mail provider.
  • The worm installs itself into the system as a file named FOODING.EXE.
  • The worm creates a startup key named 'Tiny AV' for its file in the System Registry.
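As an added example, not F-Secure's code and not part of the original description, the following Python script scores a raw RFC 822 message against the mail-borne indicators listed above: the three fixed subject strings, the three fixed body strings, the spoofed 'service@[recipient's_domain]' sender, and the attachment name derived from the recipient's own address. The two sample messages, the example.com addresses and the function names are constructed for the example; the page says nothing about how a gateway should score partial matches, so the verdict rule in looks_like_netsky_i is an assumption.

```python
"""Added example: flag NetSky.I-style messages from the indicators in this description.

This is not F-Secure's code. The subject, body, sender and attachment-name
indicators are taken from the description above; the sample messages, the
example.com addresses, the function names and the verdict rule are
constructed for this example.
"""
import email
from email.utils import parseaddr

# Fixed lure strings used by the worm (from the description).
NETSKY_I_SUBJECTS = {
    "Mail account deactivated",
    "Mail account closed",
    "Mail account expired",
}
NETSKY_I_BODIES = {
    "Your mail account expired. Please follow the link to reactivate.",
    "Your mail account has been closed. Click on the link for further details.",
    "Your mail account has been deactivated. To reactivate, follow the link.",
}


def expected_indicators(recipient_addr: str) -> tuple[str, str]:
    """Return (sender, attachment name) the worm would use for this recipient.

    The sender is service@<domain>; the attachment name is built from the
    recipient's own user name and domain so it looks like a link to their mailbox.
    """
    user, _, domain = recipient_addr.lower().partition("@")
    return f"service@{domain}", f"http://www.{domain}/{user}/index.scr"


def netsky_i_indicators(raw_message: str) -> list[str]:
    """Return the names of the NetSky.I indicators matched by a raw message."""
    msg = email.message_from_string(raw_message)
    _, recipient = parseaddr(msg.get("To", ""))
    _, sender = parseaddr(msg.get("From", ""))
    spoofed_sender, lure_name = expected_indicators(recipient)

    hits = []
    if msg.get("Subject", "").strip() in NETSKY_I_SUBJECTS:
        hits.append("subject")
    if sender.lower() == spoofed_sender:
        hits.append("sender")
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = (part.get_filename() or "").lower()
            if name == lure_name:
                hits.append("attachment")      # exact worm naming scheme
            elif name.endswith(".scr"):
                hits.append("scr-attachment")  # any screensaver = executable
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            if body.strip() in NETSKY_I_BODIES:
                hits.append("body")
    return hits


def looks_like_netsky_i(raw_message: str) -> bool:
    """Assumed verdict rule: the recipient-derived attachment name alone is
    decisive; otherwise require lure subject, lure body and spoofed sender."""
    hits = set(netsky_i_indicators(raw_message))
    return "attachment" in hits or {"subject", "sender", "body"} <= hits


# Constructed sample: what an infected message to alice@example.com would look like.
SAMPLE_NETSKY_I = """From: service@example.com
To: Alice <alice@example.com>
Subject: Mail account closed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Your mail account has been closed. Click on the link for further details.
--b1
Content-Type: application/octet-stream; name="http://www.example.com/alice/index.scr"
Content-Disposition: attachment; filename="http://www.example.com/alice/index.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed sample: an ordinary message that must not match.
SAMPLE_BENIGN = """From: bob@corp.example
To: alice@example.com
Subject: Lunch?
Content-Type: text/plain; charset="us-ascii"

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_NETSKY_I), ("benign", SAMPLE_BENIGN)):
        print(label, netsky_i_indicators(raw), looks_like_netsky_i(raw))
```

The attachment check is the strongest single indicator because the name is a deterministic function of the recipient's address, which a gateway sees in the envelope; the subject and body strings alone are cheap for a later variant to change.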