003/01/04 - Netsky.D
A new variant of W32/Netsky@MM has been received which is detected and repaired as W32/Netsky.c@MM with the 4328 DATs and higher (with scanning of compressed files enabled).
This virus spreads via email. It sends itself to addresses found on the victim's machine. The virus also attempts to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses.
Mail propagation
The virus may be received in an email message as follows:
From: (forged address taken from infected system)
Subject: Taken from the following list:
Re: Hello
Re: Hi
Re: Thanks!
Re: Document
Re: Message
Re: Here
Re: Details
Re: Your details
Re: Approved
Re: Your document
Re: Your text
Re: Excel file
Re: Word file
Re: My details
Re: Your music
Re: Your bill
Re: Your letter
Re: Document
Re: Your website
Re: Your product
Re: Your document
Re: Your software
Re: Your archive
Re: Your picture
Re: Here is the document
Body: Taken from the following list:
Here is the file.
Your file is attached.
Your document is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Attachment: filename taken from strings within the worm, with a .PIF extension:
yours.pif
your_text.pif
your_bill.pif
mp3music.pif
document.pif
my_details.pif
your_file.pif
your_website.pif
your_product.pif
your_letter.pif
your_archive.pif
your_details.pif
document_word.pif
all_document.pif
application.pif
your_picture.pif
document_excel.pif
document_4351.pif
document_full.pif
message_part2.pif
your_document.pif
message_details.pif
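As an added example (not part of this advisory or of any vendor's tooling), the following Python checks an incoming message against the subject, body and attachment-name lists above, which is how a mail gateway or a mailbox sweep could flag Netsky.D lures; the sample message is constructed for illustration and is not a real capture.

```python
import email
from email import policy

# Lure strings taken from the advisory's lists above (duplicates collapsed).
SUBJECTS = {"Re: " + s for s in (
    "Hello", "Hi", "Thanks!", "Document", "Message", "Here", "Details", "Your details",
    "Approved", "Your document", "Your text", "Excel file", "Word file", "My details",
    "Your music", "Your bill", "Your letter", "Your website", "Your product",
    "Your software", "Your archive", "Your picture", "Here is the document")}
BODIES = {"Here is the file.", "Your file is attached.", "Your document is attached.",
          "Please read the attached file.", "Please have a look at the attached file.",
          "See the attached file for details."}
ATTACHMENTS = {n + ".pif" for n in (
    "yours", "your_text", "your_bill", "mp3music", "document", "my_details",
    "your_file", "your_website", "your_product", "your_letter", "your_archive",
    "your_details", "document_word", "all_document", "application",
    "your_picture", "document_excel", "document_4351", "document_full",
    "message_part2", "your_document", "message_details")}

# Constructed sample in the shape the advisory describes (not a real capture).
SAMPLE = b"""From: alice@example.com
Subject: Re: Your bill
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please read the attached file.
--b1
Content-Type: application/octet-stream; name="your_bill.pif"

TVo=
--b1--
"""

def netsky_d_indicators(raw: bytes) -> list[str]:
    """Return which advisory-listed traits a raw RFC 822 message shows ([] = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append("attachment")
        elif name.endswith(".pif"):
            hits.append("pif")  # any .PIF attachment is worth flagging on its own
        elif not name and part.get_content_type() == "text/plain":
            hits += ["body"] if part.get_content().strip() in BODIES else []
    return hits
```

A subject or body hit alone is weak (the lures are ordinary phrases); the attachment name, or any .PIF attachment at all, is the signal to act on.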
The mailing component harvests addresses from the local system. Files with the following extensions are targeted:
.adb
.asp
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.oft
.php
.pl
.rtf
.sht
.shtm
.msg
.tbb
.txt
.uin
.vbs
.wab
It does not send itself to addresses that contain one of the following strings:
abuse
fbi
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
avp
skynet
spam
messagelabs
ymantec
antivi
icrosoft
The virus sends itself via SMTP, constructing messages with its own SMTP engine. It queries the DNS server for the MX record of the targeted domain, connects directly to that domain's MTA and sends the message.
Removal Instructions
Go to the following website for removal instructions:
http://vil.nai.com/vil/content/v_101064.htm
Download Stinger to scan for infection:
http://vil.nai.com/vil/stinger
More info on this worm:
http://vil.nai.com/vil/content/v_101064.htm