Using its own SMTP engine to spread, Netsky.Q harvests email addresses from various files found on the infected user's system, and uses those addresses in both the From and To field of the email.
The Netsky.X author apparently failed to realize there is no valid date of April 31st. The worm is hard-coded to launch its DoS from the 27th of April through the non-existent April 31st, 2004. Where a previous variant, Netsky.Q, attempts a DoS attack against www.edonkey2000.com, www.kazaa.com, www.emule-project.net, www.cracks.am, and www.cracks.st, Netsky.X targets www.nibis.de, www.medinfo.ufl.edu, and www.educa.ch.
Netsky.Q copies itself to the Windows directory as FirewallSvr.exe and modifies the Registry in order to launch when Windows is restarted:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
FirewallSvr.exe = "C:\Windows\FirewallSvr.exe"
Netsky.Q email characteristics
Subject: (one of the following)
- Re: document
- Re: belge
- Re: dokumenten
- Re: dokumentoida
- Re: udokumentowac
- Re: dokumentet
- Re: original
- Re: documento
- Re: dokument
Message body: (one of the following)
- Please read the document
- Bitte lesen Sie das Dokument.
- Veuillez lire le document.
- Legga prego il documento.
- Leia por favor o original.
- Behage lese dokumentet.
- Podobac sie przeczytac ten udokumentowac.
- Haluta kuulua dokumentoida.
- mutlu etmek okumak belgili tanimlik belge.
Attachment name:
The Netsky.X attachment has a .PIF extension and uses a pre-defined naming template:
- %name%.%country%.pif
where %name% may be left blank or may be chosen from the following list:
- document
- dokument
- documento
- original
- dokumentet
- udokumentowac
- dokumentoida
- dokumenten
- belge
and %country% is chosen from:
- xx, de, fr, it, pt, no, pl, fi, se, tc
For example, the attachment might be named document.de.pif, or it may simply be named de.pif.
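The subject and attachment-name lists above can be turned into a mail-gateway or mailbox-scan check. The following is an added example, not code from the original article or from any antivirus vendor; the message samples are constructed and the label names are my own.

```python
import re

# Indicator lists transcribed from the worm description above.
SUBJECTS = {
    "Re: document", "Re: belge", "Re: dokumenten", "Re: dokumentoida",
    "Re: udokumentowac", "Re: dokumentet", "Re: original",
    "Re: documento", "Re: dokument",
}
NAMES = ["document", "dokument", "documento", "original", "dokumentet",
         "udokumentowac", "dokumentoida", "dokumenten", "belge"]
COUNTRIES = ["xx", "de", "fr", "it", "pt", "no", "pl", "fi", "se", "tc"]

# %name%.%country%.pif, where %name% and its dot may be absent ("de.pif").
ATTACHMENT_RE = re.compile(
    r"^(?:(?:" + "|".join(NAMES) + r")\.)?(?:" + "|".join(COUNTRIES) + r")\.pif$",
    re.IGNORECASE,
)


def matches_attachment(filename: str) -> bool:
    """True if the attachment name fits the Netsky naming template."""
    return ATTACHMENT_RE.match(filename.strip()) is not None


def classify(subject: str, attachments) -> list:
    """Return the indicator labels a message trips; empty list if none."""
    hits = []
    if subject.strip() in SUBJECTS:
        hits.append("subject")
    if any(matches_attachment(a) for a in attachments):
        hits.append("attachment")
    return hits


# Constructed sample messages (hypothetical, not real captures).
SAMPLES = [
    ("Re: document", ["document.de.pif"]),   # name + country code
    ("Re: belge", ["DE.PIF"]),               # blank name, upper-case
    ("Re: original", ["invoice.pdf"]),       # subject matches only
    ("Meeting notes", ["dokument.fr.pif"]),  # attachment matches only
    ("Meeting notes", ["document.pif"]),     # no country code: no match
]

if __name__ == "__main__":
    for subject, attachments in SAMPLES:
        print(f"{subject!r:18} {attachments} -> {classify(subject, attachments)}")
```

A subject hit alone is a weak signal (the list is short and generic); the attachment pattern, especially a bare country code with a .pif extension, is the stronger one to alert on.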
Removing the worm
As with any infection, the best removal can be accomplished using up-to-date antivirus software. To manually remove Netsky.X, use the Windows Task Manager to stop the FirewallSvr process, delete the value:
FirewallSvr.exe = "C:\Windows\FirewallSvr.exe"
from the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete FirewallSvr.exe from the Windows directory.