W32/Netsky.B

Subscribe to Virus Alert
Mailing List

Enter your Email
(Ex : john@company.com)

W32/Netsky.B Worm

Information about the W32/Netsky.B worm:

W32/Netsky.B is a mass mailing worm. This worm infects Windows systems and spread through email and shared drives on network.

Infected mail carries a spoofed 'From' address, picked up randomly from the infected system or from any other shared network drive connected to the infected system.

The subject of the infected mail will be any one of the following;

fake
hello
hi
information
read it immediately
something for you
stolen
unknown
warning

The body of the mail will be any one of the following;

about me
anything ok?
do you?
from the chatter
greetings
here
here is the document.
here it is
here, the cheats
here, the introduction
here, the serials
i found this document about you
I have your password!
i hope it is not true!
i wait for a reply!
i'm waiting
information about you
is that from you?
is that true?
is that your account?
is that your name?
kill the writer of this document!
misc
my hero
ok
read it immediately!
read the details.
reply
see you
something about you!
something is fool
something is going wrong
something is going wrong!
stuff about you?
take it easy
that is bad
that's funny
thats wrong
what does it mean?
why?
yes, really?
you are a bad writer
you are bad
you earn money
you feel the same
you try to steal
your name is wrong

The infected email has an attachment with any one of the following names.

aboutyou
attachment
bill
concert
creditcard
details
dinner
disco
doc
final
found
friend
information
jokes
location
mail2
mails
me
message
misc
msg
nomoney
note
object
part2
party
posting
product
ps
ranking
release
shower
story
stuff
swimmingpool
talk
textfile
topseller
website

The file extension of the infected attachment will be single or double extension with a combination of the following extensions .rtf, .txt, .doc, .htm, .exe, .scr, .com, .pif, .zip.

When the infected attachment is executed, the worm copies as services.exe to Windows folder. It creates a mutex called AdmSkynetJKIS003 to check if the worm is already in memory. It also checks for the folders share or sharing, if found the worm copies itself to these folders. This is done to spread itself through shared network.

The worm modifies registry at the following location to run itself at the startup.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

To propagate itself, the worm scans the following extensions and collects the available email addresses from the infected system and shared folders;

.adb .asp .dbx .doc .eml .htm .html .msg .oft .php .pl .rtf .sht .tbb .txt .uin .vbs .wab

After this the worm mails itself to these addresses using its own SMTP engine.

This worm first appeared on 18th February 2004.

Other names of W32/Netsky.B worm:

This worm is also known as W32/Netsky.b@MM, WORM_NETSKY.B, Moodown.B, I-Worm.Moodown.b

Click here to download a 30 day Evaluation Copy of
Protector Plus anti virus software for your operating system

About Protector Plus Antivirus Software Packages:

Proland Software is the developer of Protector Plus range of antivirus software packages. Protector Plus is available for Windows Vista, Windows 95/98/Me, Windows XP, Windows NT/2000/2003 servers and workstations, MS-Exchange 2000/2003, MS-DOS and NetWare servers.

New:
SpamChoke Antispam Software
Download Now!

Protector Plus range of antivirus products offer on-line virus detection and removal. All the packages have the ability to detect and isolate all types of viruses, trojans, worms and other types of malware.Protector Plus antivirus software can detect and remove W32/Netsky.B worm reliably.

These products are updated on a continuous basis and the latest upgrades for all the platforms are made available for downloading from this site.

Click here to order
Protector Plus Antivirus software