W32/Netsky.J

Subscribe to Virus Alert
Mailing List

Enter your Email
(Ex : john@company.com)

W32/Netsky.J Worm

Information about the W32/Netsky.J worm:

W32/Netsky.J is a mass mailing worm. This worm is a variant of W32/Netsky.D. This worm infects Windows systems and spreads through email.

The infected email carries a fake 'From' address, picked up from the infected system.

The subject of the infected email will be any one of the following;

Re: Hi
Re: Here
Re: Hello
Re: Details
Re: Thanks!
Re: Your bill
Re: Message
Re: Word file
Re: Your text
Re: Excel file
Re: Approved
Re: Document
Re: My details
Re: Your letter
Re: Your music
Re: Your details
Re: Your picture
Re: Your archive
Re: Your product
Re: Your website
Re: Your software
Re: Your document
Re: Here is the document

The body of the email will be any one of the following;

Here is the file.
Your file is attached.
Your document is attached.
Please read the attached file.
See the attached file for details.
Please have a look at the attached file.

The infected email has an attachment with any one of the following names;

yours.pif
your_bill.pif
your_file.pif
your_text.pif
document.pif
mp3music.pif
my_details.pif
application.pif
your_letter.pif
your_details.pif
your_picture.pif
your_archive.pif
all_document.pif
your_product.pif
your_website.pif
document_full.pif
your_document.pif
message_part2.pif
document_word.pif
document_4351.pif
document_excel.pif
message_details.pif

Upon execution of the infected attachment, the worm copies itself as WINLOGON.EXE in the Windows folder. It creates a mutex LK[SkyNet.cz]SystemsMutex to check the presence of the worm in system memory.

The worm modifies registry at the following location to run itself at the startup;

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

To propagate itself, the worm scans the files having the following extensions and collects all the available email addresses from the infected system;

.pl
.rtf
.oft
.txt
.uin
.tbb
.cgi
.sht
.vbs
.doc
.dbx
.asp
.adb
.php
.htm
.eml
.wab
.msg
.html
.dhtm
.shtm

The worm skips certain email addresses, which contain the following text strings, to evade security software detection:

f-pro
antivi
orton
cafee
abuse
antivir
iruslis
freeav
orman
skynet
f-secur
sophos
icrosoft
ymantec
aspersky
itdefender
andasoftwa
messagelabs

After this, the worm mails itself to these addresses using its own SMTP engine.

The worm may de-activate some variants of W32/Mydoom in the infected system.

This worm first appeared on March 8, 2004.

Other names of W32/Netsky.J worm:

This worm is also known as W32/Netsky-J, W32/Netsky.J.worm, W32/Netsky.J@mm, WORM_NETSKY.J.

Download the FREE Evaluation copy of Protector Plus antivirus software

About Protector Plus Antivirus Software Packages:

Proland Software is the developer of Protector Plus range of antivirus software packages. Protector Plus 2007 is available for Windows Vista, Windows 95/98/Me, Windows XP, Windows NT/2000/2003 servers and workstations, MS-Exchange 2000/2003, MS-DOS and NetWare servers.

New:
SpamChoke Antispam Software
Download Now!

Protector Plus range of antivirus products offer on-line virus detection and removal. All the packages have the ability to detect and isolate all types of viruses, trojans, worms and other types of malware.

These products are updated on a continuous basis and the latest upgrades for all the platforms are made available for downloading from this site.

Click here to order
Protector Plus Antivirus software