What is the Netsky.E worm?
Netsky.E is a mass-mailing worm that uses its
own SMTP engine to send itself to the email
addresses it finds when scanning hard drives and
mapped drives. This worm also searches drives C
through Y for folders that have names containing
"Shar", and then copies itself to those
folders.
Also known as: WORM_NETSKY.E, W32/Netsky.e@MM, W32/Netsky.E.worm,
W32/Netsky-E, Win32.Netsky.E, I-Worm.Netsky.e
How Does the Netsky.E Worm Infect My Computer?
When Netsky.E is executed, it performs the following actions:
- Creates a mutex named "[SkyNet.cz]SystemsMutex".
This mutex allows only one instance of the
worm to execute.
- Copies itself as %Windir%\Winlogon.exe.
- Makes the same registry changes as the
Netsky.C worm, described in "How Does the
Netsky.C Worm Infect My Computer?" from
3-10.
- The email has the following characteristics:
  From: (Spoofed)
  Subject: (One of the following, or empty)
    - Delivery Failed
    - Status
    - report
    - ......
  Message: (One of the following, or empty)
    - <Deliver Error>
    - <Message Error>
    - <Server Error>
    - ......
  Attachment:
    W32.Netsky.E@mm will either use an
    executable attachment, or create a .zip
    file as the attachment, which contains an
    executable copy of itself.
    The attachment name will be constructed as
    follows: attachment_attachment (for
    example, document_msg).
    For the remaining time, the worm uses a
    copy of itself as the attachment, and
    randomly selects one of the Attachment
    Names below.
  Attachment Name: (One of the following)
    - document
    - associal
    - msg
    - .....
  Extensions:
    For the executable file, the worm will
    either use a single extension or double
    extension name. The first extension is one
    of the following:
    - .txt
    - .rtf
    - .doc
    - .htm
    - .jpg
    - .gif
    The executables will end with one of the
    following extensions:
    - .exe
    - .scr
    - .com
    - .pif
    - .bat
    - .cmd
    In case of zip files, a .zip will be added
    to the end of the file name generated with
    the above rule.
- The worm avoids sending to email addresses
that contain any of the following strings:
- icrosoft
- antivi
- ymantec
- spam
- avp
- f-secur
- itdefender
- orman
- cafee
- aspersky
- f-pro
- orton
- fbi
- abuse
- messagelabs
- skynet
- If the local system time is between 6:00
A.M. and 9:00 A.M. on March 2, 2004, the
computer speaker will continuously beep.
How to Remove the Netsky.E Worm?
Kaspersky Internet Security Can Protect You From Viruses and Intrusion.
If Kaspersky detects Netsky.E during the
scan, it will AUTOMATICALLY offer you the option
of deleting it. Do this by following the
program's instructions.
The procedure for removing the Netsky.E worm is
similar to that for Netsky.C.
How to Disinfect My Computer from Worms?
In order to keep your computer protected, bear
the following tips in mind:
- If you have filtering tools installed,
configure them to reject messages with the
characteristics described above. If, in spite
of doing this, you receive a message that
contains the virus, do not open it and do not run
the attached file. Delete the message, making sure
that you also delete it from the Deleted
Items folder.
- Install a good antivirus on your computer.
Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic
updates are available, configure your
antivirus to use them.
- Keep your permanent antivirus protection
enabled at all times.
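
The filtering tip above can be expressed as a concrete check. The following Python sketch is an added example, not code from this page or from any antivirus vendor: it applies the attachment-extension rule and the listed subjects from this page to a parsed message. The function names, addresses and sample messages are constructed for illustration.

```python
from email import policy, message_from_bytes
from email.message import EmailMessage

# Values copied from the lists on this page; the page elides further entries.
SUBJECTS = {"delivery failed", "status", "report"}
DECOY_EXTS = {"txt", "rtf", "doc", "htm", "jpg", "gif"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}

def classify_filename(name):
    """Return why an attachment name matches the naming rule, or None."""
    # Windows ignores trailing dots and spaces, so strip them before splitting.
    exts = name.lower().rstrip(" .").split(".")[1:]
    zipped = bool(exts) and exts[-1] == "zip"
    if zipped:
        exts = exts[:-1]  # ".zip" is appended after the generated name
    if not exts or exts[-1] not in EXEC_EXTS:
        return None
    double = len(exts) > 1 and exts[-2] in DECOY_EXTS
    kind = "double extension" if double else "executable extension"
    return kind + (" in zip name" if zipped else "")

def scan_message(raw_bytes):
    """Return (reject, reasons) for one raw RFC 5322 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        why = classify_filename(filename)
        if why:
            reasons.append(f"attachment {filename!r}: {why}")
    # A listed subject alone is too common to reject on; it only adds context.
    subject = (msg["Subject"] or "").strip().lower()
    if reasons and subject in SUBJECTS:
        reasons.append(f"subject {subject!r} is on the page's list")
    return bool(reasons), reasons

def build_sample(subject, filename):
    """Constructed test message; the payload is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("<Deliver Error>")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for subj, fn in [("Delivery Failed", "document_msg.txt.pif"),
                     ("Status", "msg.doc.scr.zip"),
                     ("Quarterly numbers", "report.doc")]:
        print(fn, scan_message(build_sample(subj, fn)))
```

Because the From address is spoofed, the check keys on the attachment name rather than the sender.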