Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W32/Netsky.V@mm


Threat Risk LOW LOW
Destructivity LOW LOW
Payload DoS/Backdoor
Detection files published
Description created 14 Apr 2004 05:22:00
Description updated 14 Apr 2004 05:22:00
Malware type WORM
Spreading mechanism EMAIL
Summary None



When Netsky.V is executed it creates a mutex named“_-=oOOSOkOyONOeOtOo=-_" to ensure that only one copy of the worm is running. Next the worm copies itself to the %WINDIR% folder as “KasperskyAVEng.exe" and “skyav.tmp" and then creates the following registry value to launch itself when Windows starts: “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\    CurrentVersion\Run\KasperskyAVEng" = “%WINDIR%\KasperskyAVEng.exe" Netsky will then launch a thread that searches on all fixed drives (excluding CD-ROM drives) for email addresses. Only files with the following extensions are searched: .ppt    .nch    .mmf    .mht    .xml    .wsh    .jsp    .xls    .stm    .ods    .msg    .oft   .sht    .html   .htm    .pl .dbx    .tbb    .adb.dhtm   .cgi   .shtm   .uin    .rtf    .vbs    .doc    .wab    .asp   .mdx.mbx    .cfg    .php    .txt    .eml Netsky will then use its own SMTP engine to send an email to all of the addresses found. The email has the following characteristics: Subject: Mail Delivery Sytem failure Mail delivery failed    Server Status failure   Gateway Status failure Body: The processing of this message can take a few minutes...    Converting message. Please wait...  Please wait while loading failed message... Please wait while converting the message... From: The from address is spoofed so that all mails will appear to come from “" Attachment: Netsky.V does not send any attachments, instead it exploits a known vulnerability in Internet Explorer which enables the virus to be launched by visiting a website. A URL will be appended to the mail which will automatically launch the worm if clicked on. Please visit for further information on the vulnerability.

Payload Details

Netsky.V will open port 5556 as an FTP server and port 5557 as an HTTP server on the infected machine. The worm will also attempt to perform a denial of service attack against the following sites between 22-Apr-2004 and 29-Apr-2004 using HTTP GET requests:




Netsky.V was proactivly detected as a W32/Backdoor by Sandbox.

Last Updated: 12 Nov 2015 11:06:15