By Robert Vamosi
(March 1, 2004)
The fourth variation of the Netsky worm is the most successful yet. Netsky.d (w32.netsky.d@mm) uses randomized e-mail messages to spread copies of itself via a PIF file attachment. Netsky.d does not open any backdoor Internet access to the infected computer, but it will play random sounds on infected computers if the date is March 2, 2004, between the local times of 6 a.m. and 9 a.m. It will also attempt to remove copies of the MyDoom.a and MyDoom.b worms if the machine was previously infected. Netsky.d affects only Windows users; Linux, Mac OS, and Unix users are not affected. Because this worm spreads via e-mail and could congest e-mail servers with excess traffic, Netsky.d rates a 6 on the CNET/ZDNet Virus Meter.
How it works
Netsky.d arrives with a spoofed e-mail return address and a random subject line. The body text is a short sentence chosen at random from a long list. The attachment name is a random selection of words with a .pif extension.
When the attachment is run, Netsky.d copies itself to the Windows directory under the name WinLogon.exe; the copy is 17,424 bytes in size.
The worm updates the system Registry by adding:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ICQ Net" = %WinDir%\WINLOGON.EXE -stealth
Netsky.d searches the infected hard drive for usable e-mail addresses. The worm then creates ZIP file copies of itself.
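As an added example (not from the original article or from any of the vendors it lists), the following PowerShell script is a read-only triage check for the indicators given above: the "ICQ Net" Run value, a WINLOGON.EXE dropped in the Windows directory itself, its 17,424-byte size, and any process running from that path. It only reports; it removes nothing, and the variable names and the size comparison are assumptions built from the article's figures.

```powershell
# Added example: read-only check for the Netsky.d indicators described in the article.
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valName  = 'ICQ Net'                               # Run value name from the article
$dropPath = Join-Path $env:WINDIR 'WINLOGON.EXE'    # %WinDir%\WINLOGON.EXE, the worm's copy
$knownLen = 17424                                   # size of the dropped file per the article

$findings = @()

# 1. Persistence: the Run value pointing at the dropped file with the -stealth switch.
$runVals = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runVals -and ($runVals.PSObject.Properties.Name -contains $valName)) {
    $data = $runVals.$valName
    $findings += "Run value '$valName' present: $data"
    if ($data -match 'WINLOGON\.EXE\s+-stealth') {
        $findings += "  -> command line matches the documented Netsky.d entry"
    }
}

# 2. Dropped file: WINLOGON.EXE directly in %WinDir%. The legitimate winlogon.exe
#    lives in %WinDir%\System32, so a copy one level up is itself suspicious.
if (Test-Path -LiteralPath $dropPath) {
    $item = Get-Item -LiteralPath $dropPath
    $findings += "File present: $dropPath ($($item.Length) bytes)"
    if ($item.Length -eq $knownLen) {
        $findings += "  -> size matches the 17,424-byte sample described in the article"
    }
}

# 3. Running process whose image is the dropped file, not System32\winlogon.exe.
#    Path is $null for processes this session cannot inspect; run elevated for full coverage.
$procs = Get-Process -Name winlogon -ErrorAction SilentlyContinue |
         Where-Object { $_.Path -and ($_.Path -ieq $dropPath) }
foreach ($p in $procs) {
    $findings += "Process $($p.Id) running from $($p.Path)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Netsky.d indicators found on this host.'
} else {
    Write-Output 'Possible Netsky.d indicators:'
    $findings | ForEach-Object { Write-Output $_ }
}
```

A match on the Run value or the file alone is a strong signal; the size check is a corroborating detail from the article's sample and may differ for repacked copies.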
Update your antivirus software with the latest signature files.
Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec, and Trend Micro.