Discovered: February 24, 2004
Updated: February 13, 2007 12:18:01 PM
Also Known As: W32/Netsky.c@MM [McAfee], Win32.Netsky.C [Computer Assoc], W32/Netsky-C [Sophos], WORM_NETSKY.C [Trend], I-Worm.Moodown.c [Kaspersky], I-Worm.NetSky.c [Kaspersky], W32/Netsky.C.worm [Panda]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

W32.Netsky.C is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning hard drives and mapped drives. This worm also searches drives C through Y for the folder names containing "Shar" and then copies itself to those folders.

The Subject, Body, and email attachment vary.

  • Symantec Consumer products that support Worm Blocking functionality automatically detect this threat as it attempts to spread.
  • Rapid Release virus definitions, version 2/24/04 rev 32 (60224af or 20040224.032) and greater, detect this threat.

Symantec Security Response has received an additional W32.Netsky.C@mm sample which is ASPacked. Response has seen no customer submissions of this minor variant at this time. Virus definitions of version 2/25/2004 rev 19 (60225s) (20040225.019) or greater are required to detect this variation.

Antivirus Protection Dates

  • Initial Rapid Release version February 25, 2004
  • Latest Rapid Release version February 25, 2004
  • Initial Daily Certified version February 25, 2004
  • Latest Daily Certified version February 25, 2004
  • Initial Weekly Certified release date February 25, 2004


Writeup By: Tony Lee

When W32.Netsky.C@mm runs, it does the following:

  1. Creates a mutex named "[]SystemsMutex." This mutex allows only one instance of the worm to execute.

  2. Copies itself as %Windir%\Winlogon.exe.

    Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

  3. Adds the value:

    "ICQ Net" = "%Windir%\winlogon.exe -stealth"

    to the registry key:


    so that the worm runs when you start Windows.

  4. Deletes the values:
    • Taskmon
    • Explorer
    • Windows Services Host
    • KasperskyAV

      from the registry keys:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      Note: Some of these registry key values are typically associated with the worms W32.Mydoom.A@mm and W32.Mydoom.B@mm. The W32.Mimail.T@mm worm may add the registry key value "KasperskyAV."

  5. Deletes the values:
    • System.
    • msgsvr32
    • service
    • Sentry

      from the registry key:


  6. Deletes the values:
    • d3dupdate.exe
    • au.exe
    • OLE

      from the registry key:


  7. Deletes the value:


    from the registry key:


  8. Deletes the registry keys:
    • HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch

      Note: The worms W32.Mydoom.A@mm and W32.Mydoom.B@mm add a value to the first key, so that explorer.exe loads their backdoor components.

  9. Retrieves email addresses from the files on the computer whose extension is one of the following:
    • .eml
    • .txt
    • .php
    • .pl
    • .htm
    • .html
    • .vbs
    • .rtf
    • .uin
    • .asp
    • .wab
    • .doc
    • .adb
    • .tbb
    • .dbx
    • .sht
    • .oft
    • .msg
    • .shtm
    • .cgi
    • .dhtm

      Note: Due to a bug in the code, the worm will also search a file for email addresses if its extension is a substring of one of the aforementioned extensions.

      For example, the worm will scan files with the .txt, .tx, and .t extensions.

  10. Searches drives C through Y for folder names containing the string "Shar." If the drive is not a CD-ROM, the worm copies itself to each matching folder, and all the subfolders below it, under the following names:
    • Microsoft WinXP Crack.exe
    • Teen Porn 16.jpg.pif
    • Adobe Premiere 9.exe
    • Adobe Photoshop 9 full.exe
    • Best Matrix Screensaver.scr
    • Porno Screensaver.scr
    • Dark Angels.pif
    • XXX hardcore pic.jpg.exe
    • Microsoft Office 2003 Crack.exe
    • Serials.txt.exe
    • Screensaver.scr
    • Full album.mp3.pif
    • Ahead Nero 7.exe
    • Virii Sourcecode.scr
    • E-Book Archive.rtf.exe
    • Doom 3 Beta.exe
    • How to hack.doc.exe
    • Learn Programming.doc.exe
    • WinXP eBook.doc.exe
    • Win Longhorn Beta.exe
    • Dictionary English - France.doc.exe
    • RFC Basics Full Edition.doc.exe
    • 1000 Sex and more.rtf.exe
    • 3D Studio Max 3dsmax.exe
    • Keygen 4 all appz.exe
    • Windows Sourcecode.doc.exe
    • Norton Antivirus 2004.exe
    • Gimp 1.5 Full with Key.exe
    • Partitionsmagic 9.0.exe
    • Star Office 8.exe
    • Magix Video Deluxe 4.exe
    • Clone DVD 5.exe
    • MS Service Pack 5.exe
    • ACDSee 9.exe
    • Visual Studio Net Crack.exe
    • Cracks & Warez Archive.exe
    • WinAmp 12 full.exe
    • DivX 7.0 final.exe
    • Opera.exe
    • IE58.1 full setup.exe
    • Smashing the stack.rtf.exe
    • Ulead Keygen.exe
    • Lightwave SE Update.exe
    • The Sims 3 crack.exe

      Note: This could allow copies of W32.Netsky.C@mm to spread through file-sharing networks, Instant Messaging clients, Windows shared folders, or any program that uses a shared folder whose name contains "Shar."

  11. Uses its own SMTP engine to send itself to the email addresses it found above, sending to each address once. The worm uses the local DNS server (retrieved via an API), if available, to perform an MX lookup for the recipient address. If the local DNS fails, it will perform the lookup from the following list of hard-coded servers:

  12. The email has the following characteristics:

    From: (Spoofed)

    Note: This email address could be one of the addresses retrieved by the worm, as indicated in step 9.

    Subject: (67% of the time, it will be taken from the following list. The rest of the time, the Subject may be taken from the list of the Message bodies below. The Subject can also be a blank line.)
    • Delivery Failed
    • Status
    • report
    • question
    • trust me
    • hey
    • Re: excuse me
    • read it immediatelly
    • hi
    • Re: does it?
    • Yep
    • important
    • hello
    • dear
    • Re: unknown
    • fake?
    • warning
    • moin
    • what's up?
    • info
    • Re: information
    • Here is it
    • stolen
    • private?
    • good morning
    • illegal...
    • error
    • take it
    • re:
    • Re: Re: Re: Re:
    • you?
    • something for you
    • exception
    • Re: hey
    • excuse me
    • Re: hi
    • Re: does it?
    • Re: important
    • Re: hello
    • believe me
    • Question
    • denied!
    • notification
    • Re: <5664ddff?$??º2>
    • lol
    • last chance!
    • I'm back!
    • its me
    • notice!

      Message: (One of the following, but could be blank)
    • <Deliver Error>
    • <Message Error>
    • <Server Error>
    • what means that?
    • help attached
    • <...>
    • ok...
    • <Attachment from Poland>
    • that is interesting...
    • i wait for your comment about it.
    • such as yours?
    • read the details.
    • gonna?
    • here is the document.
    • *lol*
    • read it immediately!
    • i found that about you!
    • your hero in the picture?
    • yours?
    • here is it.
    • illegal st. of you?
    • is that true?
    • account?
    • is that your name?
    • picture?
    • message?
    • is that your account?
    • pwd?
    • I wait for an answer!
    • abuse?
    • is that yours?
    • you are a bad writer
    • I don't know your document!
    • <Mail failed>
    • I have your password!
    • you won the rk!
    • something about you!
    • classroom test of you?
    • kill the writer of this document!
    • old photos about you?
    • i hope thats not true!
    • your name is wrong!
    • does it match?
    • i found this document about you.
    • time to fear?
    • really?
    • do you know this????
    • i know your document!
    • did you sent it to me?
    • this file is bad!
    • why should I?
    • pages?
    • her.
    • another pic, have fun! ... :->
    • test it
    • child porn?
    • greetings
    • xxx ?
    • stuff about you?
    • your document is not good
    • something is going wrong!
    • your photo is poor
    • information about you?
    • the information is wrong!
    • doc about me?
    • kill him on the picture!
    • from the chatter (my photo!)
    • from your lover ;-)
    • love letter?
    • here, the serials
    • are you a teacherin the picture?
    • here, the introduction
    • is that criminal?
    • here, the cheats
    • i like your doc!
    • what do you think about it?
    • that's a funny text.
    • that's not the truth?
    • do you have?
    • instruct me about this!
    • i lost that
    • i am speachless about your document!
    • is that the reality?
    • reply
    • msg
    • your design is not good!
    • important?
    • your TAN number?
    • take it easy!
    • why?
    • you are naked in this document!
    • thats wrong!
    • your icq number?
    • i am desperate
    • modifications?
    • your personal record?
    • yes.
    • misc. and so on. see you!
    • your attachment? verify it.
    • you earn money, see the attachment!
    • is that your attachment?
    • is that your website?
    • you feel the same.
    • meaning of that?
    • possible?
    • you have tried to steal!
    • did you ask me for that?
    • you are bad
    • your job? (I found that!)
    • is that possible?
    • something is going ...
    • something is not ok
    • did you know from this document?
    • wrong calculation! (see the attachment!...
    • never!
    • poor quality!
    • good work!
    • excellent!
    • great!
    • i don't think so.
    • pretty pic about you?
    • docs?
    • schoolfriend?
    • <Warning from the Government>
    • <09580985869gj>
    • <?}
    • i want more...
    • here is the next one!
    • attachi#
    • did you see her already?
    • is that your wife?
    • is that your creditcard?
    • is that your photo?
    • do you think so?
    • do you have the bug also?
    • already?
    • forgotten?
    • drugs? ...
    • does it matter?
    • i have received this.
    • best?
    • the truth?
    • your body?
    • your eyes?
    • your face?
    • File is self-decryting.
    • File is damaged.
    • File is bad.
    • i saw you last week!
    • xxx service
    • your account is expired!
    • you cannot hide yourself! (see photo)
    • copyright?
    • what still?
    • who?
    • how?
    • <bad gateway>
    • only encrypted!
    • personal message!
    • my advice....
    • i've found it about you
    • <<<Failure>>>
    • <Attached Msg>
    • <scanned by norton antivirus>
    • great xxx!
    • man or women?
    • child or adult?
    • here is yours!
    • a crazy doc about you
    • xxx about you?
    • i don't want your xxx pics!
    • <Failed message available>
    • <Automailer>
    • doc?
    • trial?
    • what?
    • ;-)
    • i need you!
    • correct it!
    • see this!
    • it's a secret!
    • this is nothing for kids!
    • it's so similar as yours!
    • is that your car?
    • do not give up!
    • great job!
    • here is the $%%454$
    • you are sexy in this doc!
    • incest?
    • let it!
    • you look like an ape!
    • you look like an rat?
    • be mad?
    • are you cranky?
    • bob the builder
    • did you know that?
    • money?
    • is that your car?
    • is this information about you?
    • is that your privacy?
    • is that your TAN?
    • is that your message?
    • is that your cd?
    • is that your finger?
    • your are naked?
    • is that your porn pic?
    • is that your work?
    • is that your family?
    • is that your beast?
    • is that your account?
    • is that your slip?
    • is that your domain?
    • are you the naked one?
    • are you the naked person!
    • are you the one?
    • does it belong to you?
    • do you have sex in the picture?
    • you have a sexy body in the pic!
    • your lie is going around the world!
    • <Transfer complete>
    • <Antispam complete>
    • lets talk about it!
    • do you know the thief?
    • are you a photographer?
    • you have done a mistake in the document...
    • its private from me
    • do not show this anyone!
    • new patch is available!
    • this is an attachment message!
    • in your mind?
    • Microsoft
    • fast food...
    • Your bill.
    • try this patch!
    • do you have an orgasm in the picture?
    • <Click the attachment to decrypt>
    • <Attachment Signature 34933920>
    • Transaction failed. Show the doc!
    • I 've found your bill!
    • see your name!
    • You are infected. Read the details!
    • here is my advice.
    • here is my photo!
    • here is the <censored>
    • feel free to use it.
    • does it belong to you?
    • Login required! Read the attachment!
    • your document is silly!
    • is the pic a fake?
    • Antispam is turned off. See file!
    • Authentification required. Read the att...
    • solve the problem!
    • <null>
    • do not use my document!
    • do not open the attachment!
    • do not visit the pages on the list I se...
    • explain!
    • tell me more about your document!
    • Your provider will be disabled!
    • Instant patches.

      W32.Netsky.C@mm creates a .zip file as the attachment 51.5% of the time, naming it with one of the Attachment Names below. The archive contains an executable copy of the worm whose name is also randomly selected from the Attachment Names below. There is a 25% chance that the attachment name is constructed by joining two names with an underscore, as attachment_attachment (e.g. document_msg).

      For the remaining time, the worm uses a copy of itself as the attachment, and randomly selects one of the Attachment Names below.

      Attachment Name:
      (One of the following)
    • document
    • associal
    • msg
    • yours
    • doc
    • wife
    • talk
    • message
    • response
    • creditcard
    • description
    • details
    • attachment
    • pic
    • me
    • trash
    • card
    • stuff
    • poster
    • posting
    • portmoney
    • textfile
    • moonlight
    • concert
    • sexy
    • information
    • news
    • note
    • number_phone
    • bill
    • mydate
    • swimmingpool
    • class_photos
    • product
    • old_photos
    • topseller
    • ps
    • important
    • shower
    • myaunt
    • aboutyou
    • yours
    • nomoney
    • birth
    • found
    • death
    • story
    • worker
    • mails
    • letter
    • more
    • website
    • regards
    • regid
    • friend
    • unfolds
    • jokes
    • doc_ang
    • your_stuff
    • location
    • 454543403
    • final
    • schock
    • release
    • webcam
    • dinner
    • intimate stuff
    • sexual
    • ranking
    • object
    • secrets
    • mail2
    • attach2
    • part2
    • msg2
    • disco
    • freaky
    • visa
    • party
    • material
    • misc
    • nothing
    • transfer
    • auction
    • warez
    • undefinied
    • violence
    • update
    • masturbation
    • injection
    • naked1
    • naked2
    • tear
    • music
    • paypal
    • id
    • privacy
    • word_doc
    • image
    • incest

      If the attachment is an executable file, the worm gives it a double extension 46.2% of the time. If the attachment is a .zip file, the executable within the .zip has a double extension 67% of the time. The first (decoy) extension in these cases is one of the following:
    • .txt
    • .rtf
    • .doc
    • .htm

      All the executables will end with one of the following extensions:
    • .exe
    • .scr
    • .com
    • .pif

  13. The worm avoids sending to email addresses which contain any of the following strings:
    • icrosoft
    • antivi
    • ymantec
    • spam
    • avp
    • f-secur
    • itdefender
    • orman
    • cafee
    • aspersky
    • f-pro
    • orton
    • fbi
    • abuse

  14. Creates .zip files in the %Windir% folder, which contain copies of the worm. The names of these files match the above Attachment Names.

  15. If the local system time is between 6:00 AM and 9:00 AM on February 26, 2004, the computer speaker will continuously beep.
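As an added example (this is not code from the Symantec writeup), a mail-gateway style filter in Python that flags attachment names built the way step 12 describes: a listed name or name_name, an optional decoy extension, a final executable extension, or a .zip named from the list that holds one such executable. The name list is a subset of the writeup's, and the sample names and archive are constructed.

```python
"""Mail-gateway check for attachment names that fit the W32.Netsky.C@mm
naming scheme described above. Added example, not Symantec's code.

Rules taken from step 12 of the writeup:
  * base name: one of the Attachment Names, or name_name (e.g. document_msg)
  * optional decoy extension: .txt .rtf .doc .htm
  * final extension: .exe .scr .com .pif
  * or a .zip named from the same list holding one such executable
"""
import io
import zipfile

# Subset of the writeup's Attachment Names; extend with the rest as needed.
ATTACHMENT_NAMES = {
    "document", "msg", "yours", "doc", "wife", "talk", "message", "response",
    "creditcard", "description", "details", "attachment", "pic", "me", "trash",
    "card", "stuff", "bill", "party", "visa", "paypal", "id", "privacy",
    "word_doc", "image", "update", "news", "note", "information", "important",
}
DECOY_EXTS = {"txt", "rtf", "doc", "htm"}
EXEC_EXTS = {"exe", "scr", "com", "pif"}


def base_is_netsky(base: str) -> bool:
    """True if base is a listed name, or two listed names joined by '_'."""
    if base in ATTACHMENT_NAMES:
        return True
    # Try every '_' as the join point so names that themselves contain
    # an underscore (word_doc) still match on either side.
    for i, ch in enumerate(base):
        if ch == "_" and base[:i] in ATTACHMENT_NAMES and base[i + 1:] in ATTACHMENT_NAMES:
            return True
    return False


def executable_name_matches(filename: str) -> bool:
    """True for <name>[.<decoy>].<exec> with name from the list."""
    parts = filename.lower().split(".")
    if len(parts) not in (2, 3) or parts[-1] not in EXEC_EXTS:
        return False
    if len(parts) == 3 and parts[1] not in DECOY_EXTS:
        return False
    return base_is_netsky(parts[0])


def zip_attachment_matches(filename: str, data: bytes) -> bool:
    """True for a .zip named from the list whose single member is a
    matching executable. Unreadable archives are not flagged here."""
    lower = filename.lower()
    if not lower.endswith(".zip") or not base_is_netsky(lower[:-4]):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return len(names) == 1 and executable_name_matches(names[0])


def attachment_matches(filename: str, data: bytes = b"") -> bool:
    """Combined check a gateway filter would call once per attachment."""
    return executable_name_matches(filename) or zip_attachment_matches(filename, data)


def make_sample_zip(member: str) -> bytes:
    """Constructed test archive: one inert member with the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed placeholder, not malware")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachment names, not captured messages.
    for name, data in [
        ("document.txt.exe", b""),
        ("document_msg.pif", b""),
        ("details.zip", make_sample_zip("details.doc.scr")),
        ("quarterly_report.doc.exe", b""),
        ("details.zip", make_sample_zip("readme.txt")),
    ]:
        print(f"{name:28} netsky-style: {attachment_matches(name, data)}")
```

A name-only rule like this is one layer of a gateway policy; the attachment-blocking advice in the best practices below (dropping .exe, .scr, .pif and similar outright) catches the same messages regardless of naming.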

Symantec Gateway Security 5400 Series and Symantec Gateway Security v1.0
  • Antivirus component: An update for the Symantec Gateway Security AntiVirus engine to protect against the W32.Netsky.C worm is now available. Symantec Gateway Security users are advised to run LiveUpdate.
  • IDS/IPS component: No update is currently planned for this worm.
  • Full application inspection firewall component: By default, Symantec's full application inspection firewall technology protects against the propagation of the W32.Netsky.C@mm worm by blocking infected systems from directly sending email to the Internet.

Symantec Enterprise Firewall 7.0.x and Symantec VelociRaptor 1.5
By default, Symantec's full application inspection firewall technology protects against the propagation of the W32.Netsky.C@mm worm by blocking infected systems from directly sending email to the Internet.


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.

Removal using the W32.Netsky.C@mm Removal Tool
Symantec Security Response has developed a removal tool to clean the infections of W32.Netsky.C@mm. This is the easiest way to remove this threat and should be tried first.

Manual Removal
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Disable System Restore (Windows Me/XP).
  2. Update the virus definitions.
  3. Restart the computer in Safe mode or VGA mode.
  4. Run a full system scan and delete all the files detected as W32.Netsky.C@mm.
  5. Delete the value that was added to the registry.
For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.

For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article, "Antivirus Tools Cannot Clean Infected Files in the _Restore Folder," Article ID: Q263455.

2. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
  • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

    The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

3. Restarting the computer in Safe mode or VGA mode

Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.
  • For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode. For instructions, read the document, "How to start the computer in Safe Mode."
  • For Windows NT 4 users, restart the computer in VGA mode.

4. Scanning for and deleting the infected files
  1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with W32.Netsky.C@mm, click Delete.

5. Deleting the value from the registry

WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Navigate to the key:


  4. In the right pane, delete the value:

    "ICQ NET" = "%Windir%\winlogon.exe -stealth"

  5. Exit the Registry Editor.
