WORM SPREADS IN THE WILD
Virus Name : W32.Netsky.T@mm
Alias : I-Worm.NetSky.t,
W32/Netsky.t@MM , Win32.HLLM.Netsky.based,
W32/Netsky-T, Win32/Netsky.T@mm, WORM_NETSKY.T,
Virus type : Internet
level : Medium
a modified variant of Netsky.S worm.This mass
mailing worm spreads using e-mail addresses
collected from .eml, .txt, .php, .asp, .wab,
.doc, .sht, .oft, .msg, .vbs, .rtf, .uin, .shtm,
.cgi, .dhtm, .adb, .tbb, .dbx, .pl, .htm, .html,
.jsp, .wsh, .xml, .cfg, .mbx, .mdx, .mht, .mmf,
.nch, .ods, .stm, .xls, and .ppt files to
distribute infected messages.
Netsky.T worm arrives as
an e-mail attachment. The infected attachment
name, message body and subject is randomly chosen
by the worm.
infected mail subject will be one of the
Re: My details
Re: Thanks you!
Re: Your details
Re: Your document
Re: Your information
infected mail message body will be one of the
I have spent much time for the <random
I have sent the <random word>.
I have found the <random word>.
Your file is attached to this mail.
My <random word>.
My <random word> is attached.
I have spent much time for your document.
Your <random word>. ˇYour <random
word> is attached.
The requested <random word> is attached!
The <random word>.
The <random word> is attached.
See the document for details.
Please notice the attached document.
Please notice the attached <random word>.
Please have a look at the attached document.
Please have a look at the <random word>.
Note that I have attached your document.
Here is the document. ˇHere is the <random
For more information see the attached document.
For more details see the attached document.
Approved, here is the document.
Please, <random word>.
Please see the <random word>.
Please read the attached document.
Please read the <random word>.
Please read quickly.
infected mail sample is given below
When the worm file is
executed, it copies itself to Windows folder as
"EasyAV.exe". Netsky.T modifies
registry run section to load automatically on the
next startup. The registry modification is given
By default, %WINDOWS% will be C:\Windows in case
of Windows 95/98/ME/XP, C:\Winnt in case of
Windows NT/2000 ]
Netsky.T worm uses its
own SMTP engine to send infected messages. The
worm also removes registry entries created by
Mydoom.A and Mydoom.B worm. It opens port 6789 to
allow access to the infected system.
This Worm is also known
as I-Worm.NetSky.t, W32/Netsky.t@MM,
Win32/Netsky.T@mm, WORM_NETSKY.T, Win32:Netsky-T,
W32/Netsky.T.worm, Win32/Netsky.T and
How can I protect my
Solo has incorporated
W32.Netsky.T@mm in its signature file to protect
users from this worm attack. Solo antivirus
registered users are already protected from this
Worm. Make sure that you have installed
registered version of Solo Antivirus to protect
your system from all virus threats.
to remove this Worm?
you are already infected with this Worm, you can
remove it from your computer using Solo Antivirus
software. Use the following link
to Download 30 day trial version of
Solo antivirus to remove viruses from your
Solo anti-virus not only
scans for all viruses, it contains a unique System
Integrity Checker to protect you from
New Internet Worms, Backdoors and
malicious VB, Java Scripts. It also
effectively removes all existing Internet Worms,
File viruses, malicious VB, Java scripts,
Trojans, Backdoors, boot sector, partition table
and macro viruses.
purchase Solo antivirus using the link