Name:  W32/Netsky-K
Aliases:  NetSky.J,W32/Netsky.J@MM
Variants:  
Type:  Mass Mailer, Worm
Platforms: Windows 32-bit
Status:  in the wild
Threat:  V-CON 2 (low)
The following has been derived from information provided by Sophos, F-Secure, and Symantec.
Virus Characteristics
A new variant of the NetSky mass-mailing worm has been discovered. It is a Windows PE executable 27648 bytes long that carries its own SMTP engine, so it does not depend on the victim's mail client or configured relay to send itself. Messages generated by the worm have the following characteristics:
From: (spoofed sender address)
Subject: (one of the following)
Your product
Your letter
Re: corrected homework
Re: I've found your document
Re: Your bill
Re: hello again
Re: hi again
Re: part 3
Re: important document part 2
Re: important
Re: Your data
Re: Your application
Re: your music
Re: excel document
Re: Re: Re: word document
Re: Your details
Re: My details
Re: Your requested file
Re: Read it immediately
Re: Approved
Re: Your software
Re: my memberlist
Re: Your document
Re: Your file
Re: Your important document
www.<username>.tripod.com
Hi Mr. <username>
Moi <username>
Yours faithfully, <username>
Message to <username>
Hi Mrs. <username>
Is <username>.doc yours?
Is <username>.xls yours?
Whats up <username>
www.paypal.com/<username>
Best <username>
Love <username>
Good morning <username>
Have a good day <username>
Dear <username>
To <username> , it's me
Welcome <username>
Moin <username>
Hello <username>
Your account <username> is expired!
Hey <username>
www.<username>.freepage.com, your website
Hi <username>, your product
Hello <username>, your letter
Re: Hi <username>, your archive
Re: <username>, your text
Re: Hello <username>, your bill
Re: Hi <username>, your details
Re: Hello <username>, my details
Re: Hi <username>, your word file
Re: Hello <username>, your excel file
Re: Hi <username>, details
Re: Hello <username>, Approved
Re: Hello <username>, your software
Re: Hi <username>, your music
Re: Dear <username>, Here
Re: Re: Re: Hello <username>, your document
Re: Hi <username>
Re: Dear <username>, Hi
Re: Re: Hi <username>, your message
Re: Here <username>, your picture
Re: Hi <username>, here is the document
Re: Hello <username>, your document
Re: <username>, thanks!
Re: Re: <username>, thanks!
Re: Re: Hi <username>, document
Re: Hello <username>, document
Message Body: (one of the following, where %i is a random number. The password lines are lure text only: the attachment is a plain .pif executable, not an encrypted archive.)
My details are in the attached file.
I have corrected your document.
Please do not forget to read the important document.
I have an interesting document about you.
The sample is attached.
Your personal document is attached.
Your file is attached to this mail.
Note that I have attached your file.
The important document is attached.
Please read the document. It's important.
Your document is attached to this mail.
See the attachment for further details.
Your file is attached. Use this password for the file: %i.
Please read the attached file. Password for the file is %i.
Please have a look at the attached file. Password for decrypting is %i.
See the attached file for details. Password is %i.
Here is the file. My password is %i.
Your document is attached. Your password is %i.
Attachment: (one of the following where <username> is the recipient's name)
website_<username>.pif
your_product_<username>.pif
letter_<username>.pif
archive<username>.pif
your_text<username>.pif
bill_<username>.pif
your_details<username>.pif
<username>_details.pif
<username>_document_word.pif
<username>_document_excel.pif
<username>_my_details.pif
<username>_all_document.pif
<username>_application.pif
mp3music_<username>.pif
yours<username>.pif
document_<username>4351.pif
<username>_picture.pif
<username>_file.pif
<username>_message_details.pif
yourpicture<username>.pif
<username>_document_full.pif
<username>_your_message_part2.pif
<username>information.pif
<username>document.pif
<username>_your_document.pif
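The arrival characteristics above translate directly into a gateway rule. The following is an added example, not code from this advisory or from any anti-virus vendor, written in Python with only the standard library. It parses a raw message, matches the Subject against the worm's templates (a representative subset is embedded; <username> stands for the recipient's local-part), looks for the numeric-password lure in the body, and blocks anything carrying a .pif attachment by declared file name, which is also the gateway measure given under Preventative Measures below. The three messages are constructed inline as test data; the spoofed sender domain, the example.com recipients, the sample attachment bytes and the verdict names are assumptions of the example.

```python
"""Gateway-side detection for the Netsky-K arrival pattern.

Added example for this advisory, not code from the original page or from any
anti-virus vendor. Standard library only. Subject templates, password-lure
wording and the .pif rule come from the advisory; <username> stands for the
recipient's local-part. SAMPLES are constructed here, not real captures.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Representative subset of the advisory's subject templates.
SUBJECT_TEMPLATES = [
    "Your product",
    "Re: Your bill",
    "Re: Read it immediately",
    "Is <username>.doc yours?",
    "Your account <username> is expired!",
    "Re: Hello <username>, your bill",
    "Re: Re: Hi <username>, document",
]
USERNAME = r"(?P<user>[A-Za-z0-9._-]+)"
SUBJECT_PATTERNS = [
    re.compile(USERNAME.join(re.escape(p) for p in t.split("<username>")), re.I)
    for t in SUBJECT_TEMPLATES
]
# "Password for the file is %i" style lure text (%i is a random number).
PASSWORD_LURE = re.compile(r"password\b.{0,40}?\b\d{1,6}\b", re.I | re.S)
PIF_NAME = re.compile(r"\.pif$", re.I)


def recipient_localpart(msg):
    """Lower-cased local-part of the first To: address ('' if none)."""
    m = re.search(r"([^<\s,]+)@", msg.get("To", ""))
    return m.group(1).lower() if m else ""


def analyse(raw_bytes):
    """Return {'verdict': ..., 'indicators': {...}} for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = (msg.get("Subject") or "").strip()
    indicators = {}

    for pat in SUBJECT_PATTERNS:
        m = pat.fullmatch(subject)
        if m:
            indicators["subject_template"] = pat.pattern
            user = m.groupdict().get("user")
            if user and user.lower() == recipient_localpart(msg):
                indicators["subject_names_recipient"] = user
            break

    # Decide on the declared file name, not the Content-Type: the sender
    # controls both, but Windows runs a .pif by extension whatever the MIME type.
    pif_names = [
        part.get_filename() for part in msg.iter_attachments()
        if part.get_filename() and PIF_NAME.search(part.get_filename())
    ]
    if pif_names:
        indicators["pif_attachment"] = pif_names

    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and PASSWORD_LURE.search(body.get_content()):
        indicators["password_lure"] = True

    if "pif_attachment" in indicators:
        verdict = "block"        # the gateway rule from Preventative Measures
    elif "subject_template" in indicators and "password_lure" in indicators:
        verdict = "quarantine"   # worm-style lure, attachment missing or renamed
    else:
        verdict = "pass"         # a matching subject alone is too generic to act on
    return {"verdict": verdict, "indicators": indicators}


def build(subject, to, body, attachment=None):
    """Construct a sample message (test data for this example only)."""
    m = EmailMessage()
    m["From"] = "sender@spoofed.invalid"   # the worm forges From:
    m["To"] = to
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        name, ctype = attachment
        maintype, subtype = ctype.split("/")
        m.add_attachment(b"MZ\x90\x00", maintype=maintype, subtype=subtype, filename=name)
    return m.as_bytes()


SAMPLES = {
    "worm": build("Re: Hello alice, your bill", "alice@example.com",
                  "Please read the attached file. Password for the file is 4821.",
                  ("bill_alice.pif", "application/octet-stream")),
    "disguised": build("Quarterly numbers", "bob@example.com", "See attached.",
                       ("details.PIF", "text/plain")),
    "benign": build("Re: Your bill", "carol@example.com",
                    "The March invoice is attached as a PDF.",
                    ("invoice.pdf", "application/pdf")),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, analyse(raw))
```

A matching subject on its own yields "pass": "Re: Your bill" is an ordinary business subject, so the subject list serves as corroboration rather than a trigger. The .pif check is the decisive rule and deliberately ignores the Content-Type, which is under the sender's control; the "disguised" sample, a .PIF labelled text/plain, is still blocked.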
Payload
Upon execution, Netsky.K creates a mutex named "SkYnEt_AVP" in order to ensure only one instance of the worm is running.
The worm will copy itself to the WINDOWS folder under the file name Avpguard.exe.
The worm creates the following registry value so that it is run at Windows startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"MyAV" = "%windir%\avpguard.exe -av serv"
The worm deletes the following registry entries, some of which are associated with other viruses, Trojans, and applications:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Taskmon
Explorer
Windows Services Host
system.
msgsvr32
DELETE ME
service
Sentry
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Taskmon
Explorer
Windows Services Host
d3dupdate.exe
au.exe
OLE
gouday.exe
rate.exe
sysmon.exe
srate.exe
ssate.exe
sate.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
system
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch
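For incident response, the startup entry above is the host artefact to look for. The following is an added example, not code from this advisory or any vendor, written in Python: it parses the text of a Windows .reg export (for instance the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` collected from a suspect host; reg export writes UTF-16, so decode before calling) and reports the Run value "MyAV" or any value whose data launches avpguard.exe. The two exports at the bottom are constructed for the demonstration, as is the benign "UpdaterSvc" entry. One caveat the advisory itself supports: from March 16, 2004 the worm removes its own Run value, so an empty result does not prove the host is clean; %windir%\avpguard.exe should be checked as well.

```python
r"""Offline check of a Windows registry export for the Netsky-K startup entry.

Added example for this advisory, not code from the original page or any vendor.
Parses .reg text (e.g. from reg export HKLM\...\CurrentVersion\Run) and reports
values matching the persistence described above: the Run value "MyAV" or any
value whose data runs avpguard.exe. The exports below are constructed samples.
"""
import re

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_LINE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*")=(?P<data>.*)$')
WORM_VALUE_NAME = "myav"          # registry value name created by the worm
WORM_BINARY = "avpguard.exe"      # dropped into the Windows directory


def decode_string(literal):
    """Decode a quoted .reg string literal; hex:/dword: data is returned as-is."""
    if len(literal) >= 2 and literal.startswith('"') and literal.endswith('"'):
        # .reg doubles backslashes and escapes embedded quotes
        return re.sub(r'\\(["\\])', r"\1", literal[1:-1])
    return literal


def parse_reg(text):
    """Yield (key, value_name, value_data) for every value in a .reg export."""
    key = None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            yield key, decode_string(m.group("name")), decode_string(m.group("data"))


def find_netsky_persistence(text):
    """Return suspicious values as dicts; an empty list means no startup entry seen."""
    hits = []
    for key, name, data in parse_reg(text):
        in_run_key = key.lower().endswith(r"\currentversion\run")
        if (in_run_key and name.lower() == WORM_VALUE_NAME) or WORM_BINARY in data.lower():
            hits.append({"key": key, "name": name, "data": data})
    return hits


# Constructed sample exports (not real captures).
SAMPLE_INFECTED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdaterSvc"="C:\\Program Files\\Example\\updater.exe"
"MyAV"="C:\\WINDOWS\\avpguard.exe -av serv"
"""

SAMPLE_CLEAN = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdaterSvc"="C:\\Program Files\\Example\\updater.exe"
"""

if __name__ == "__main__":
    print("infected:", find_netsky_persistence(SAMPLE_INFECTED))
    print("clean:   ", find_netsky_persistence(SAMPLE_CLEAN))
```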
The worm will scan the following file types on drives C: through Z: for email addresses:
.xml
.wsh
.jsp
.dhtm
.cgi
.shtm
.msg
.oft
.sht
.dbx
.tbb
.adb
.doc
.wab
.asp
.uin
.rtf
.vbs
.html
.htm
.pl
.php
.txt
.eml
This worm will avoid sending messages to addresses containing the following strings:
icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abuse
messagelabs
skynet
andasoftwa
freeav
sophos
antivir
iruslis
noreply
automail
responder
The worm queries the following hard-coded DNS servers for the MX records of recipient domains, then delivers mail directly to the mail exchangers it finds:
199.5.157.128
195.185.185.195
151.189.13.35
204.57.55.100
193.189.244.205
145.253.2.171
193.141.40.42
195.117.6.25
194.25.2.133
194.25.2.132
194.25.2.131
193.193.158.10
212.7.128.165
199.166.31.3
193.193.144.12
217.5.97.137
195.20.224.234
194.25.2.130
194.25.2.129
212.185.252.136
199.166.29.3
212.185.252.73
199.166.28.10
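Both the resolver list above and the address-blocking advice under Preventative Measures describe the same network behaviour: a workstation resolving MX records on its own and then speaking SMTP to many Internet hosts. The following is an added example, not code from this advisory or any vendor, written in Python. It runs over connection log lines and flags any source host that sends DNS to one of the listed resolvers or opens TCP/25 to an unusual number of distinct destinations, while exempting the organisation's own mail relay, which legitimately shows the same fan-out. The resolver addresses are the advisory's; the key=value log format, the 10.1.0.0/16 addressing, the relay address 10.1.0.25, the fan-out threshold of 5 and the TEST-NET destination addresses are assumptions constructed for the demonstration.

```python
"""Network-side detection of Netsky-K style direct-to-MX mail delivery.

Added example for this advisory, not code from the original page or any vendor.
The resolver addresses are those listed in the advisory; the log format, the
internal addressing, the relay address and the threshold are assumptions, and
SAMPLE_LOG is constructed for the demonstration.
"""
import re
from collections import defaultdict

# DNS servers the worm queries for MX records (from the advisory).
NETSKY_RESOLVERS = {
    "199.5.157.128", "195.185.185.195", "151.189.13.35", "204.57.55.100",
    "193.189.244.205", "145.253.2.171", "193.141.40.42", "195.117.6.25",
    "194.25.2.133", "194.25.2.132", "194.25.2.131", "193.193.158.10",
    "212.7.128.165", "199.166.31.3", "193.193.144.12", "217.5.97.137",
    "195.20.224.234", "194.25.2.130", "194.25.2.129", "212.185.252.136",
    "199.166.29.3", "212.185.252.73", "199.166.28.10",
}
# Hosts allowed to speak SMTP to the Internet (assumed: the corporate relay).
MAIL_RELAYS = {"10.1.0.25"}
# Distinct external TCP/25 peers before a host is reported as a mass mailer (assumed).
SMTP_FANOUT_THRESHOLD = 5

# Assumed firewall log format: one connection per line, key=value fields.
LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in the format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def analyse_logs(lines):
    """Return {src: {'reasons': [...], 'resolvers': [...], 'smtp_peers': n}}."""
    per_host = defaultdict(lambda: {"resolvers": set(), "smtp_peers": set()})
    for rec in filter(None, map(parse_line, lines)):
        src, dst = rec["src"], rec["dst"]
        # Direct use of the worm's hard-coded resolvers instead of the local DNS.
        if rec["dport"] == 53 and dst in NETSKY_RESOLVERS:
            per_host[src]["resolvers"].add(dst)
        # SMTP that bypasses the relay, from a host that is not itself a relay.
        if (rec["proto"] == "tcp" and rec["dport"] == 25
                and src not in MAIL_RELAYS and dst not in MAIL_RELAYS):
            per_host[src]["smtp_peers"].add(dst)

    findings = {}
    for host, d in per_host.items():
        reasons = []
        if d["resolvers"]:
            reasons.append("dns_to_listed_resolver")
        if len(d["smtp_peers"]) >= SMTP_FANOUT_THRESHOLD:
            reasons.append("direct_smtp_fanout")
        if reasons:
            findings[host] = {"reasons": reasons,
                              "resolvers": sorted(d["resolvers"]),
                              "smtp_peers": len(d["smtp_peers"])}
    return findings


# Constructed sample: 10.1.4.22 is infected, 10.1.4.23 is a clean workstation,
# 10.1.0.25 is the relay whose outbound SMTP fan-out is legitimate.
SAMPLE_LOG = """\
2004-03-10T10:02:51 src=10.1.4.22 dst=194.25.2.129 proto=udp dport=53 action=allow
2004-03-10T10:02:51 src=10.1.4.22 dst=194.25.2.130 proto=udp dport=53 action=allow
2004-03-10T10:02:52 src=10.1.4.22 dst=192.0.2.10 proto=tcp dport=25 action=allow
2004-03-10T10:02:52 src=10.1.4.22 dst=192.0.2.11 proto=tcp dport=25 action=allow
2004-03-10T10:02:53 src=10.1.4.22 dst=198.51.100.7 proto=tcp dport=25 action=allow
2004-03-10T10:02:53 src=10.1.4.22 dst=198.51.100.8 proto=tcp dport=25 action=allow
2004-03-10T10:02:54 src=10.1.4.22 dst=203.0.113.5 proto=tcp dport=25 action=allow
2004-03-10T10:02:54 src=10.1.4.22 dst=203.0.113.6 proto=tcp dport=25 action=allow
2004-03-10T10:03:10 src=10.1.4.23 dst=10.1.0.53 proto=udp dport=53 action=allow
2004-03-10T10:03:11 src=10.1.4.23 dst=10.1.0.25 proto=tcp dport=25 action=allow
2004-03-10T10:03:20 src=10.1.0.25 dst=192.0.2.10 proto=tcp dport=25 action=allow
2004-03-10T10:03:21 src=10.1.0.25 dst=198.51.100.7 proto=tcp dport=25 action=allow
2004-03-10T10:03:22 src=10.1.0.25 dst=203.0.113.5 proto=tcp dport=25 action=allow
2004-03-10T10:03:23 src=10.1.0.25 dst=203.0.113.6 proto=tcp dport=25 action=allow
2004-03-10T10:03:24 src=10.1.0.25 dst=192.0.2.11 proto=tcp dport=25 action=allow
2004-03-10T10:03:25 src=10.1.0.25 dst=198.51.100.8 proto=tcp dport=25 action=allow
"""

if __name__ == "__main__":
    for host, info in analyse_logs(SAMPLE_LOG.splitlines()).items():
        print(host, info)
```

The fan-out rule carries the weight here: a resolver list is only as good as the sample it was taken from, whereas a workstation that delivers mail straight to Internet mail exchangers is anomalous for any mass mailer with its own SMTP engine. The relay exemption is what keeps the rule usable; without it the organisation's own mail server is the first host flagged.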
If the system time is between 10:00am and 10:59am on March 10, 2004, the computer's speaker will beep in a continuous loop for a random period of time at a random tone.
If the system date is March 13, 2004, the worm displays a message box titled "Information" with the following text:
"SkyNet has the full control of your system"
On March 16, 2004 Netsky.K listens for a connection on TCP port 26. If a connection is made, the worm displays a message box titled "Information" with the following text:
"Please remove the file avpguard.exe from your Windows-Directory and do not open attachments anymore. It can be virus like bagle and mydoom or similar malicious code. This is the Skynet-Antivirus!"
It then deletes its own startup entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"MyAV" = "%windir%\avpguard.exe -av serv"
Preventative Measures
Block all attachments with the .PIF extension at the message gateway where possible. Match on the declared file name rather than the MIME type, which is under the sender's control.
Block traffic from client systems to the following IP addresses, which the worm queries as DNS resolvers for its MX lookups. Because the worm delivers mail with its own SMTP engine, also restrict outbound TCP port 25 from workstations to the organisation's mail relay; this cuts off delivery regardless of which resolver the worm reaches:
199.5.157.128
195.185.185.195
151.189.13.35
204.57.55.100
193.189.244.205
145.253.2.171
193.141.40.42
195.117.6.25
194.25.2.133
194.25.2.132
194.25.2.131
193.193.158.10
212.7.128.165
199.166.31.3
193.193.144.12
217.5.97.137
195.20.224.234
194.25.2.130
194.25.2.129
212.185.252.136
199.166.29.3
212.185.252.73
199.166.28.10
Fixes Available
Network Associates:
No information at time of alert.
Symantec:
Virus Definitions (Intelligent Updater): March 09, 2004
Virus Definitions (LiveUpdate): March 10, 2004
Trend:
No information at time of alert.