SECURITY ALERT

Name:      Netsky.G
Aliases:   Win32.Netsky.G
Variants:  
Type:      Internet worm
Platforms: Windows 32-bit
Status:    Not known to be in the wild at this time
Threat:    V-CON 2 (low)

The following has been derived from information provided by F-Secure and Computer Associates.

Virus Characteristics

Netsky.G is a mass-mailing worm with its own SMTP engine. It arrives as an e-mail with a spoofed sender address and the following characteristics:

Subject: (One of the following)
Re: Document
Re: Re: Document
Re: Re: Thanks!
Re: Thanks!
Re: Your document
Re: Here is the document
Re: Your picture
Re: Re: Message
Re: Hi
Re: Hello
Re: Re: Re: Your document
Re: Here
Re: Your music
Re: Your software
Re: Approved
Re: Details
Re: Excel file
Re: Word file
Re: My details
Re: Your details
Re: Your bill
Re: Your text
Re: Your archive
Re: Your letter
Re: Your product
Re: Your website

Message body: (one of the following)
Your document is attached.
Here is the file.
See the attached file for details.
Please have a look at the attached file.
Please read the attached file.
Your file is attached.

Attachment Name: (One of the following)
your_document.pif
your_document.pif
document.pif
message_part2.pif
your_document.pif
document_full.pif
your_picture.pif
message_details.pif
your_file.pif
your_picture.pif
document_4351.pif
yours.pif
mp3music.pif
application.pif
all_document.pif
my_details.pif
document_excel.pif
document_word.pif
my_details.pif
your_details.pif
your_bill.pif
your_text.pif
your_archive.pif
your_letter.pif
your_product.pif
your_website.pif
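The subject, body and attachment lists above are exact strings, so they can be matched literally at a mail gateway. The following Python script is an added example (not code from the alert or from F-Secure/CA): it parses an RFC 822 message with the standard library, scores it against the indicators transcribed from the lists above (duplicate attachment names collapsed into one set), and applies the alert's own preventative measure of blocking any .pif attachment regardless of the other fields. The two sample messages are constructed inline for the purpose of the example; the sender is deliberately not used for detection because the alert states it is spoofed.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators transcribed from the alert above (attachment duplicates removed).
NETSKY_G_SUBJECTS = {
    "Re: Document", "Re: Re: Document", "Re: Re: Thanks!", "Re: Thanks!",
    "Re: Your document", "Re: Here is the document", "Re: Your picture",
    "Re: Re: Message", "Re: Hi", "Re: Hello", "Re: Re: Re: Your document",
    "Re: Here", "Re: Your music", "Re: Your software", "Re: Approved",
    "Re: Details", "Re: Excel file", "Re: Word file", "Re: My details",
    "Re: Your details", "Re: Your bill", "Re: Your text", "Re: Your archive",
    "Re: Your letter", "Re: Your product", "Re: Your website",
}
NETSKY_G_BODIES = {
    "Your document is attached.", "Here is the file.",
    "See the attached file for details.", "Please have a look at the attached file.",
    "Please read the attached file.", "Your file is attached.",
}
NETSKY_G_ATTACHMENTS = {
    "your_document.pif", "document.pif", "message_part2.pif", "document_full.pif",
    "your_picture.pif", "message_details.pif", "your_file.pif", "document_4351.pif",
    "yours.pif", "mp3music.pif", "application.pif", "all_document.pif",
    "my_details.pif", "document_excel.pif", "document_word.pif", "your_details.pif",
    "your_bill.pif", "your_text.pif", "your_archive.pif", "your_letter.pif",
    "your_product.pif", "your_website.pif",
}


def classify_message(raw: bytes) -> dict:
    """Score one RFC 822 message (as bytes) against the Netsky.G indicators.

    'action' follows the alert's preventative measure: any .pif attachment is
    blocked outright, whether or not the rest of the message matches.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]

    subject_match = subject in NETSKY_G_SUBJECTS
    body_match = body in NETSKY_G_BODIES
    pif_attachment = any(n.endswith(".pif") for n in names)
    known_attachment = any(n in NETSKY_G_ATTACHMENTS for n in names)
    return {
        "subject_match": subject_match,
        "body_match": body_match,
        "pif_attachment": pif_attachment,
        "known_attachment": known_attachment,
        # Subject plus a known attachment name is what ties the message to this
        # variant; the body lines are too generic to be decisive on their own.
        "netsky_g": subject_match and known_attachment,
        "action": "block" if pif_attachment else "allow",
    }


def build_sample(sender: str, subject: str, body: str, filename: str, payload: bytes) -> bytes:
    """Build a test message offline (constructed sample data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Constructed samples; the "worm" payload is an inert placeholder, not worm code.
WORM_SAMPLE = build_sample("someone@spoofed.example", "Re: Your document",
                           "Your document is attached.", "your_document.pif",
                           b"MZ-placeholder-not-a-real-executable")
CLEAN_SAMPLE = build_sample("colleague@example.test", "Q2 budget",
                            "Numbers attached, see tab 3.", "budget.txt",
                            b"2004,Q2,12000")

if __name__ == "__main__":
    for label, sample in (("worm", WORM_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, classify_message(sample))
```

Because the worm's strings are fixed, an exact-match rule like this is cheap and has a low false-positive rate for this variant; the .pif block is the part that still catches the next variant with a changed subject list.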

To harvest e-mail addresses, the worm scans all available drives, including mapped network drives but excluding CD-ROM drives, for addresses in files with the following extensions:
.eml
.txt
.php
.pl
.htm
.html
.vbs
.rtf
.uin
.asp
.wab
.doc
.adb
.tbb
.dbx
.sht
.oft
.msg
.shtm
.cgi
.dhtm

However, Netsky.G does not send to addresses that contain any of the following strings. Most entries omit the leading letter (for example "icrosoft", "ymantec"), so a plain substring test matches the name whether or not it is capitalized:
icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abuse
messagelabs
skynet
andasoftwa
freeav
sophos
antivir
iruslis

When run, the worm copies itself to the Windows folder (%Windir%) as AVGUARD.EXE and creates a Run value in the registry so that it is executed at every Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Special Firewall Service" = "%windir%\avguard.exe -av service"

The worm also creates a mutex named "Netsky AV Guard" to avoid running more than one instance of itself.

Netsky.G also deletes the following registry keys and values, if present, in an attempt to remove other worms from the systems it infects, notably several variants of W32.Bagle@mm (some of the entries, such as "Taskmon" and "Explorer", belong to W32.Mydoom@mm variants). Note that the first three items are whole keys; the rest are individual values under the Run and RunServices keys:

HKEY_CURRENT_USER\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"system."

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"KasperskyAv"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Explorer"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Taskmon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"system."

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"msgsvr32"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"DELETE ME"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"service"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Sentry"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Windows Services Host"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"KasperskyAv"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Explorer"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"OLE"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Windows Services Host"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"d3dupdate.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"au.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"sysmon.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"rate.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"gouday.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"sate.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"ssate.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"srate.exe"
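The persistence value described above and the list of other-worm entries that Netsky.G removes can both be checked offline from a registry export. The following Python script is an added example (not code from the alert or from F-Secure/CA): it parses the `[key]` / `"name"="value"` lines of a .reg export, reports the "Special Firewall Service" value when it points at avguard.exe with the `-av service` argument, and also reports any of the Bagle/Mydoom entries listed above that are still present. The sample export embedded in the script is constructed for the example; the d3dupdate.exe path and the VMware Tools entry in it are illustrative and not taken from the alert.

```python
import re

# Netsky.G's own persistence entry, as given in the alert.
HKLM_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUNSERVICES = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
NETSKY_G_RUN_VALUE = "Special Firewall Service"
NETSKY_G_COMMAND_RE = re.compile(r"avguard\.exe\s+-av\s+service\s*$", re.IGNORECASE)

# Entries the alert says Netsky.G deletes (persistence of other worms).
REMOVED_VALUES = {
    (HKCU_RUNSERVICES, "system."),
    *((HKLM_RUN, n) for n in ("KasperskyAv", "Explorer", "Taskmon", "system.", "msgsvr32",
                              "DELETE ME", "service", "Sentry", "Windows Services Host")),
    *((HKCU_RUN, n) for n in ("KasperskyAv", "Explorer", "OLE", "Windows Services Host",
                              "d3dupdate.exe", "au.exe", "sysmon.exe", "rate.exe",
                              "gouday.exe", "sate.exe", "ssate.exe", "srate.exe")),
}
REMOVED_KEYS = {
    r"HKEY_CURRENT_USER\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch",
}
# Registry key and value names are case-insensitive, so compare lower-cased.
_REMOVED_VALUES_LC = {(k.lower(), n.lower()) for k, n in REMOVED_VALUES}
_REMOVED_KEYS_LC = {k.lower() for k in REMOVED_KEYS}

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str):
    """Parse a .reg export into (keys_seen, {(key, value_name): value}).

    Only REG_SZ values are unescaped; dword:/hex: values are kept as raw text,
    which is enough for Run/RunServices entries. Default (@=) values and
    multi-line hex continuations are skipped.
    """
    keys, entries, key = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            keys.append(key)
            continue
        m = _VALUE_LINE.match(line)
        if m and key is not None:
            name, raw = _unescape(m.group(1)), m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                raw = _unescape(raw[1:-1])
            entries[(key, name)] = raw
    return keys, entries


def find_indicators(keys, entries) -> dict:
    """Return Netsky.G's persistence entry and any other-worm entries still present."""
    netsky, other_values = [], []
    for (key, name), value in entries.items():
        k, n = key.lower(), name.lower()
        if (k == HKLM_RUN.lower() and n == NETSKY_G_RUN_VALUE.lower()
                and NETSKY_G_COMMAND_RE.search(value)):
            netsky.append((key, name, value))
        if (k, n) in _REMOVED_VALUES_LC:
            other_values.append((key, name, value))
    other_keys = [k for k in keys if k.lower() in _REMOVED_KEYS_LC]
    return {"netsky_g": netsky, "other_worm_values": other_values, "other_worm_keys": other_keys}


# Constructed sample export (not a capture from a real host).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Special Firewall Service"="C:\\WINDOWS\\avguard.exe -av service"
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d3dupdate.exe"="C:\\WINDOWS\\System32\\d3dupdate.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch]
"Start"=dword:00000002
'''

if __name__ == "__main__":
    keys, entries = parse_reg_export(SAMPLE_REG_EXPORT)
    for label, hits in find_indicators(keys, entries).items():
        print(label, hits)
```

On a live host the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKCU equivalents); read the file with `encoding="utf-16"`, since reg export writes UTF-16 with a byte-order mark. The file %Windir%\avguard.exe and the "Netsky AV Guard" mutex are live-host checks that an offline export cannot answer, so confirm those separately.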

Unlike earlier variants, Netsky.G does not copy itself into folders whose names contain the string "shar".

It is also reported that on March 10th, 2004 the worm beeps continuously through the PC speaker between 6:00am and 8:59am.


Payload

Mass mailing
Modifies/Deletes Registry Keys
Generates Beeping sounds from the PC speaker


Preventative Measures

Block, at the messaging gateway, all inbound messages that carry .pif attachments (the only attachment type this variant uses) or .zip attachments.


Fixes Available

Information unavailable at time of alert.
