{
	"id": "2fd47c3c-1333-412b-8dc5-137cec3047d6",
	"created_at": "2026-04-06T00:15:48.714327Z",
	"updated_at": "2026-04-10T13:11:39.186863Z",
	"deleted_at": null,
	"sha1_hash": "ca38e5860ec821d2fcca846b424349349cb1120b",
	"title": "Worm:W32/NetSky.H | F-Secure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89480,
	"plain_text": "Worm:W32/NetSky.H | F-Secure\r\nArchived: 2026-04-05 13:29:00 UTC\r\nClassification\r\nAliases:\r\nNetSky.H, W32/NetSky.H@mm, I-Worm.NetSky.h, W32.NetSky.H@mm\r\nSummary\r\nYet another NetSky worm variant - NetSky.H was found on 5th of March 2004. This variant is very close to\r\nNetSky.G variant. It spreads itself in emails as an executable attachment.This worm contains another, but this time\r\nless insulting message for the authors of Bagle and Mydoom. And like its previous variants NetSky.H tries to\r\nuninstall Bagle worm variants from an infected computer.\r\nRemoval\r\nBased on the settings of your F-Secure security product, it will either move the file to the quarantine where it\r\ncannot spread or cause harm, or remove it.\r\nA False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles\r\nknown harmful programs. A False Positive will usually be fixed in a subsequent database update without any\r\naction needed on your part. 
If you wish, you may also:\r\nCheck for the latest database updates\r\nFirst, check if your F-Secure security program is using the latest updates, then try scanning the file again.\r\nSubmit a sample\r\nAfter checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.\r\nNote: If the file was moved to quarantine, you need to collect the file from quarantine before you can\r\nsubmit it.\r\nExclude a file from further scanning\r\nIf you are certain that the file is safe and want to continue using it, you can exclude it from further scanning\r\nby the F-Secure security product.\r\nNote: You need administrative rights to change the settings.\r\nTechnical Details\r\nhttps://www.f-secure.com/v-descs/netsky-h.shtml\r\nPage 1 of 5\n\nDescriptions of all previous NetSky worm variants can be found here:\r\nW32/NetSky.A@mm\r\nW32/NetSky.B@mm\r\nW32/NetSky.C@mm\r\nW32/NetSky.D@mm\r\nW32/NetSky.E@mm\r\nW32/NetSky.F@mm\r\nW32/NetSky.G@mm\r\nThe worm's file is a PE executable file 22528 bytes long, packed with PE-Pack file compressor. The unpacked\r\nfile's size is over 28 kilobytes.\r\nOn March 8th, 2004 the worm constantly beeps with PC speaker from 11:00 to 11:59. Below is the link to the\r\nWAV file with the sound that the worm makes: https://www.f-secure.com/virus-info/v-pics/netsky_d.wav\r\nNetSky.H worm doesn't copy its files to shared folders.\r\nInstallation to system\r\nWhen run, the worm installs itself to system. 
It copies its file to Windows folder as MAJA.EXE and creates a\r\nstartup key for this file in System Registry:\r\n [HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run] \"Antivirus\" = \"%windir%\\maja.exe -antivirus se\r\nwhere %windir% represents Windows directory\r\nThe worm creates a mutex named \"MI[SkyNet.cz]SystemsMutex\" to avoid running more than one instance of\r\nitself.\r\nSpreading in emails\r\nNetSky.H worm has its own SMTP engine that it uses to send emails with infected attachments to all found email\r\naddresses. The worm uses different subjects, message body texts and attachment names in its emails.\r\nThe worm scans all available drives except CD-ROM drives for emails. It searches for email addresses in files\r\nwith the following extensions:\r\n .eml .txt .php .pl .htm .html .vbs .rtf .uin .asp .wab .doc .adb .tbb .dbx .sht .oft .msg .shtm .cgi\r\nThe subject for infected messages is selected from the following list:\r\n Re: Samples Re: Document Re: Approved Re: Here the file Re: Yours Re: Your file Re: Your folder Re:\r\nThe message body text for infected messages is selected from the following list:\r\nYour document is attached. Here is the file. See the attached file for details. 
Please have a look a\r\nThe attachment name for infected messages is selected from the following list:\r\n your_smaples.scr your_document.scr document.scr message_part2.scr your_document.scr document_full.sc\r\nThe worm avoids sending emails to email addresses that contain any of the following substrings:\r\n icrosoft antivi ymantec spam avp f-secur itdefender orman cafee aspersky f-pro orton fbi abus messag\r\nDeleting Registry keys and disinfecting Bagle worm\r\nThe NetSky.H worm variant of the worm deletes the following Registry keys:\r\n [HKCR\\CLSID\\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\\InProcServer32] [HKCU\\Software\\Microsoft\\Windows\\\r\nNetSky.H worm removes Registry keys of several Bagle worm variants if it finds them on an infected computer.\r\nAt least the last 8 keys listed above belong to earlier Bagle variants.\r\nSource: https://www.f-secure.com/v-descs/netsky-h.shtml",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.f-secure.com/v-descs/netsky-h.shtml"
	],
	"report_names": [
		"netsky-h.shtml"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434548,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ca38e5860ec821d2fcca846b424349349cb1120b.pdf",
		"text": "https://archive.orkl.eu/ca38e5860ec821d2fcca846b424349349cb1120b.txt",
		"img": "https://archive.orkl.eu/ca38e5860ec821d2fcca846b424349349cb1120b.jpg"
	}
}