Unable to kill virus - suspect netsky variant -

Posted on 2004-04-19
Last Modified: 2012-08-13
Win2k3 domain (4 servers)
Exchange 2k
20 users
Have recently installed GFI mailsweeper software as we were suspicious of mails etc., and it has shown returned messages to a user we do not have called "SALES37314939" (see below). This user has sent 2730+ messages in the past 6 days (since we switched the GFI on) -

Subject: - Email has different SMTP TO: and MIME TO: fields in the email addresses - Mail delivery failed: returning message to sender
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

We cannot find any reference to this user in our AD or our exchange or on any server registry. I cannot find it in adsiedit (although there is no search facility so I may have missed it).
We have taken every PC and server off the network and booted them in safe mode - then run McAfee/CA and Norton netsky "fixers", which have yielded 6 occurrences on the mail server and nothing else.

My own belief is that there is a rogue smtp service (which is how netsky is supposed to run) somewhere on my network - this is kind of borne out by the fact that no mails were sent over the weekend.

Any ideas for tracking this down would be appreciated

Question by: BuckChrisBuck

Author Comment

ID: 10860081
In addition, I have just done a text search for "SALES37314939" across c$ for the mail server and have found 7332 files in the badmail subdir in exchange, 3x358mb files in a log directory and 40x5mb files in the mdbdata directory.

Expert Comment

ID: 10867012
Does your AV software identify the emails as Netsky?

The latest netsky (netsky.w) uses a file called 'C:\WINDOWS\VisualGuard.exe' maybe you could search your network for that.

If you know what version of the virus you are getting, you can use to find the details, then look up what the actual virus file is called.

If you're not sure of the version maybe you could scan your exchange server with stinger (, it should report the version (and clean it too).


Author Comment

ID: 10867167
Thanks for your response.
We have already run the stinger, having booted in safe mode, on not only the servers but all computers on our network over a one hour period last week.
We believe that it is both netsky.p and netsky.b as we have found instances of both, but even when trying to remove them manually by changing registry keys as per the instructions, we cannot do it (the keys are already correct). The stinger did find 6 occurrences of netsky on the exchange server and cleaned them, but I believe that the smtp server sending out is not on the server as no emails were sent over the weekend.
Any other thoughts?



Expert Comment

ID: 10867389
I use a kixtart script ( that runs at logon that looks for some virus files and stops the user from logging on if it finds them.  This helps to locate problems on the network (I have 400+ PCs).

Netsky.p uses (to run itself):
Run "Norton Antivirus AV" = %WinDir%\FVProtect.exe

Netsky.b uses:
SERVICES.EXE (not the system folder version)
CurrentVersion\Run "service" = C:\WINNT\services.exe -serv

Maybe you could use kixtart (or another script) to find these files on your PCs. Then clean any that are infected.

You could try something like...

   rem Look for the files Netsky.P and Netsky.B drop and branch to the matching alert.
   rem "if exist" tests the file directly, so the result does not depend on the
   rem errorlevel that dir returns on a given version of Windows.
   if exist %windir%\fvprotect.exe goto Alertp
   if exist %windir%\services.exe goto Alertb
   goto end

   :Alertp
      echo you have netsky.p call your administrator
      goto end

   :Alertb
      echo you have netsky.b call your administrator

   :end

Put this in a login script: if the files exist the error level is 0 so the script continues; if they don't exist it generates a level of 2 and will then do the notice. You could include a 'net send' command to send an alert to yourself.

Alternatively you could change the %windir% to \\[pc name]\admin$ and run the script from your PC. This assumes you have the admin$ share on your clients and you have access to them; of course you'll change the [pc name] to the correct netbios name for the pc you want to check.


Author Comment

ID: 10879589
Thanks acmp, I put your idea to work - I needed to amend it slightly, adding a c: at the top so it checked locally, and I also added a net name command in so that I could easily see who was what.....
No dice however - all users logged on and none giving me any issues or showing these files.
According to my gateway, at 13:13:43 today my rogue user sent out 910 emails each to different addresses all the same size.
Frustrating problem this one.......

Expert Comment

ID: 10887081
Do the outgoing emails have any useful information in the headers?  Maybe you could post one for us to look at?


Author Comment

ID: 10888940
Have switched gateway to capture all inbound and outbound emails so I will post one as soon as we get it (they are random and usually about 900 in 1 second - cannot yet find a trigger). Chris

Author Comment

ID: 10898132
OK - Here is the header from one of the 910 mails sent out this morning

Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.0);
       Tue, 13 Apr 2004 13:38:49 +0100
-----Original Message-----
Sent: 21 April 2004 19:07
TO: fields in the email addresses - failure notice

Hi. This is the qmail-send program at
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

Sorry, I couldn't find any host named (#5.1.2)

--- Below this line is a copy of the message.

Return-Path: <>
Received: (qmail 26787 invoked by uid 1002); 21 Apr 2004 18:06:50 -0000
Received: (qmail 26541 invoked from network); 21 Apr 2004 18:05:46 -0000
Received: from (HELO (
  by with SMTP; 21 Apr 2004 18:05:46 -0000
Received: from ([]) by with Microsoft SMTPSVC(5.0.2195.5329);
  Wed, 21 Apr 2004 18:25:21 +0100
Received: by (Microsoft Connector for POP3 Mailboxes 5.00.2195) with SMTP (Global POP3 Download)
  id; Wed, 21 Apr 2004 18:20:20 +0100
Return-path: <>
Received: from (unverified []) by
 (Vircom SMTPRS with ESMTP id <> for <>;
 Wed, 21 Apr 2004 15:21:35 +0100
Received: from ( [])
 by (8.12.8/8.12.8) with ESMTP id i3LEMWBx027231
 for <>; Wed, 21 Apr 2004 15:22:33 +0100
Received: from [] (helo=dc1.LPC.local)
 by with smtp (Exim 4.30)
 id 1BGIYN-0003fn-Oa; Wed, 21 Apr 2004 14:18:21 +0000
Received: from dc1.LPC.local ([]) by dc1.LPC.local with Microsoft SMTPSVC(5.0.2195.5329);
  Wed, 21 Apr 2004 15:16:37 +0100
Received: by dc1.LPC.local (Microsoft Connector for POP3 Mailboxes 5.00.2195) with SMTP (Global POP3 Download)
  id; Wed, 21 Apr 2004 15:15:36 +0100
Received: from (actually host by dswu27 with SMTP (XT-PP) with ESMTP; Wed, 21 Apr 2004 15:03:51 +0100
Received: from ([]
 by with esmtp (Exim 4.30)
 id 1BGIJP-0002yK-8n
 for; Wed, 21 Apr 2004 15:03:17 +0100
Received: from ([]) by with Microsoft SMTPSVC(5.0.2195.5329);
  Wed, 21 Apr 2004 13:46:33 +0100
Received: by (Microsoft Connector for POP3 Mailboxes 5.00.2195) with SMTP (Global POP3 Download)
  id; Wed, 21 Apr 2004 13:45:47 +0100
Received: from (unverified []) by
 (Vircom SMTPRS with ESMTP id <> for <>;
 Wed, 21 Apr 2004 13:23:04 +0100
Received: from ([])
 by (8.12.8/8.12.8) with ESMTP id i3LCGIiB017804
 for <>; Wed, 21 Apr 2004 13:16:22 +0100
Received: from ([]) by with Microsoft SMTPSVC(6.0.3790.0);
  Tue, 13 Apr 2004 13:38:49 +0100
Subject: RE: Residential sites needed
Date: Wed, 10 Mar 2004 17:20:21 +0100
Message-ID: <>
MIME-Version: 1.0
Content-Type: multipart/alternative;
Thread-Topic: Residential sites needed
Thread-Index: AcQGufjfKgvKAFHQTS+QtrGOCGuBogAACJtQAABa6vA=
From: "Sales" <>
content-class: urn:content-classes:message

Accepted Solution

acmp earned 250 total points
ID: 10916088
The first IP in the list is a private address,, does this match your IP range?

The second IP ( looks like a valid BT Openworld address.

The whole message looks like a normal NDR (non delivery response) from

I'm not convinced that you have a virus. If I had to guess I'd say that you are either being used as a mail relay or someone is spoofing emails from your domain for spamming. The subject 'Residential sites needed' just sounds spammy to me.

Maybe you could check your email server is relay free at You may want to create an account (free) for a proper test, but the anonymous test may give some useful results
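A defender's way to read a chain like the one posted above, as added example code that is not from the thread or any of its participants: parse the Received: hops, take the IP each receiving server observed (not the name the sender claimed in HELO), and check whether the oldest hop, where the mail entered the chain, lies inside the local private range. The hostnames, addresses and mailbox name in the sample are constructed placeholders.

```python
import ipaddress
import re
# Constructed sample bounce headers (invented placeholder hosts, not from the thread).
SAMPLE_HEADERS = """\
Received: from mx.isp.example ([203.0.113.7]) by dc1.LPC.local with Microsoft SMTPSVC(6.0.3790.0);
   Wed, 21 Apr 2004 15:16:37 +0100
Received: from relay2.isp.example ([198.51.100.22])
   by mx.isp.example with esmtp (Exim 4.30); Wed, 21 Apr 2004 15:03:17 +0100
Received: from [192.168.1.50] (helo=dc1.LPC.local)
   by relay2.isp.example with smtp (Exim 4.30); Wed, 21 Apr 2004 14:18:21 +0000
From: "Sales" <SALES37314939@lpc.example>
"""
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold_headers(raw):
    """Join folded continuation lines; return a list of (name, value) pairs."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

def received_hops(raw):
    """(claimed_from, observed_ip, by_host) per Received: header, newest first; the HELO
    name is sender-supplied, the bracketed IP is what the receiving server saw."""
    hops = []
    for name, value in unfold_headers(raw):
        if name.lower() != "received":
            continue
        frm = re.match(r"from\s+(\S+)", value)
        ip = IPV4_IN_BRACKETS.search(value)
        by = re.search(r"\bby\s+(\S+)", value)
        hops.append((frm.group(1) if frm else "?", ip.group(1) if ip else None,
                     by.group(1) if by else "?"))
    return hops

def origin(raw, internal_nets=("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")):
    """The bottom Received: header is the oldest, i.e. where the mail entered the chain.
    Caveat: headers below the ones your own servers added can be forged by the sender."""
    hops = received_hops(raw)
    if not hops:
        return None
    from_host, ip, by_host = hops[-1]
    inside = ip is not None and any(
        ipaddress.ip_address(ip) in ipaddress.ip_network(net) for net in internal_nets)
    return {"from": from_host, "ip": ip, "handed_to": by_host, "internal": inside}
```

If the entry hop is an internal address handed straight to an outside relay, the sending host is on your LAN; if it is an outside address, the local domain is being spoofed and the bounces are backscatter.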


Author Comment

ID: 11004397
I have fixed this. Using the Trend scanner seems to be the only way to get rid of it in our situation - once again we shut everything down, turned off the ethernet switches (to stop network activity), booted every machine in safe mode and ran Trend.
No virus activity for 2 weeks now so I guess this is a closed call. Thanks acmp for your help. You did not solve the problem, but I would like to give you some points anyway for being so helpful.
I was unable to get the relay thing working - I tried several times but the registration email never came through, so maybe the service has stopped - Chris
