W32.Netsky family of worms

Discovery began in February 2004

W32.Netsky family of worms scans for email addresses on all non-CD-ROM drives on the infected computer. Then, the worm uses its own SMTP engine to send itself to the email addresses that it finds.

The From line of the email is spoofed, and its Subject, Message, and Attachment vary. The attachment has a .pif extension.

All variants of Netsky spread as e-mail attachments. As a good computer security practice, don't open any attachments that you are not expecting. Since the message could appear to be sent from an address you know, be very careful with attachments from any source. If you are unsure, you may wish to e-mail that person to verify the attachment is safe.


There is a removal tool for the more common variants of the Netsky virus. For more information about the removal tool, please visit this Symantec webpage.

You can find more information and removal instructions as tools for each variant from Symantec from the following links: