Summary

| Protection available since | 5 March 2004 10:52:35 (GMT) |
|---|---|
| Detected by | All Sophos products |

Action
Please follow the instructions for removing worms.
Please follow the instructions for removing W32/Netsky-H.
More Information
W32/Netsky-H is a worm that spreads via email.
In order to run automatically when the user logs on to the computer, the worm copies itself to the file maja.exe in the Windows folder and creates the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus = "<Windows>\maja.exe -antivirus service"
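As an added defender-side example (not from the Sophos page or any Sophos tool), the following Python parses a registry export in `.reg` text format and reports any Run value that launches `maja.exe` or that carries the `Antivirus` value name together with the `-antivirus service` argument described above. The sample export text is constructed, the inclusion of the HKCU Run key alongside HKLM is an assumption, and only string (`"name"="data"`) values are considered.

```python
import re

# Indicators from the W32/Netsky-H description: the Run value name, the
# dropped file name and the argument string. The <Windows> path varies per
# host, so the check matches on the file name rather than the full path.
NETSKY_H_VALUE_NAME = "antivirus"
NETSKY_H_FILE_NAME = "maja.exe"
NETSKY_H_ARGS = "-antivirus service"

# Run keys under both hives (assumption: HKCU is checked as well as HKLM).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Parse REGEDIT/5.00 export text into {key_path: {value_name: data}}.

    Only REG_SZ values (the "name"="data" form) are kept; hex/dword values
    are skipped because Run entries are strings.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = _STRING_VALUE_RE.match(line)
        if value_match and current is not None:
            name, data = (_unescape(g) for g in value_match.groups())
            keys[current][name] = data
    return keys


def _executable_name(command):
    # First token of the command line with surrounding quotes removed, then
    # the last path component. Quoted paths containing spaces are not handled.
    tokens = command.split()
    first = tokens[0].strip('"') if tokens else ""
    return first.rsplit("\\", 1)[-1].lower()


def find_netsky_h_persistence(reg):
    """Return (key, value_name, data) for Run entries matching the indicators."""
    hits = []
    for key, values in reg.items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            by_file = _executable_name(data) == NETSKY_H_FILE_NAME
            by_name = name.lower() == NETSKY_H_VALUE_NAME and NETSKY_H_ARGS in data.lower()
            if by_file or by_name:
                hits.append((key, name, data))
    return hits


# Constructed sample exports (not real captures): what `reg export` of the
# Run keys might contain on an infected host, and on a clean one.
SAMPLE_INFECTED = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Antivirus"="C:\\WINDOWS\\maja.exe -antivirus service"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

SAMPLE_CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
'''


def scan_text(text):
    """Convenience wrapper: parse an export and return the matching entries."""
    return find_netsky_h_persistence(parse_reg_export(text))


if __name__ == "__main__":
    for key, name, data in scan_text(SAMPLE_INFECTED):
        print(f"W32/Netsky-H persistence: {key}\\{name} = {data}")
```

Matching on the file name rather than the whole data string is deliberate: the page gives the path as `<Windows>`, which resolves differently on each host, whereas `maja.exe` and the `-antivirus service` argument are constant. Modern `reg export` writes UTF-16 files, so decode accordingly before passing the text to `scan_text`.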
The worm attempts to disable various anti-virus and security related applications as well as other worm processes by deleting registry entries used by them.
In particular it attempts to delete the following values:
Taskmon, Explorer, KasperskyAv, system., msgsvr32, DELETE ME, service, Sentry, Windows Service Host
below the registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The worm deletes the following values:
Taskmon, Explorer, KasperskyAv, d3dupdate.exe, au.exe, OLE, Windows Service Host, gouday.exe, rate.exe, sate.exe, ssate.exe, srate.exe, sysmon.exe
below the registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
W32/Netsky-H also deletes the following registry entries:
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKCU\System\CurrentControlSet\Services\WksPatch
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
These entries are partly produced by the different variants of the W32/Bagle and W32/MyDoom families of worms.
W32/Netsky-H harvests email addresses from files on all local drives which have one of the following extensions:
DHTM, CGI, SHTM, MSG, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT, EML
The worm avoids email addresses containing the following strings:
iruslis
antivir
sophos
freeav
andasoftwa
skynet
messagelabs
abuse
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
spam
ymantec
antivi
icrosoft.
In order to spread, the worm creates several threads that send emails containing the worm as an attachment to the harvested addresses. W32/Netsky-H uses its own SMTP engine to send the mail.
Emails have the following characteristics:
Subject lines:
Re: Your briefing
Re: Your picture
Re: Your loveletter
Re: Your TAN
Re: Your PIN
Re: Your bill
Re: Your details
Re: My details
Re: Zipped folder
Re: Secound Part
Re: Part 3
Re: Part 2
Re: Your application
Re: Your data
Re: Index
Re: Appending
Re: Hello
Re: Hi
Re: Your encrypted file
Re: Your folder
Re: Your file
Re: Yours
Re: Here the file
Re: Approved
Re: Document
Re: Samples
Message texts:
Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.
Attached files:
your_briefing.scr
your_pic.scr
your_letter.scr
your_tan_33.scr
your_pin_88.scr
your_bill.scr
your_details.scr
document_word.scr
document_excel.scr
my_details.scr
all_document.scr
application.scr
mp3music.scr
yours.scr
document_4351.scr
your_picture.scr
your_file.scr
message_details.scr
your_picture.pif
document_full.scr
message_part2.scr
document.scr
your_document.scr
your_smaples.scr
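As an added example for mail-gateway or incident triage (not from the Sophos page or any Sophos tool), the following Python scores a raw RFC 5322 message against the subject lines, message texts and attachment names listed above. The two test messages are constructed with the standard `email` library and are not captured worm traffic; the sender and recipient addresses are placeholders, and the scoring rule (a listed attachment name is sufficient on its own, while a listed subject and body only count together with a `.scr`/`.pif` attachment) is this example's own design choice.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicator lists copied from the W32/Netsky-H description.
NETSKY_H_SUBJECTS = {s.casefold() for s in (
    "Re: Your briefing", "Re: Your picture", "Re: Your loveletter", "Re: Your TAN",
    "Re: Your PIN", "Re: Your bill", "Re: Your details", "Re: My details",
    "Re: Zipped folder", "Re: Secound Part", "Re: Part 3", "Re: Part 2",
    "Re: Your application", "Re: Your data", "Re: Index", "Re: Appending",
    "Re: Hello", "Re: Hi", "Re: Your encrypted file", "Re: Your folder",
    "Re: Your file", "Re: Yours", "Re: Here the file", "Re: Approved",
    "Re: Document", "Re: Samples",
)}
NETSKY_H_BODIES = {s.casefold() for s in (
    "Your file is attached.", "Please read the attached file.",
    "Please have a look at the attached file.", "See the attached file for details.",
    "Here is the file.", "Your document is attached.",
)}
NETSKY_H_ATTACHMENTS = {
    "your_briefing.scr", "your_pic.scr", "your_letter.scr", "your_tan_33.scr",
    "your_pin_88.scr", "your_bill.scr", "your_details.scr", "document_word.scr",
    "document_excel.scr", "my_details.scr", "all_document.scr", "application.scr",
    "mp3music.scr", "yours.scr", "document_4351.scr", "your_picture.scr",
    "your_file.scr", "message_details.scr", "your_picture.pif", "document_full.scr",
    "message_part2.scr", "document.scr", "your_document.scr", "your_smaples.scr",
}
# The two attachment extensions the worm uses.
EXECUTABLE_EXTENSIONS = (".scr", ".pif")


def classify(raw):
    """Score one RFC 5322 message (bytes) against the Netsky-H indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().casefold()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().casefold() if body_part else ""
    attachments = [(part.get_filename() or "").lower() for part in msg.iter_attachments()]
    result = {
        "subject_match": subject in NETSKY_H_SUBJECTS,
        "body_match": body in NETSKY_H_BODIES,
        "attachment_matches": [a for a in attachments if a in NETSKY_H_ATTACHMENTS],
        "executable_attachments": [a for a in attachments if a.endswith(EXECUTABLE_EXTENSIONS)],
    }
    # A listed attachment name is sufficient on its own. Subject and body are
    # generic ("Re: Hello", "Here is the file.") and only count when the
    # message also carries a .scr/.pif attachment, so ordinary replies that
    # happen to share a subject line are not flagged.
    strong = bool(result["attachment_matches"])
    weak = result["subject_match"] and result["body_match"] and bool(result["executable_attachments"])
    result["verdict"] = "W32/Netsky-H" if strong or weak else "clean"
    return result


def build_message(subject, body, filename, payload):
    # Constructed test message; the addresses are placeholders.
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples, not captured worm traffic: one matching the described
# characteristics and one benign reply that happens to share a subject line.
SAMPLE_WORM = build_message("Re: Your picture", "Your file is attached.",
                            "your_pic.scr", b"MZ-placeholder")
SAMPLE_BENIGN = build_message("Re: Hello", "Hi, minutes from today are attached.",
                              "minutes.pdf", b"%PDF-placeholder")

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(label, classify(raw))
```

The benign sample shows why the subject list alone is a poor signal: "Re: Hello" is an ordinary reply subject, and the message is reported clean because neither the body nor the attachment matches. Attachment names are the most specific indicator on the page, which is why they carry the verdict on their own.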
On 8 March 2004 at 11:00 AM W32/Netsky-H plays random sounds for one hour.
