Sophos

W32/Netsky-I


Summary

 
Protection available since 7 March 2004 23:21:44 (GMT)
Detected by All Sophos products

More Information

W32/Netsky-I is a mass mailing worm that uses its own SMTP engine to email
itself to addresses harvested from files on local drives.

In order to run automatically when the user logs on to the computer, the worm copies itself to the file fooding.exe in the Windows folder and creates the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Tiny AV = "<Windows>\fooding.exe -antivirus service"
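The persistence entry above is easy to check for in a registry export. The following Python script is an added example, not Sophos tooling: it parses .reg-format text (as produced by `reg export`), inspects the HKLM Run key and reports any value named "Tiny AV" or whose data launches fooding.exe, marking the hit as exact only when the "-antivirus service" argument is present as well. The embedded export is constructed for illustration; the ExampleUpdater and Sidebar values are invented benign entries.

```python
"""Check a Windows registry export for the W32/Netsky-I persistence entry.

Added example, not Sophos tooling. The indicator values (value name
"Tiny AV", file fooding.exe, argument string "-antivirus service") come
from the analysis above; the embedded .reg text is constructed.
"""
import re

# HKLM is written out in full in .reg exports.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

SUSPECT_VALUE_NAME = "Tiny AV"
SUSPECT_FILENAME = "fooding.exe"
SUSPECT_ARGS = "-antivirus service"

# Constructed sample export: invented benign values (ExampleUpdater, Sidebar)
# plus the Netsky-I entry. Backslashes are doubled as in a real .reg file.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"Tiny AV"="C:\\WINDOWS\\fooding.exe -antivirus service"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Example\\sidebar.exe"
'''

_VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} from .reg-format text.

    Only quoted (REG_SZ) values are parsed, which is all the Run key
    indicator needs; other value types are ignored.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = _VALUE_LINE.match(line)
        if match and current is not None:
            name, data = match.groups()
            # Undo the .reg escaping of backslashes and quotes.
            data = data.replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys


def find_netsky_persistence(keys):
    """Return findings for HKLM Run values that look like the Netsky-I entry.

    A value is reported if it carries the Netsky-I name or launches
    fooding.exe; 'exact' is True only when name, file and argument all match.
    """
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        lowered = data.lower()
        if name == SUSPECT_VALUE_NAME or SUSPECT_FILENAME in lowered:
            findings.append({
                "value": name,
                "data": data,
                "exact": (name == SUSPECT_VALUE_NAME
                          and SUSPECT_FILENAME in lowered
                          and SUSPECT_ARGS in lowered),
            })
    return findings


if __name__ == "__main__":
    for hit in find_netsky_persistence(parse_reg_export(SAMPLE_EXPORT)):
        status = "exact Netsky-I entry" if hit["exact"] else "partial match"
        print(f'{status}: "{hit["value"]}" = {hit["data"]}')
```

Matching on the file name as well as the value name catches a copy of the worm registered under a different name, while the exact flag keeps the full indicator (name, file and argument string) separate from weaker partial hits.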

The worm attempts to disable various anti-virus and security related applications as well as other worm processes by deleting registry entries used by them.

In particular, it attempts to delete the following values:

Taskmon, Explorer, system., msgsvr32, DELETE ME, service, Sentry, Windows Services Host

below the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

It also deletes the following values:

Explorer, d3dupdate.exe, au.exe, OLE, Windows Services Host, gouday.exe, rate.exe, sate.exe, ssate.exe, srate.exe, sysmon.exe

below the registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Netsky-I also deletes the following registry entries:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKLM\System\CurrentControlSet\Services\WksPatch
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF

Some of the above entries are created by the different variants of the W32/Bagle and W32/MyDoom families of worms.

W32/Netsky-I harvests email addresses from files on all local drives which have
one of the following extensions:

DHTM, CGI, SHTM, MSG, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT, EML

The worm avoids email addresses containing the following strings:

iruslis
antivir
sophos
freeav
andasoftwa
skynet
messagelabs
abuse
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
spam
ymantec
antivi
icrosoft

Emails have the following characteristics:

Subject lines:

Mail account expired
Mail account closed
Mail account deactivated

Message texts:

Your mail account expired. Please follow the link to reactivate.
Your mail account has been closed. Click on the link for further details.
Your mail account has been deactivated. To reactivate, follow the link.

Note that the message text ends with a string that looks like a web address but is simply a pointer to the attached file.

Attached file:

http://www.<recipient_domain_name>/<recipient_name>/index.scr
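The email characteristics above (the three subject lines, the lure wording and the .scr attachment) can be turned into a simple mail-gateway check. The following Python script is an added example, not Sophos code: it parses one RFC 822 message with the standard `email` module, looks for the lure subject and body text, and lists any attachment ending in .scr. Both sample messages are constructed; the attachment filename "index.scr" is an assumption about how the lure arrives, based on the attached-file line above.

```python
"""Classify an email against the W32/Netsky-I lure described above.

Added example, not Sophos code. Indicators (the three subject lines, the
body wording, the index.scr attachment name) come from the analysis; the
two sample messages are constructed, and the attachment filename
"index.scr" is an assumption about how the lure arrives.
"""
import re
from email import message_from_string

NETSKY_I_SUBJECTS = {
    "mail account expired",
    "mail account closed",
    "mail account deactivated",
}
NETSKY_I_BODY = re.compile(
    r"your mail account (expired|has been closed|has been deactivated)", re.I)

# Constructed sample resembling the lure: subject, body text, fake-URL
# pointer and a .scr attachment whose bytes are just placeholder text.
SAMPLE_NETSKY_EMAIL = """\
From: postmaster@example.com
To: alice@example.com
Subject: Mail account expired
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Your mail account expired. Please follow the link to reactivate.
http://www.example.com/alice/index.scr

--BOUNDARY
Content-Type: application/octet-stream; name="index.scr"
Content-Disposition: attachment; filename="index.scr"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQgc2FtcGxlIGJ5dGVz
--BOUNDARY--
"""

# Constructed benign message used to check for false positives.
SAMPLE_BENIGN_EMAIL = """\
From: bob@example.com
To: alice@example.com
Subject: Lunch on Friday?
Content-Type: text/plain; charset="us-ascii"

Are you free around noon?
"""


def classify(raw_message):
    """Return a verdict dict for one RFC 822 message given as a string.

    Verdicts: "netsky-i" when a .scr attachment is paired with the lure
    subject or body text, "suspicious" for any single indicator, "clean"
    otherwise. The reasons list explains the verdict.
    """
    msg = message_from_string(raw_message)
    reasons = []

    subject = (msg.get("Subject") or "").strip().lower()
    if subject in NETSKY_I_SUBJECTS:
        reasons.append("subject is a Netsky-I lure line")

    # Collect plain-text body parts and attachment filenames in one pass.
    body = []
    attachments = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body.append(payload.decode("utf-8", "replace"))
    if NETSKY_I_BODY.search("\n".join(body)):
        reasons.append("body text matches the Netsky-I lure")

    scr = [name for name in attachments if name.lower().endswith(".scr")]
    for name in scr:
        reasons.append(f"screensaver attachment: {name}")
        if name.lower().endswith("index.scr"):
            reasons.append("attachment name matches index.scr")

    lure = any(r.startswith(("subject", "body")) for r in reasons)
    if scr and lure:
        verdict = "netsky-i"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons, "attachments": attachments}


if __name__ == "__main__":
    for raw in (SAMPLE_NETSKY_EMAIL, SAMPLE_BENIGN_EMAIL):
        result = classify(raw)
        print(result["verdict"], "-", "; ".join(result["reasons"]) or "no indicators")
```

The verdict deliberately requires the attachment plus the lure text before naming the worm; a lure subject alone is only reported as suspicious, since the same wording appears in ordinary phishing and in legitimate account notices.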

On 5 March 2004 at 11:00 AM, W32/Netsky-I plays random sounds for one hour.
