Sophos

W32/Netsky-J


Summary

 
Affected operating systems: Windows
Protection available since: 8 March 2004 20:38:51 (GMT)
Detected by: All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

More Information

W32/Netsky-J is a mass mailing worm that uses its own SMTP engine to email itself to addresses harvested from files on local drives.

W32/Netsky-J harvests email addresses from files on all local drives that have one of the following extensions:

DHTM, CGI, SHTM, MSG, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT, EML

The worm avoids email addresses containing the following strings:

skynet
messagelabs
abuse
fbi
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
spam
ymantec
antivi
icrosoft

Several of these strings are vendor names with the first letter dropped (orton, ymantec, icrosoft), so the substring test matches them whether or not that letter is capitalised; the effect is that anti-virus vendors, abuse desks and spam-trap mailboxes are not sent the worm.

Emails have the following characteristics:

Subject lines:

Re: Your website
Re: Your product
Re: Your letter
Re: Your archive
Re: Your text
Re: Your bill
Re: Your details
Re: My details
Re: Word file
Re: Excel file
Re: Details
Re: Approved
Re: Your software
Re: Your music
Re: Here
Re: Re: Re: Your document
Re: Hello
Re: Hi
Re: Re: Message
Re: Your picture
Re: Here is the document
Re: Your document
Re: Thanks!
Re: Re: Thanks!
Re: Re: Document
Re: Document

Message texts:

Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.

Attachment filenames (all use the .pif extension, which Windows treats as an executable shortcut):

your_website.pif
your_product.pif
your_letter.pif
your_archive.pif
your_text.pif
your_bill.pif
your_details.pif
document_word.pif
document_excel.pif
my_details.pif
all_document.pif
application.pif
mp3music.pif
yours.pif
document_4351.pif
your_file.pif
message_details.pif
your_picture.pif
document_full.pif
message_part2.pif
document.pif
your_document.pif
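
Because the subject lines, message texts and attachment names are fixed, a mail gateway can triage messages against them. The following Python is an added example, not Sophos code: it holds the three lists from this page, checks an RFC 822 message for a listed .pif attachment together with a listed subject or body text, and treats any other .pif attachment as suspicious on its own. The sender and recipient addresses and the sample messages are constructed for the example.

```python
"""Mail-gateway triage for the W32/Netsky-J message pattern described above.

Added example, not Sophos code. It checks a raw RFC 822 message against the
subject lines, message texts and .pif attachment names listed on this page
and returns a verdict with the indicators that fired.
"""
import email
from email import policy
from email.message import EmailMessage

NETSKY_J_SUBJECTS = {
    "Re: Your website", "Re: Your product", "Re: Your letter", "Re: Your archive",
    "Re: Your text", "Re: Your bill", "Re: Your details", "Re: My details",
    "Re: Word file", "Re: Excel file", "Re: Details", "Re: Approved",
    "Re: Your software", "Re: Your music", "Re: Here", "Re: Re: Re: Your document",
    "Re: Hello", "Re: Hi", "Re: Re: Message", "Re: Your picture",
    "Re: Here is the document", "Re: Your document", "Re: Thanks!",
    "Re: Re: Thanks!", "Re: Re: Document", "Re: Document",
}
NETSKY_J_BODIES = {
    "Your file is attached.", "Please read the attached file.",
    "Please have a look at the attached file.", "See the attached file for details.",
    "Here is the file.", "Your document is attached.",
}
NETSKY_J_ATTACHMENTS = {
    "your_website.pif", "your_product.pif", "your_letter.pif", "your_archive.pif",
    "your_text.pif", "your_bill.pif", "your_details.pif", "document_word.pif",
    "document_excel.pif", "my_details.pif", "all_document.pif", "application.pif",
    "mp3music.pif", "yours.pif", "document_4351.pif", "your_file.pif",
    "message_details.pif", "your_picture.pif", "document_full.pif",
    "message_part2.pif", "document.pif", "your_document.pif",
}


def classify(raw_message: str) -> dict:
    """Return {'verdict': ..., 'indicators': [...]} for one raw message.

    netsky-j        a listed .pif attachment plus a listed subject or body text
    suspicious-pif  any other .pif attachment (Windows runs .pif files as programs)
    clean           otherwise; a listed subject on its own is too generic to act on
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body, attachments = "", []
    for part in msg.walk():
        if part.is_attachment():
            attachments.append((part.get_filename() or "").lower())
        elif part.get_content_type() == "text/plain":
            body = part.get_content().strip()

    indicators = []
    if subject in NETSKY_J_SUBJECTS:
        indicators.append("subject: " + subject)
    if body in NETSKY_J_BODIES:
        indicators.append("body: " + body)
    listed = [a for a in attachments if a in NETSKY_J_ATTACHMENTS]
    indicators += ["attachment: " + a for a in listed]

    if listed and (subject in NETSKY_J_SUBJECTS or body in NETSKY_J_BODIES):
        verdict = "netsky-j"
    elif any(a.endswith(".pif") for a in attachments):
        verdict = "suspicious-pif"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": indicators}


def build_sample(subject: str, body: str, attachment: str = None) -> str:
    """Construct a test message (not a real capture) in the shape the worm sends."""
    m = EmailMessage()
    m["From"] = "alice@example.com"     # assumed addresses, for the example only
    m["To"] = "bob@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        # a few bytes of MZ header stand in for the worm binary
        m.add_attachment(b"MZ\x90\x00", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


if __name__ == "__main__":
    print(classify(build_sample("Re: Your document", "Please read the attached file.", "your_document.pif")))
    print(classify(build_sample("Re: Your document", "Signed and returned, thanks.")))
    print(classify(build_sample("Re: Invoice 4417", "See attached.", "invoice_4417.pif")))
```

The second sample shows why the subject list is not used alone: "Re: Your document" is an ordinary reply subject, so only the combination with a listed .pif attachment is treated as the worm, while a .pif attachment under an unlisted name is still reported for review.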

On 2 March 2004, starting at 6:00 AM, W32/Netsky-J plays random sounds for three hours.

In order to run automatically when the user logs on to the computer, the worm copies itself to the file winlogon.exe in the Windows folder (not to be confused with the genuine winlogon.exe in the System32 folder) and creates the following registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ICQ Net = <Windows folder>\winlogon.exe -stealth
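
To check a host for this persistence entry, parse an exported copy of the Run keys rather than trusting the live machine. The following Python is an added example, not Sophos tooling: it reads the .reg text format that reg export writes, flags the ICQ Net value and any Run entry that starts a winlogon.exe (the genuine one is launched by the session manager, never from a Run key). The two registry dumps are constructed for the example.

```python
"""Checks a 'reg export' dump for the W32/Netsky-J persistence entry shown above.

Added example, not Sophos tooling. It parses the .reg text format written by
  reg export "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" run.reg
(and the HKCU equivalent), then flags the 'ICQ Net' value and any Run entry
that launches a winlogon.exe. The sample dumps are constructed for the example.
"""
import re

RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
)
_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(?:"((?:[^"\\]|\\.)*)"|(.*))$')


def _unescape(s: str) -> str:
    # .reg string data doubles backslashes and escapes double quotes
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> dict:
    """Return {key_path_lowercased: {value_name: data}}; dword:/hex: data is kept raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()       # registry key names are case-insensitive
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:
                data = _unescape(m.group(2)) if m.group(2) is not None else m.group(3)
                keys[current][_unescape(m.group(1))] = data
    return keys


def netsky_j_indicators(reg: dict) -> list:
    """Return (key, value_name, data, reason) for each suspicious Run entry."""
    hits = []
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            cmd = (data or "").lower()
            if name.lower() == "icq net" or cmd.endswith("winlogon.exe -stealth"):
                hits.append((key, name, data, "W32/Netsky-J persistence value"))
            elif "winlogon.exe" in cmd:
                # the genuine winlogon.exe lives in System32 and is started by the
                # session manager, never from a Run value, so this is a lookalike
                hits.append((key, name, data, "winlogon.exe started from a Run key"))
    return hits


# constructed dumps: an infected machine and a clean one
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICQ Net"="C:\\WINDOWS\\winlogon.exe -stealth"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
'''

CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"VTTimer"="VTTimer.exe"
'''

if __name__ == "__main__":
    for key, name, data, reason in netsky_j_indicators(parse_reg(INFECTED_REG)):
        print(f'{reason}: [{key}] "{name}" = {data}')
```

Exported .reg files are usually UTF-16 with a byte-order mark, so read a real export with open(path, encoding="utf-16") before passing its text to parse_reg; matching on the lowercased key path means the HKLM and HKCU exports can be concatenated into one dump.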

The worm attempts to disable various anti-virus and security-related applications, as well as competing worms, by deleting the registry entries they use to run automatically.

In particular it attempts to delete the following values:

Taskmon, Explorer, KasperskyAv, system., msgsvr32, DELETE ME, service, Sentry, Windows Services Host

below the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

The worm deletes the following values:

Explorer, KasperkyAv, d3dupdate.exe, au.exe, OLE, Windows Services Host

below the registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

W32/Netsky-J also deletes the following registry entries:

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKLM\System\CurrentControlSet\Services\WksPatch
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF

Some of the above entries are created by variants of the W32/Bagle and W32/MyDoom families of worms; deleting them stops those worms from starting automatically on the infected machine.

