Summary

| Protection available since | 10 March 2004 16:32:14 (GMT) |
|---|---|
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Netsky-L is a worm that arrives in an email with the following characteristics:
Subject line: one of the following -
Re: Important
Re: Your document
Re: Your details
Re: Approved
Message text: one of the following -
Your file is attached.
Please read the document.
Your document is attached.
Please read the attached file.
Please see the attached file for details.
The attached filename has the following construction:
<word>_<user name of recipient>.pif
or
<user name of recipient>.pif
where <word> is one of:
your_file_
details_
document_
and the user name is taken from the string preceding the "@" in the recipient's email address.
For example, if the recipient's email address is Joe.Bloggs@example.com, then the attached file could be details_Joe.Bloggs.pif
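The email characteristics above can be expressed as a mail-gateway check. The following is an added example, not Sophos code: the function names and the sample message are constructed for illustration. It assumes one or more underscores may separate the word from the user name, because the listed words already end in an underscore while the example filename shows only one, and it compares filenames case-insensitively.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Indicators as listed in the description above.
SUBJECTS = {"Re: Important", "Re: Your document", "Re: Your details", "Re: Approved"}
PREFIXES = ("your_file", "details", "document")

def netsky_l_attachment(filename, recipient):
    """True if filename fits <word>_<user>.pif or <user>.pif for this recipient."""
    user = recipient.partition("@")[0]
    if not user:
        return False
    # Assumption: accept one or more "_" separators, compare case-insensitively.
    words = "|".join(re.escape(p) for p in PREFIXES)
    pattern = rf"(?:(?:{words})_+)?{re.escape(user)}\.pif"
    return re.fullmatch(pattern, filename, re.IGNORECASE) is not None

def score_message(raw):
    """Return (subject_hit, [attachment names matching the naming scheme])."""
    msg = message_from_string(raw)
    recipients = [addr for _, addr in getaddresses(msg.get_all("To", []))]
    subject_hit = msg.get("Subject", "").strip() in SUBJECTS
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and any(netsky_l_attachment(name, r) for r in recipients):
            hits.append(name)
    return subject_hit, hits

# Constructed sample message (not a capture); the attachment body is a placeholder.
SAMPLE = """\
To: Joe.Bloggs@example.com
Subject: Re: Your details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your file is attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="details_Joe.Bloggs.pif"

AAAA
--b1--
"""
```

A filename hit is the stronger signal, since the name is derived from the recipient's own address; the subject lines on their own are generic enough to appear in legitimate mail.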
When W32/Netsky-L is run, a copy of the worm is created in the Windows folder with the filename AVprotect.exe, and the following registry entry is created so that the worm runs when the victim logs on to Windows:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HtProtect
