Summary

| Affected operating systems | Windows |
|---|---|
| Protection available since | 11 March 2004 04:34:35 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\9XHtProtect=
<Windows folder>\AVprotect9x.exe
and delete it if it exists.
Close the registry editor.
More Information
W32/Netsky-M is a mass mailing worm which spreads by emailing itself to addresses harvested from files on the local drives.
The worm copies itself to the Windows folder as AVPROTECT9X.EXE and adds the following registry entry to run itself whenever the user logs on to the computer:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\9XHtProtect=
<Windows folder>\AVprotect9x.exe
W32/Netsky-M harvests email addresses from files with the following extensions:
PL, HTM, HTML, EML, TXT, PHP, VBS, RTF, UIN, ADB, TBB, DBX, ASP, WAB, DOC, SHT, OFT, MSG, JSP, WSH, XML, SHTM, CGI, DHTM
Emails have the following characteristics:
Subject lines:
Re: <recipient_name> Requested file
Re: <recipient_name> My file
Re: <recipient_name> My document
Re: <recipient_name> My information
Re: <recipient_name> My details
Re: <recipient_name> Information
Re: <recipient_name> Improved
Re: <recipient_name> Requested document
Re: <recipient_name> Document
Re: <recipient_name> Details
Re: <recipient_name> Your document
Re: <recipient_name> Your details
Re: <recipient_name> Approved
Message texts:
Details for <attached_filename>.
Document <attached_filename>.
I have received your document. The improved document <attached_filename> is attached.
I have attached your document <attached_filename>.
Your document <attached_filename> is attached to this mail.
Authentification for <attached_filename> required.
Requested file <attached_filename>.
See the file <attached_filename>.
Please read the important message msg_<attached_filename>.
Please confirm the document <attached_filename>.
<attached_filename> is attached.
Your file <attached_filename> is attached.
Please read the document <attached_filename>.
Your document <attached_filename> is attached.
Please read the attached file <attached_filename>.
Please see the attached file <attached_filename> for details.
Attached file (extension PIF):
<recipient_name>
improved_<recipient_name>
message_<recipient_name>
detailed_<recipient_name>
your_document_<recipient_name>
word_doc_<recipient_name>
doc_<recipient_name>
articel_<recipient_name>
picture_<recipient_name>
file_<recipient_name>
your_file_<recipient_name>
details_<recipient_name>
document_<recipient_name>
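
One way to turn the subject-line and attachment-name lists above into a mail-gateway check, as an added example that is not Sophos code. It assumes <recipient_name> is a single token without spaces and reports a full match only when the subject and a .pif attachment agree on that token; the function names and the sample messages are constructed for illustration.

```python
import re
from email.message import EmailMessage

# Subject phrases and attachment-name prefixes copied from the advisory's lists.
SUBJECT_PHRASES = [
    "Requested file", "My file", "My document", "My information", "My details",
    "Information", "Improved", "Requested document", "Document", "Details",
    "Your document", "Your details", "Approved",
]
ATTACH_PREFIXES = [
    "", "improved_", "message_", "detailed_", "your_document_", "word_doc_", "doc_",
    "articel_", "picture_", "file_", "your_file_", "details_", "document_",
]
# "Re: <recipient_name> <phrase>"; assumption: the name token contains no spaces.
_SUBJECT_RE = re.compile(
    r"^Re: (?P<name>\S+) (?:%s)$" % "|".join(map(re.escape, SUBJECT_PHRASES)))

def subject_name(subject):
    """Return the <recipient_name> token if the subject fits the pattern, else None."""
    m = _SUBJECT_RE.match(str(subject).strip())
    return m.group("name") if m else None

def attachment_matches(filename, name):
    """True if filename is <prefix><name>.pif for a listed prefix (case-insensitive)."""
    stem, dot, ext = filename.lower().rpartition(".")
    return dot == "." and ext == "pif" and stem in {p + name.lower() for p in ATTACH_PREFIXES}

def classify(msg):
    """Return 'match', 'pif-attachment' (a .pif outside the full pattern) or 'clean'."""
    name = subject_name(msg.get("Subject", ""))
    files = [part.get_filename() or "" for part in msg.iter_attachments()]
    if name and any(attachment_matches(f, name) for f in files):
        return "match"  # subject and attachment agree on the name token
    if any(f.lower().endswith(".pif") for f in files):
        return "pif-attachment"
    return "clean"

def sample(subject, body, filename=None):
    """Build a constructed test message (not captured traffic)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.com", "alice@example.com", subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(b"constructed placeholder", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg

if __name__ == "__main__":
    demo = sample("Re: alice Details", "Details for doc_alice.pif.", "doc_alice.pif")
    print(classify(demo))
```

The 'pif-attachment' result is kept separate because a .pif file is executable on Windows and is worth quarantining even when the subject does not fit the list.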
