high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Protection available since | 19 March 2004 12:20:51 (GMT) |
| Last updated | 17 June 2009 23:14:44 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Delete any unwanted dropped files.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
NetDy= <Windows>\VisualGuard.exe
and delete it if it exists.
Close the registry editor.
More Information
W32/Netsky-N is a mass-mailing worm which spreads by emailing itself to
addresses harvested from files on the local drives.
The worm copies itself to the Windows folder as VisualGuard.exe and adds the
following registry entry to run itself whenever the user logs on to the
computer:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetDy=
<Windows>\VisualGuard.exe
W32/Netsky-N harvests email addresses from files with the following extensions:
PL, HTM, HTML, EML, TXT, PHP, ASP, VBS, RTF, UIN, SHTM, CGI, DHTM, ADB, TBB,
DBX, SHT, OFT, MSG, JSP, WSH, XML.
Emails have the following characteristics:
Subject lines: constructed from the following groups of strings
"Re:"
"Re:re:"
"my "
"approved "
"important "
"document"
"file"
"details"
"information"
"letter"
"product"
"website"
"application"
"screensaver"
"bill"
"word document"
"excel document"
"data"
"message"
"text"
"document_all"
"hi"
"hello"
"thanks!"
"approved"
"corrected"
"patched"
"improved"
"important"
"read it immediately"
Message texts: chosen from
"Please see the attached file for details."
"Please read the attached file."
"Your document is attached."
"Please read the document."
"Your file is attached."
"Your document is attached."
"Please confirm the document."
"Please read the important document."
"See the file."
"Requested file."
"Authentication required."
"Your document is attached to this mail."...
"I have attached your document."
"I have received your document. The corrected document is attached."
followed by the
<attached filename>: No virus found
>n OnlineScan
followed by the logo of the certain anti-virus company
Attached file:
<filename>_ <recipient_name>.<extension>
<filename> chosen from:
"document"
"file"
"details"
"information"
"letter"
"product"
"website"
"application"
"screensaver"
"bill"
"word document"
"excel document"
"data"
"message"
"text"
"document_all"
<extension> chosen from:
EXE
SCR
PIF
ZIP
W32/Netsky-N attempts to delete registry entries
which may be set by variants of the W32/Mydoom and W32/Bagle worms.
W32/Netsky-N also creates a number of the TMP files in the
Windows folder: base64.tmp, zip1.tmp, zip2.tmp, zip3.tmp,
zip4.tmp, zip5.tmp, zip6.tmp, zipped.tmp.
|
