Summary
| Protection available since | 17 March 2004 16:10:35 (GMT) |
|---|---|
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
More Information
W32/Netsky-O is a worm that spreads via email.
In order to run automatically when Windows boots up, the worm copies itself to the file AVBgle.exe in the Windows folder and sets the following registry entry (C:\Windows here stands for the Windows folder):
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MsInfo
= C:\Windows\AVBgle.exe
The worm attempts to disable various anti-virus and security-related applications by deleting registry entries used by them.
In particular it attempts to delete entries below
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
for Taskmon, Explorer, KasperskyAv, system., msgsvr32, DELETE ME,
service, Sentry, Windows Service Host
and below HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
for Taskmon, Explorer, KasperskyAv, d3dupdate.exe, au.exe, OLE,
Windows Service Host, gouday.exe, rate.exe, sysmon.exe, srate.exe
and ssate.exe.
The worm also deletes the following entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\system
HKCR\CLSID\E6FB5E20-DE35-11CF-9C87-00AA005127ED\InProcServer32
HKCU\System\CurrentControlSet\Services\WksPatch
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
Several of these entries are created by variants of the W32/Bagle family of worms, so the deletions also remove a competing worm's persistence entries rather than only those of security software.
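The persistence entry above is the quickest thing to check on a suspect host. As an added example (not part of the Sophos write-up), the following Python script parses a textual registry export, as produced by `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`, and reports any Run value named MsInfo or pointing at AVBgle.exe. The .reg parser only understands string values, and the dump embedded in the script is constructed.

```python
"""Offline check of an exported Run key for the W32/Netsky-O persistence entry.

Added example for this write-up, not Sophos code. It assumes the Run keys were
collected with `reg export` (the textual .reg format, which escapes backslashes
and quotes) and only understands string values; the dump below is constructed.
"""
import re

# Indicators taken from the analysis: value name MsInfo, data naming AVBgle.exe.
NETSKY_O_VALUE_NAME = "msinfo"
NETSKY_O_IMAGE_NAME = "avbgle.exe"

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_ESCAPE_RE = re.compile(r'\\(.)')


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}.

    Quoted string data is unescaped; other value types (dword:, hex:) are kept raw.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue  # default (@=) values, hex continuation lines, comments
        name, data = m.group(1), m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _ESCAPE_RE.sub(r"\1", data[1:-1])
        keys[current][_ESCAPE_RE.sub(r"\1", name)] = data
    return keys


def find_netsky_o_persistence(reg):
    """Return (key, value_name, data) for Run entries matching the Netsky-O indicator."""
    hits = []
    for key, values in reg.items():
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        for name, data in values.items():
            image = data.strip('"').lower()
            if name.lower() == NETSKY_O_VALUE_NAME or NETSKY_O_IMAGE_NAME in image:
                hits.append((key, name, data))
    return hits


# Constructed sample: two legitimate entries plus the worm's MsInfo value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"MsInfo"="C:\\Windows\\AVBgle.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\\Program Files\\Windows Sidebar\\sidebar.exe /autoRun"
'''


if __name__ == "__main__":
    for key, name, data in find_netsky_o_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"Netsky-O persistence: [{key}] {name} = {data}")
```

A hit means the AVBgle.exe file in the Windows folder should be collected before the value is deleted; matching on the image name as well as the value name catches a dump where the value was renamed but still launches the same file.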
W32/Netsky-O scans all local drives for files with an extension of XML, WSH, JSP, DHTM, CGI, SHTM, MSG, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT or EML and attempts to extract email addresses from them.
In order to spread, the worm creates 16 threads that send emails containing the worm as an attachment to the harvested addresses. W32/Netsky-O uses its own SMTP engine to send the mail. The subject lines, message texts and attachment filenames are randomly chosen from the following possibilities:
Subject lines:
Re: Encrypted Mail
Re: Extended Mail
Re: Status
Re: Notify
Re: SMTP Server
Re: Mail Server
Re: Delivery Server
Re: Bad Request
Re: Failure
Re: Thank you for delivery
Re: Test
Re: Administration
Re: Message Error
Re: Error
Re: Extended Mail System
Re: Secure SMTP Message
Re: Protected Mail Request
Re: Protected Mail System
Re: Protected Mail Delivery
Re: Secure delivery
Re: Delivery Protection
Re: Mail Authentification
Message texts:
Please confirm my request.
ESMTP [Secure Mail System #334]: Secure message is attached.
Partial message is available.
Waiting for a Response. Please read the attachment.
First part of the secure mail is available.
For more details see the attachment.
For further details see the attachment.
Your requested mail has been attached.
Protected Mail System Test.
Secure Mail System Beta Test.
Forwarded message is available.
Delivered message is attached.
Encrypted message is available.
Please read the attachment to get the message.
Follow the instructions to read the message.
Please authenticate the secure message.
Protected message is attached.
Waiting for authentification.
Protected message is available.
Bad Gateway: The message has been attached.
SMTP: Please confirm the attached message.
You got a new message.
Now a new message is available.
New message is available.
You have received an extended message. Please read the instructions.
Attachment filenames:
readme.pif
document.pif
data.pif
details.pif
message.pif
The message text will also contain one of the following bogus anti-virus notices, intended to make the attachment look as though it has already been scanned:
+++ Attachment: No Virus found
+++ Panda AntiVirus - You are protected
+++ www.pandasoftware.com
+++ Attachment: No Virus found
+++ Norman AntiVirus - You are protected
+++ www.norman.com
+++ Attachment: No Virus found
+++ F-Secure AntiVirus - You are protected
+++ www.f-secure.com
+++ Attachment: No Virus found
+++ Norton AntiVirus - You are protected
+++ www.symantec.de
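The lure is uniform enough to match at the mail gateway. The following Python, added here as an example and not Sophos's own detection logic, parses a message with the standard-library `email` package and reports which of the indicators listed above it matches: a subject from the worm's list, a .pif attachment (any .pif, with the five listed names reported by name), and the "+++ Attachment: No Virus found" footer. The sample message it builds is constructed, with inert text in place of the worm.

```python
"""Flag mail that matches the W32/Netsky-O lure described above.

Added example, not Sophos code: it checks a parsed message against the subject
lines, attachment names and bogus anti-virus footer from the analysis.
The sample message is constructed; the 'attachment' is inert text.
"""
import email
from email import policy
from email.message import EmailMessage

NETSKY_O_SUBJECTS = {
    "Re: Encrypted Mail", "Re: Extended Mail", "Re: Status", "Re: Notify",
    "Re: SMTP Server", "Re: Mail Server", "Re: Delivery Server", "Re: Bad Request",
    "Re: Failure", "Re: Thank you for delivery", "Re: Test", "Re: Administration",
    "Re: Message Error", "Re: Error", "Re: Extended Mail System",
    "Re: Secure SMTP Message", "Re: Protected Mail Request", "Re: Protected Mail System",
    "Re: Protected Mail Delivery", "Re: Secure delivery", "Re: Delivery Protection",
    "Re: Mail Authentification",
}
NETSKY_O_ATTACHMENTS = {"readme.pif", "document.pif", "data.pif", "details.pif", "message.pif"}
BOGUS_AV_BANNER = "+++ Attachment: No Virus found"


def netsky_o_indicators(msg):
    """Return the list of indicator names matched by an EmailMessage."""
    found = []
    subject = (msg.get("Subject") or "").strip()
    if subject in NETSKY_O_SUBJECTS:
        found.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if BOGUS_AV_BANNER in text:
        found.append("bogus-av-banner")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in NETSKY_O_ATTACHMENTS:
            found.append("attachment:" + name)
        elif name.endswith(".pif"):
            found.append("attachment:pif")  # generalised: any .pif is suspect
    return found


def is_netsky_o_lure(msg):
    """A .pif attachment paired with a listed subject or the fake AV footer."""
    ind = netsky_o_indicators(msg)
    has_pif = any(i.startswith("attachment:") for i in ind)
    return has_pif and ("subject" in ind or "bogus-av-banner" in ind)


def parse_raw(raw_bytes):
    """Parse an RFC 822 message as received on the wire."""
    return email.message_from_bytes(raw_bytes, policy=policy.default)


def build_sample():
    """Constructed message mimicking the lure; the payload is harmless text."""
    m = EmailMessage()
    m["From"] = "postmaster@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Re: Protected Mail Delivery"
    m.set_content(
        "Protected message is attached.\n\n"
        "+++ Attachment: No Virus found\n"
        "+++ Norton AntiVirus - You are protected\n"
        "+++ www.symantec.de\n"
    )
    m.add_attachment(b"not a worm", maintype="application",
                     subtype="octet-stream", filename="message.pif")
    return m


if __name__ == "__main__":
    sample = parse_raw(build_sample().as_bytes())
    print(netsky_o_indicators(sample), is_netsky_o_lure(sample))
```

Requiring the attachment plus one textual indicator keeps ordinary "Re: Status" replies from being quarantined; in practice a gateway would simply block .pif attachments outright, which this worm's fixed filename list makes easy.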
