W32/Netsky-R


Summary

How it spreads
  • Email attachments
Affected operating systems Windows
Protection available since 31 March 2004 01:46:45 (GMT)
Last updated 17 June 2009 23:14:44 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PandaAVEngine

and delete it if it exists.

Close the registry editor.
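The manual steps above can be checked and repeated from a script. The following PowerShell is an added example, not a Sophos tool: it looks for the Run value and the three files named in this analysis (pandaavengine.exe, temp09094283.dll and uinmzertinmds.opm in the Windows folder), reports what it finds, and only deletes when run with -Remove. The report columns and the -Remove switch are this example's own design; the indicators are the ones given on this page.

```powershell
# Added example (not Sophos' own code): report, and optionally remove, the
# W32/Netsky-R persistence entry and dropped files described in this analysis.
# Run from an elevated PowerShell prompt. Default is report-only; -Remove deletes.
param(
    [switch]$Remove
)

# Indicators taken from the analysis text.
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'PandaAVEngine'
$droppedFiles = @(
    'pandaavengine.exe',   # the worm itself
    'temp09094283.dll',    # DLL dropped by the worm
    'uinmzertinmds.opm'    # Base64-encoded copy of the worm
) | ForEach-Object { Join-Path $env:windir $_ }

$findings = @()

# The running worm would hold its own file open; stop it before deleting.
if ($Remove) {
    Stop-Process -Name 'pandaavengine' -Force -ErrorAction SilentlyContinue
}

# Registry persistence: read the key without throwing if the value is absent.
$runProps = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runProps -and ($runProps.PSObject.Properties.Name -contains $runValue)) {
    $findings += [pscustomobject]@{
        Type  = 'RegistryValue'
        Path  = "$runKey\$runValue"
        Value = $runProps.$runValue
    }
    if ($Remove) {
        Remove-ItemProperty -Path $runKey -Name $runValue -ErrorAction Stop
    }
}

# Dropped files in the Windows folder; record a hash before removal for the incident record.
foreach ($file in $droppedFiles) {
    if (Test-Path -LiteralPath $file -PathType Leaf) {
        $findings += [pscustomobject]@{
            Type  = 'File'
            Path  = $file
            Value = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        }
        if ($Remove) {
            Remove-Item -LiteralPath $file -Force -ErrorAction Stop
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Netsky-R indicators found.'
} else {
    $findings | Format-Table -AutoSize
    if (-not $Remove) {
        Write-Output 'Report-only run. Re-run with -Remove to delete the items listed.'
    }
}
```

Run it once without -Remove to see what is present, keep the printed hashes with the incident record, and then run it again with -Remove. Get-FileHash needs PowerShell 4 or later; on older hosts drop the hash column and follow the manual Regedit steps above.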

More Information

W32/Netsky-R is a mass mailing worm which spreads by emailing itself to
addresses harvested from files on local drives.

The worm copies itself to the Windows folder as pandaavengine.exe, as well as
dropping a DLL file to the Windows folder as temp09094283.dll. The worm then
sets the following registry entry so as to run itself on system startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PandaAVEngine

The worm tries to delete the following registry entries:

HKR\CLSID\(E6FB5E20-DE35-11CF-9C87-00AA005127ED)\InProcServer32
HKR\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKR\System\CurrentControlSet\Services\WksPatch

The worm also attempts to delete a number of other registry entries. Some of the
deleted registry entries are related to the W32/Bagle family of worms.

W32/Netsky-R harvests email addresses from files with the following extensions:

EML, TXT, PHP, ASP, WAB, DOC, SHT, OFT, MSG, VBS,
RTF, UIN, SHTM, CGI, DHTM, ADB, TBB, DBX, PL, HTM,
HTML, JSP, WSH, XML, CFG, MBX, MDX, MHT, NMF, NCH,
ODS, STM, XLS, PPT

W32/Netsky-R also adds the email address jena@yahoo.cz to the list of addresses
it harvests.

W32/Netsky-R drops the file uinmzertinmds.opm to the Windows folder. This is a
Base64 encoded form of itself.

The email has the following characteristics:

Subject line:

Re: Document<random number>

Message text:

Excuse me,
the important document is attached,
Yours sincerely

Attached file (PIF extension):

Document<random number>
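The subject and attachment pattern above is specific enough to match at a mail gateway. The PowerShell below is an added example, not part of the Sophos analysis: Test-NetskyRMail, its parameters and the constructed sample messages are this example's own; the patterns ("Re: Document<number>" subject, "Document<number>.pif" attachment) come from the text.

```powershell
# Added example (not from Sophos): flag messages that match the W32/Netsky-R
# email characteristics. Subject/Attachments inputs are an assumption of this
# example; map them from whatever your gateway exposes.
function Test-NetskyRMail {
    param(
        [Parameter(Mandatory)][string]$Subject,
        [string[]]$Attachments = @()
    )
    # Anchored patterns built from the analysis; -match is case-insensitive by default.
    $subjectPattern    = '^Re: Document\d+$'
    $attachmentPattern = '^Document\d+\.pif$'

    $subjectHit    = $Subject -match $subjectPattern
    $attachmentHit = @($Attachments | Where-Object { $_ -match $attachmentPattern }).Count -gt 0

    $verdict = if ($subjectHit -and $attachmentHit) { 'Netsky-R pattern' }
               elseif ($attachmentHit)               { 'Suspicious .pif attachment' }
               else                                  { 'No match' }

    [pscustomobject]@{
        Subject       = $Subject
        SubjectMatch  = $subjectHit
        PifAttachment = $attachmentHit
        Verdict       = $verdict
    }
}

# Constructed sample messages (not captured traffic).
$samples = @(
    @{ Subject = 'Re: Document4711';  Attachments = @('Document4711.pif') },  # full match
    @{ Subject = 'Re: Document';      Attachments = @('Document.pif') },      # no number: no match
    @{ Subject = 'Quarterly figures'; Attachments = @('figures.xls') },       # benign
    @{ Subject = 'Re: Document12';    Attachments = @('Document12.pif.txt') } # not a .pif
)

$samples | ForEach-Object {
    $m = $_
    Test-NetskyRMail -Subject $m.Subject -Attachments $m.Attachments
} | Format-Table -AutoSize
```

The attachment check is kept separate from the subject check so that a .pif attachment with a different subject still surfaces as suspicious; .pif files have no legitimate reason to arrive by email on most networks, so many gateways block the extension outright regardless of subject.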

W32/Netsky-R attempts to launch a denial-of-service attack against the following
websites between the 12th and 16th April 2004:

www.keygen.us
www.cracks.am
www.emule-project.net
www.emule.de
www.kazaa.com

W32/Netsky-R contains the following encrypted message:

"Yes, true, you have understand it.
Bagle is a shitty guy, he opens a backdoor
and he makes a lot of money. Netsky not, Netsky
is Skynet, a good software, Good guys behind it.
Believe me, or not.
We will release thousands of our
Skynet versions, as long as bagle is there and the
people...


Thanks to Bruce Schneider.
And to all people in cz and russia.


Best regards - We are the only SkyNet."
