Sophos

W32/Netsky-V

Aliases
  • I-Worm.NetSky.w
  • W32/Netsky.v@MM
  • W32.Netsky.V@mm
  • HTML/Debeski

Summary

Protection available since 15 April 2004 01:08:37 (GMT)
Last updated 20 April 2004 15:47:50 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

and remove any value that refers to a file you deleted.

Close the registry editor.

More Information

W32/Netsky-V is a worm which uses a combination of email, HTTP and FTP to spread. The worm itself is a Windows program (EXE) file.

W32/Netsky-V searches your hard disk for email addresses and sends email directly to them. Note that these emails do not contain an attached copy of W32/Netsky-V. Instead, they contain HTML instructions to fetch a copy of the worm. The emails use a subject and message randomly selected from the following:

Subject line:
Mail Delivery Sytem failure
Mail delivery failed
Server Status failure
Gateway Status failure

Visible message text:
The processing of this message can take a few minutes...
Converting message. Please wait...
Please wait while loading failed message...
Please wait while converting the message...

W32/Netsky-V opens two listening TCP ports on your computer: an HTTP service on port 5557 and an FTP service on port 5556. These ports are used to serve the worm to downstream victims who receive the emails described above.

Downstream victims can become infected simply by reading an email sent by the virus. Note, however, that this email relies on a bug in Microsoft Outlook for which a patch has already been published. If you have downloaded and applied up-to-date patches from Microsoft, then the exploit used by this email will not work and the email is harmless.

If your computer has an unpatched copy of Outlook, the W32/Netsky-V email makes an HTTP (web) connection back to port 5557 on the computer which sent you the email. This web connection is used to download a second HTML script. This script in turn exploits a second bug in Outlook to make an FTP connection back to port 5556. The FTP connection is used to download, install and run the W32/Netsky-V worm.

W32/Netsky-V is installed into your Windows folder with the name KasperskyAVEng.exe. The worm adds the registry value:

KasperskyAVEng

to the registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

so that it runs automatically every time you log on to your computer.
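As an added example (not a Sophos tool), the script below turns the removal steps and the port and Run-key details above into an offline triage check: it parses an exported copy of the Run key and saved netstat output for the worm's value name and its HTTP/FTP listeners. The capture commands and the sample data are hypothetical and constructed for this example.

```python
r"""Offline triage for the W32/Netsky-V indicators in this advisory.
Assumed (hypothetical) host captures, fed in as text:
  reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg   (UTF-16 file)
  netstat -ano > netstat.txt
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
WORM_VALUE = "KasperskyAVEng"             # Run value and file name used by the worm
WORM_PORTS = {5557: "HTTP", 5556: "FTP"}  # listeners the worm opens

def run_entries(reg_text):
    """Return {value name: data} for the Run key from `reg export` output."""
    entries, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                  # section header is the key path
            in_key = line.strip("[]").lower() == RUN_KEY.lower()
        elif in_key and "=" in line:
            name, _, data = line.partition("=")
            # .reg files double every backslash; undo that escaping
            entries[name.strip('"')] = data.strip().strip('"').replace("\\\\", "\\")
    return entries

def suspicious_run_values(reg_text):
    """Run values whose name or data refer to the worm's file name."""
    return {n: d for n, d in run_entries(reg_text).items()
            if WORM_VALUE.lower() in (n + d).lower()}

def worm_listeners(netstat_text):
    """Return {port: pid} for TCP listeners on the worm's HTTP/FTP ports."""
    found = {}
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", line)
        if m and int(m.group(1)) in WORM_PORTS:
            found[int(m.group(1))] = int(m.group(2))
    return found

# Constructed sample captures from a hypothetical infected host
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"KasperskyAVEng"="C:\\WINDOWS\\KasperskyAVEng.exe"
'''
SAMPLE_NETSTAT = '''  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:5556           0.0.0.0:0              LISTENING       2044
  TCP    0.0.0.0:5557           0.0.0.0:0              LISTENING       2044
  TCP    10.0.0.5:5557          10.0.0.9:1077          ESTABLISHED     2044
'''
```

A matching PID on both ports, together with a Run value pointing at KasperskyAVEng.exe, is the combination to look for; a single port hit alone may be an unrelated service.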

Between 22 April 2004 and 28 April 2004, W32/Netsky-V mounts a denial of service attack against the following sites:

www.keygen.us
www.freemule.net
www.kazaa.com
www.emule.de
www.cracks.am

The denial of service consists of four redundant HTTP requests to each of these sites every second.
