Summary

| Included in our products from | April 2004 (3.80) |
|---|---|
| Protection available since | 4 March 2004 17:10:40 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing W32/Netsky-G.
More Information
W32/Netsky-G is a worm that spreads via email.
In order to run automatically when Windows starts up, the worm copies itself to the file avguard.exe in the Windows folder and creates the registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Special Firewall Service
= "C:\WINDOWS\avguard.exe -av service"
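The following is an added detection example, not Sophos code: it checks Run-key autostart entries for the persistence indicator described above (the value name "Special Firewall Service" and the command line "avguard.exe -av service"). It assumes the entries are supplied as a mapping of value name to value data; on Windows it can enumerate the live HKLM Run key via the standard winreg module, elsewhere it runs over a constructed sample.

```python
"""Check Run-key autostart entries for the W32/Netsky-G persistence indicator.
Added example, not Sophos code. On Windows it can read the live HKLM Run key via
winreg; elsewhere it runs over a constructed sample."""
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# Indicators from the description: the value name and the command line it points at.
NETSKY_G_VALUE_NAME = "special firewall service"
NETSKY_G_COMMAND = "avguard.exe -av service"


def find_netsky_g_persistence(run_values):
    """run_values maps Run value name -> value data (strings), e.g. as enumerated
    from the HKLM Run key. Returns a list of (name, data, reason) for matches.
    Both the value name and the full command line are checked: the bare filename
    avguard.exe is a weak indicator on its own; the "-av service" argument is what
    ties the entry to this worm."""
    findings = []
    for name, data in run_values.items():
        n = name.strip().lower()
        d = str(data).strip().lower()
        if n == NETSKY_G_VALUE_NAME:
            findings.append((name, data, "Run value name used by W32/Netsky-G"))
        elif NETSKY_G_COMMAND in d:
            findings.append((name, data, "command line avguard.exe -av service"))
    return findings


def read_hklm_run_values():
    """Enumerate the HKLM Run key on a live Windows host (winreg is Windows-only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once there are no more values
                break
            values[name] = data
            index += 1
    return values


# Constructed sample: one benign entry and the Netsky-G entry from the description.
SAMPLE_RUN_VALUES = {
    "ExampleUpdater": r"C:\Program Files\Example\updater.exe /background",
    "Special Firewall Service": r"C:\WINDOWS\avguard.exe -av service",
}

if __name__ == "__main__":
    values = read_hklm_run_values() if sys.platform == "win32" else SAMPLE_RUN_VALUES
    for name, data, reason in find_netsky_g_persistence(values):
        print(f"SUSPECT {name!r} = {data!r}: {reason}")
```

Matching on the value name and the full command line, rather than on the filename alone, keeps the check specific to this worm while still catching a renamed value that launches the same command.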
The worm attempts to disable various anti-virus and security related applications as well as other worms by deleting registry entries used by them.
In particular, the worm deletes the following entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msgsvr32
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DELETE ME
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\service
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Sentry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service Host
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Exporer
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\au.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OLE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service Host
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\gouday.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\rate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ssate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\srate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sysmon.exe
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKCU\System\CurrentControlSet\Services\WksPatch
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
Some of the registry entries removed by W32/Netsky-G are produced by variants of the W32/Bagle family of worms.
W32/Netsky-G scans all local drives for files with one of the extensions
.dhtm
.cgi
.shtm
.msg
.oft
.sht
.dbx
.tbb
.adb
.doc
.wab
.asp
.uin
.rtf
.vbs
.html
.htm
.pl
.php
.txt
.eml
and attempts to extract email addresses from them. The worm skips email addresses containing the following strings:
iruslis
antivir
sophos
freeav
andasoftwa
skynet
messagelabs
abuse
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
spam
ymantec
antivi
icrosoft
In order to spread, the worm creates 16 threads that send emails to the harvested addresses with the worm as an attachment. W32/Netsky-G uses its own SMTP engine to send the mail. The subject lines, message texts and attached filenames are randomly chosen from the following possibilities:
Subject line:
Re: Your website
Re: Your product
Re: Your letter
Re: Your archive
Re: Your text
Re: Your bill
Re: Your details
Re: My details
Re: Word file
Re: Excel file
Re: Details
Re: Approved
Re: Your software
Re: Your music
Re: Here
Re: Re: Re: Your document
Re: Hello
Re: Hi
Re: Re: Message
Re: Your picture
Re: Here is the document
Re: Your document
Re: Thanks!
Re: Re: Thanks!
Re: Re: Document
Re: Document
Message text:
Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.
Attachment filename:
your_website.pif
your_product.pif
your_letter.pif
your_archive.pif
your_text.pif
your_bill.pif
your_details.pif
document_word.pif
document_excel.pif
my_details.pif
all_document.pif
application.pif
mp3music.pif
yours.pif
document_4351.pif
your_file.pif
message_details.pif
your_picture.pif
document_full.pif
message_part2.pif
document.pif
your_document.pif
In some cases W32/Netsky-G creates a zip archive of the attachment before sending the email. The filename will be one from the list above with a ZIP extension. The attached ZIP file is not password protected.
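The following is an added example, not Sophos code, showing how a mail gateway filter could match the fixed subject lines and attachment names listed above on parsed messages, including the ZIP-wrapped form. It uses only the Python standard library email package; the sample messages are constructed, not captured, and the assumption that the zipped attachment is named either "your_letter.zip" or "your_letter.pif.zip" covers both readings of the sentence above.

```python
"""Mail-gateway indicator check for the W32/Netsky-G email characteristics.
Added example, not Sophos code: matches the fixed subject lines and attachment
names the worm uses, including the ZIP-wrapped variant, on parsed messages."""
import email
from email import policy
from email.message import EmailMessage

# Subject lines and attachment names from the description (lower-cased for matching).
NETSKY_G_SUBJECTS = frozenset(s.lower() for s in (
    "Re: Your website", "Re: Your product", "Re: Your letter", "Re: Your archive",
    "Re: Your text", "Re: Your bill", "Re: Your details", "Re: My details",
    "Re: Word file", "Re: Excel file", "Re: Details", "Re: Approved",
    "Re: Your software", "Re: Your music", "Re: Here", "Re: Re: Re: Your document",
    "Re: Hello", "Re: Hi", "Re: Re: Message", "Re: Your picture",
    "Re: Here is the document", "Re: Your document", "Re: Thanks!", "Re: Re: Thanks!",
    "Re: Re: Document", "Re: Document",
))
NETSKY_G_ATTACHMENTS = frozenset((
    "your_website.pif", "your_product.pif", "your_letter.pif", "your_archive.pif",
    "your_text.pif", "your_bill.pif", "your_details.pif", "document_word.pif",
    "document_excel.pif", "my_details.pif", "all_document.pif", "application.pif",
    "mp3music.pif", "yours.pif", "document_4351.pif", "your_file.pif",
    "message_details.pif", "your_picture.pif", "document_full.pif", "message_part2.pif",
    "document.pif", "your_document.pif",
))


def attachment_kind(filename):
    """Return "pif" for a bare worm attachment, "zip" for the ZIP-wrapped form, else None.
    Assumption: the zipped name is either "your_letter.zip" or "your_letter.pif.zip"."""
    name = filename.strip().lower()
    if name in NETSKY_G_ATTACHMENTS:
        return "pif"
    if name.endswith(".zip"):
        stem = name[:-4]
        if stem in NETSKY_G_ATTACHMENTS or stem + ".pif" in NETSKY_G_ATTACHMENTS:
            return "zip"
    return None


def classify_message(raw):
    """Parse a raw message (bytes) and report which Netsky-G indicators it carries.
    The attachment name is the deciding indicator; a subject such as "Re: Hello" is
    too generic on its own and is reported only as supporting evidence."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        kind = attachment_kind(name) if name else None
        if kind:
            hits.append((name, kind))
    return {
        "subject_match": subject in NETSKY_G_SUBJECTS,
        "attachments": hits,
        "match": bool(hits),
    }


def build_sample_message(subject, attachment_name):
    """Construct a sample message for testing (constructed, not a captured sample)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Your file is attached.")
    msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, att in (("Re: Your document", "your_document.pif"),
                      ("Re: Hi", "YOUR_LETTER.ZIP"),
                      ("Re: Hello", "quarterly_report.pdf")):
        print(subj, att, classify_message(build_sample_message(subj, att)))
```

Because the ZIP is not password protected, a gateway that unpacks archives can additionally inspect the inner filename; the check above deliberately decides on the outer name so it still works where archives are not opened.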
On 10 March 2004 W32/Netsky-G plays random sounds between 6 a.m. and 8 a.m.
