Sophos

W32/Netsky-R


Summary

Affected operating systems Windows
Included in our products from May 2004 (3.81)
Protection available since 31 March 2004 01:46:45 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PandaAVEngine

and delete it if it exists.

Close the registry editor.

More Information

W32/Netsky-R is a mass mailing worm which spreads by emailing itself to addresses harvested from files on local drives.

When first run W32/Netsky-R opens the application NOTEPAD.EXE.

The worm copies itself to the Windows folder as pandaavengine.exe, as well as
dropping a DLL file to the Windows folder as temp09094283.dll. The worm then sets the following registry entry so as to run itself on system logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PandaAVEngine

The worm tries to delete the following registry entries:

HKR\CLSID\(E6FB5E20-DE35-11CF-9C87-00AA005127ED)\InProcServer32
HKR\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKR\System\CurrentControlSet\Services\WksPatch

The worm also attempts to delete a number of other registry entries. Some of the
deleted registry entries are related to the W32/Bagle family of worms.

W32/Netsky-R harvests email addresses from files with the following extensions:

EML, TXT, PHP, ASP, WAB, DOC, SHT, OFT, MSG, VBS, RTF, UIN, SHTM,
CGI, DHTM, ADB, TBB, DBX, PL, HTM, HTML, JSP, WSH, XML, CFG, MBX, MDX, MHT, NMF, NCH, ODS, STM, XLS, PPT

W32/Netsky-R also adds the email address jena@yahoo.cz to the list of addresses it harvests.

W32/Netsky-R drops the file uinmzertinmds.opm to the Windows folder. This is a
Base64 encoded form of itself.

The email has the following characteristics:

Subject line:

Re: Document<random number>

Message text:

Excuse me,
the important document is attached,
Yours sincerely

Attached file (PIF extension):

Document<random number>
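The subject, message text and attachment name above are fixed enough to be matched at a mail gateway. The following is an added example, not Sophos code: a small Python rule that flags a message when it carries a Document<number>.pif attachment together with the Netsky-R subject or body text. The sample messages are constructed here for the test; the attachment payload is a placeholder, not worm content.

```python
import re
from email.message import EmailMessage

# Traits taken from the W32/Netsky-R description: "Re: Document<random number>",
# the three-line body, and an attachment named Document<random number>.pif.
SUBJECT_RE = re.compile(r"^Re: Document\d+$")
ATTACHMENT_RE = re.compile(r"^Document\d+\.pif$", re.IGNORECASE)
BODY_PHRASES = ("Excuse me,", "the important document is attached,", "Yours sincerely")


def netsky_r_indicators(msg):
    """Return the Netsky-R traits found in an EmailMessage (e.g. one parsed
    with email.message_from_bytes(..., policy=email.policy.default))."""
    hits = []
    subject = (msg.get("Subject") or "").strip()
    if SUBJECT_RE.match(subject):
        hits.append("subject")
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container only; inspect its leaf parts instead
        filename = part.get_filename()
        if filename and ATTACHMENT_RE.match(filename):
            hits.append("pif-attachment")
        elif part.get_content_type() == "text/plain":
            if all(phrase in part.get_content() for phrase in BODY_PHRASES):
                hits.append("body")
    return hits


def is_netsky_r(msg):
    """The .pif attachment is the load-bearing indicator; the subject or body
    text alone is too generic to block on, so require both kinds of evidence."""
    hits = netsky_r_indicators(msg)
    return "pif-attachment" in hits and ("subject" in hits or "body" in hits)


def build_sample(subject, body, attachment_name):
    """Build a constructed test message (not a captured worm email)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"  # placeholder addresses
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"placeholder-bytes", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


WORM_LIKE = build_sample("Re: Document8721",
                         "Excuse me,\nthe important document is attached,\nYours sincerely\n",
                         "Document8721.pif")
# Same subject pattern but a harmless attachment and body: must not be flagged.
BENIGN = build_sample("Re: Document8721", "Hi, see the attached minutes.\n", "minutes.pdf")
```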

W32/Netsky-R will attempt to launch a Denial Of Service attack on the following
websites between the 12th and 16th April 2004:

www.keygen.us
www.cracks.am
www.emule-project.net
www.emule.de
www.kazaa.com

W32/Netsky-R contains the following encrypted message:

"Yes, true, you have understand it.
Bagle is a shitty guy, he opens a backdoor
and he makes a lot of money. Netsky not, Netsky
is Skynet, a good software, Good guys behind it.
Believe me, or not.
We will release thousands of our
Skynet versions, as long as bagle is there and the
people...

Thanks to Bruce Schneider.
And to all people in cz and russia.

Best regards - We are the only SkyNet."
