Summary

| Affected operating systems | Windows |
|---|---|
| Included in our products from | May 2004 (3.81) |
| Protection available since | 5 April 2004 00:19:18 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing worms.
Windows NT/2000/XP/2003
On Windows NT/2000/XP/2003 you will also need to remove the following registry entry. Removing this entry is optional on Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EasyAV =
<Windows>\EasyAV.exe
and delete it if it exists.
Close the registry editor.
More Information
W32/Netsky-S is a mass-mailing worm with a backdoor component. The worm copies itself to the Windows folder as EasyAV.exe, creates a file called uinmzertinmds.opm (a base64-encoded copy of the worm) and sets the following registry entry so that it runs automatically when a user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EasyAV =
<Windows>\EasyAV.exe
The backdoor component of W32/Netsky-S listens for connections on TCP port 6789, allowing an unauthorised remote program to download and execute arbitrary code on the infected computer.
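The Action section above removes the EasyAV Run value by hand. The script below, added here as an illustration and not Sophos code, checks a Run-key listing for that same persistence indicator so the check can be scripted across machines. read_hklm_run_values uses the standard-library winreg module and therefore only returns data on Windows; SAMPLE_RUN_VALUES is a constructed listing used when the script runs elsewhere. The value name EasyAV and the filename EasyAV.exe come from the description above; the other sample entries are invented.

```python
"""Check the Run key for the W32/Netsky-S autorun value (added example, not Sophos code)."""
import os
import sys

# Persistence indicator transcribed from the Sophos description:
#   HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EasyAV = <Windows>\EasyAV.exe
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
NETSKY_S_VALUE_NAME = "easyav"
NETSKY_S_EXE_NAME = "easyav.exe"


def is_netsky_s_run_value(name: str, data: str) -> bool:
    """True when a Run value is named EasyAV and its data points at an EasyAV.exe.

    The directory part is ignored because <Windows> expands differently per
    install (C:\\WINDOWS, C:\\WINNT, ...); quotes around the path are tolerated.
    Backslashes are normalised so the check also works when run off Windows.
    """
    path = data.strip().strip('"').replace("\\", "/")
    exe = os.path.basename(path).lower()
    return name.strip().lower() == NETSKY_S_VALUE_NAME and exe == NETSKY_S_EXE_NAME


def find_netsky_s_run_values(values):
    """Filter an iterable of (name, data) pairs down to the worm's entries."""
    return [(n, d) for n, d in values if is_netsky_s_run_value(n, d)]


def read_hklm_run_values():
    """Enumerate HKLM\\...\\Run as (name, data) pairs; [] off Windows (winreg is Windows-only)."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library, present only on Windows builds
    values = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:  # raised once the index runs past the last value
                break
            values.append((name, str(data)))
            index += 1
    return values


# Constructed Run-key contents standing in for a live read (invented, not from a real host).
SAMPLE_RUN_VALUES = [
    ("ExampleTray", r"C:\Program Files\Example\tray.exe"),
    ("EasyAV", r"C:\WINDOWS\EasyAV.exe"),
    ("EasyAV Updater", r"C:\Program Files\EasyAV\update.exe"),  # similar name, not the worm
]

if __name__ == "__main__":
    values = read_hklm_run_values() or SAMPLE_RUN_VALUES
    for name, data in find_netsky_s_run_values(values):
        print(f"Netsky-S autorun entry: {name} = {data}")
```

Only the value name and executable name are compared, since the worm's data is written as <Windows>\EasyAV.exe and the Windows directory varies between installs; a Run value that merely shares the EasyAV prefix is not reported.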
The worm harvests email addresses from files on the local drives with the following extensions:
SHT, ADB, TBB, WAB, DBX, OFT, DOC, MSG
Generated emails typically have the following form:
Subject lines:
Hi
Hello
Re: Hi
Re: Hello
Approved
Re: Approved
Thank you!
Re: Thanks you!
Request
Re: Request
Your document
Re: Your document
Your details
Re: Your details
Your information
Re: Your information
My details
Important
Re: Important
Message texts:
Hi!
Hello!
Please read the <attached_filename>.
Please have a look at the <attached_filename>.
Here is the <attached_filename>.
The <attached_filename> is attached.
Please see the <attached_filename>.
I have sent the <attached_filename>.
The requested <attached_filename> is attached!
Here is the document.
See the document for details.
Please have a look at the attached document.
Please read the attached document.
Your file is attached to this mail.
Please, <attached_filename>.
Your <attached_filename> is attached.
My <attached_filename> is attached.
I have found the <attached_filename>.
Approved, here is the document.
For more information see the attached document.
For more details see the attached document.
Please read quickly.
Please notice the attached document.
Please notice the attached <attached_filename>.
Your <attached_filename>.
I have spent much time for your document.
I have spent much time for the <attached_filename>.
The <attached_filename>.
My <attached_filename>.
Note that I have attached your document.
Thanks
Thank you
Yours sincerely
+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new Panda OnlineAntiVirus
+++ Website: www.pandasoftware.com
+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new MCAfee OnlineAntiVirus
+++ Homepage: www.mcafee.com
+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new F-Secure OnlineAntiVirus'
+++ Visit us: www.f-secure.com
Attached file:
approved_file
list
corrected_document
archive
abuse_list
presentation_document
instructions
details
improved_document
note
message
contact_list
number_list
file
secound_document
improved_file
user_list
textfile
new_document
text
information
info
word_document
excel_document
powerpoint_document
detailed_document
homepage
letter
mail
document
old_document
approved_document
movie_document
picture_document
summary
description
requested_document
notice
bill
answer
release
final version
diggest
important_document
order
photo_document
personal_message
phone_number
e-mail
icq number
report
story
concept
developement
sample
postcard
account
Note that a random digit is appended to the attached filename, and the attachment has a PIF extension.
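A mail-side check for the indicators listed above (the fixed subject lines, the fake antivirus footer and the stem-plus-digit .pif attachment name), added here as an example and not Sophos code. The verdict thresholds are this example's own choice: a worm-shaped attachment name is treated as conclusive, while a subject match alone is not, because subjects such as "Hi" and "Request" are ordinary. Both sample messages are constructed from the templates on this page, not real captures.

```python
"""Flag mail carrying W32/Netsky-S indicators (added example, not Sophos code)."""
import re
from email import message_from_string

# Indicators transcribed from the Sophos description: fixed subject lines, the
# attachment stems (sent as <stem><one random digit>.pif) and the fake AV footer.
NETSKY_S_SUBJECTS = frozenset({
    "Hi", "Hello", "Re: Hi", "Re: Hello", "Approved", "Re: Approved", "Thank you!",
    "Re: Thanks you!", "Request", "Re: Request", "Your document", "Re: Your document",
    "Your details", "Re: Your details", "Your information", "Re: Your information",
    "My details", "Important", "Re: Important",
})
NETSKY_S_ATTACHMENT_STEMS = (
    "approved_file", "list", "corrected_document", "archive", "abuse_list",
    "presentation_document", "instructions", "details", "improved_document", "note",
    "message", "contact_list", "number_list", "file", "secound_document",
    "improved_file", "user_list", "textfile", "new_document", "text", "information",
    "info", "word_document", "excel_document", "powerpoint_document",
    "detailed_document", "homepage", "letter", "mail", "document", "old_document",
    "approved_document", "movie_document", "picture_document", "summary",
    "description", "requested_document", "notice", "bill", "answer", "release",
    "final version", "diggest", "important_document", "order", "photo_document",
    "personal_message", "phone_number", "e-mail", "icq number", "report", "story",
    "concept", "developement", "sample", "postcard", "account",
)
_STEMS = "|".join(re.escape(s) for s in NETSKY_S_ATTACHMENT_STEMS)
# Exactly one digit between stem and extension; anchors stop "file" matching "approved_file".
ATTACHMENT_RE = re.compile(rf"^(?:{_STEMS})\d\.pif$", re.IGNORECASE)
FAKE_AV_FOOTER_RE = re.compile(r"^\+\+\+ X-Attachment-Status: no virus found", re.MULTILINE)


def is_netsky_s_attachment(filename: str) -> bool:
    """True when the name has the worm's <stem><digit>.pif shape (case-insensitive)."""
    return ATTACHMENT_RE.match(filename.strip()) is not None


def scan_message(raw: str) -> dict:
    """Return the indicators found in one RFC 822 message plus a verdict.

    Verdict rule (this example's own heuristic, not from the Sophos page): a
    worm-shaped attachment name is conclusive; any other .pif attachment, or a
    known subject combined with the fake AV footer, is reported as suspicious.
    """
    msg = message_from_string(raw)
    hits = {"subject": (msg.get("Subject") or "").strip() in NETSKY_S_SUBJECTS,
            "attachment": False, "pif_attachment": False, "fake_av_footer": False}
    for part in msg.walk():
        name = part.get_filename()
        if name:
            hits["pif_attachment"] |= name.lower().endswith(".pif")
            hits["attachment"] |= is_netsky_s_attachment(name)
        elif part.get_content_type() == "text/plain":
            body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            hits["fake_av_footer"] |= FAKE_AV_FOOTER_RE.search(body) is not None
    if hits["attachment"]:
        hits["verdict"] = "netsky_s"
    elif hits["pif_attachment"] or (hits["subject"] and hits["fake_av_footer"]):
        hits["verdict"] = "suspicious"
    else:
        hits["verdict"] = "clean"
    return hits


# Constructed sample messages built from the page's templates; not real captures.
SAMPLE_WORM_MAIL = """\
From: sender@example.com
To: you@example.org
Subject: Re: Your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

The requested document is attached!

+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new Panda OnlineAntiVirus
+++ Website: www.pandasoftware.com
--BOUND
Content-Type: application/octet-stream; name="document3.pif"
Content-Disposition: attachment; filename="document3.pif"
Content-Transfer-Encoding: base64

TVo=
--BOUND--
"""
SAMPLE_BENIGN_MAIL = """\
From: colleague@example.com
To: you@example.org
Subject: Re: Your document

Thanks, the revised draft looks fine to me.
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM_MAIL), ("benign", SAMPLE_BENIGN_MAIL)):
        print(label, scan_message(raw))
```

The benign sample deliberately reuses a worm subject line to show that the subject list on its own is too weak to act on; the attachment-name regex and the fake "no virus found" footer are what separate the two messages.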
Between 14 and 23 April 2004 the worm will attempt a denial of service attack on the following sites by continuously requesting web pages from them:
www.cracks.am
www.emule.de
www.kazaa.com
www.freemule.net
www.keygen.us
