Sophos

W32/Netsky-X

Aliases
  • W32/Netsky.y@mm

Summary

Affected operating systems Windows
Included in our products from June 2004 (3.82)
Protection available since 20 April 2004 20:09:58 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
FirewallSvr= C:\<WindowsFolder>\FirewallSvr.exe

and delete it if it exists.

Close the registry editor.

More Information

W32/Netsky-X is an email worm with backdoor functionality similar to W32/Netsky-Y.

The worm copies itself to the Windows folder as FirewallSvr.exe, creates a file called fuck_you_bagle.txt (a base64-encoded copy of the worm) and sets the following registry entry so that it runs at user login:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
FirewallSvr= C:\<WindowsFolder>\FirewallSvr.exe

The worm arrives in an email with the following characteristics:

Subject: Delivery failure notice (ID-<8_digit_random_hex_number>)
Body text:
--- Mail Part Delivered ---
220 Welcome to [ recipient_domain_name ]
Mail type: multipart/related
--- text/html RFC 2504
MX [Mail Exchanger] mx.nt2.kl.recipient_domain_name
Exim Status OK
External or New or Delivered or Partial message is available.
Attachment: www.recipient_domain_name.recipient_username.session--<8_digit_random_hex_number_as_in_subject>.com
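As an added example (not part of the Sophos description), a small Python mail filter that tests a raw message against the characteristics listed above: the subject pattern, the body marker and the attachment name, and whether the random hex ID in the subject is repeated in the attachment name. The sample message is constructed, and the number of dashes before the hex ID is read from the wrapped text above and is an assumption.

```python
import email
import re

# Patterns derived from the message characteristics listed above; the
# ID is an 8-digit random hex number repeated in subject and attachment.
SUBJECT_RE = re.compile(r"^Delivery failure notice \(ID-([0-9A-Fa-f]{8})\)$")
# Assumption: the attachment name ends in "session--<hex>.com"; one or
# two dashes are accepted because the page's text is line-wrapped there.
ATTACH_RE = re.compile(r"^www\.\S+\.session-{1,2}([0-9A-Fa-f]{8})\.com$")
BODY_MARKER = "--- Mail Part Delivered ---"


def netsky_x_indicators(raw_message: str) -> set[str]:
    """Return the set of Netsky-X traits present in one raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    hits = set()
    subj = SUBJECT_RE.match(msg.get("Subject", "").strip())
    if subj:
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            att = ATTACH_RE.match(name)
            if att:
                hits.add("attachment")
                # The hex ID in the attachment name repeats the subject's ID.
                if subj and att.group(1).lower() == subj.group(1).lower():
                    hits.add("id_match")
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            if BODY_MARKER in payload.decode("latin-1", "replace"):
                hits.add("body_marker")
    return hits


def is_netsky_x(raw_message: str) -> bool:
    """Flag only when subject and attachment carry the same random ID."""
    return "id_match" in netsky_x_indicators(raw_message)


# Constructed sample mimicking the characteristics above (not a real capture).
SAMPLE_WORM_MAIL = """\
Subject: Delivery failure notice (ID-3fa2b91c)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

--- Mail Part Delivered ---
220 Welcome to [ example.test ]
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="www.example.test.user.session--3fa2b91c.com"

PLACEHOLDER
--b1--
"""
```

A legitimate bounce whose subject lacks the "(ID-…)" suffix, or whose attachment ID differs from the subject's, is not flagged by is_netsky_x.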

W32/Netsky-X has a backdoor component listening for connections on TCP port 82, allowing an unauthorised program to download and execute arbitrary code on the infected computer.

The worm harvests email addresses from files on the local drives with the following extensions:

adb, asp, cfg, cgi, dbx, dhtm, doc, eml, htm, html, jsp, mbx,
mdx, mht, mmf, msg, nch, oft, php, pl, ppt, rtf, shtm, tbb, txt,
uin, vbs, wab, wsh, xls, xml.

W32/Netsky-X sends DNS queries to a hard-coded list of servers.

Between 27 and 30 April 2004 the worm will continuously request web pages from the following sites:

"www.nibis.de"
"www.medinfo.ufl.edu"
"www.educa.ch"
