Sophos

W32/Netsky-Y

Aliases
  • I-Worm.NetSky.y
  • Win32.HLLM.Netsky.based
  • W32/Netsky.gen@MM

Summary

 
Affected operating systems Windows
Included in our products from June 2004 (3.82)
Protection available since 20 April 2004 08:20:08 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
FirewallSvr= C:\<WindowsFolder>\FirewallSvr.exe

and delete it if it exists.

Close the registry editor.

More Information

W32/Netsky-Y is a mass mailing worm with a backdoor component.

The worm copies itself to the Windows folder using the name FirewallSvr.exe, creates a file called fuck_you_bagle.txt (a base64-encoded copy of the worm) and sets the following registry entry so that it is started automatically at user login:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
FirewallSvr= C:\<WindowsFolder>\FirewallSvr.exe

W32/Netsky-Y has a backdoor component listening for connections on TCP port 1549 allowing an unauthorised program to download and execute arbitrary code on the infected computer.

The worm harvests email addresses from files on the local drives with the following extensions:

adb, asp, cfg, cgi, dbx, dhtm, doc, eml, htm, html, jsp, mbx,
mdx, mht, mmf, msg, nch, oft, php, pl, ppt, rtf, shtm, tbb, txt,
uin, vbs, wab, wsh, xls, xml.

Generated emails typically have the following form:

Subject lines:

Re: document
Re: dokument
Re: documento
Re: original
Re: documentet
Re: udokumentowac
Re: dokumentoida
Re: dokumenten
Re: belge

Message texts:

Please read the document.
Bitte lesen Sie das Dokument.
Veuillez lire le document.
Legga prego il documento.
Leia por favor o original.
Behage lese dokumentet.
Podobac sie przeczytac ten udokumentowac.
Haluta kuulua dokumentoida.
Behaga läsa dokumenten.
Mutlu etmek okumak belgili tanimlik belge

Attached file:

<name>.<country code>.pif

where name may be nothing or chosen from:

document
dokument
documento
original
dokumentet
udokumentowac
dokumentoida
dokumenten
belge

and the country code is chosen from:

xx, de, fr, it, pt, no, pl, fi, se, tc.
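As an added example (not part of the Sophos advisory), a mail-gateway check in Python that flags a message when its subject or attachment name follows the scheme described above; the name, country-code and subject lists are copied from this page, and the sample message is constructed with an inert attachment.

```python
import re
from email import message_from_bytes, policy

# Indicator lists taken from the advisory above.
NETSKY_Y_NAMES = {"document", "dokument", "documento", "original", "dokumentet",
                  "udokumentowac", "dokumentoida", "dokumenten", "belge"}
NETSKY_Y_CODES = {"xx", "de", "fr", "it", "pt", "no", "pl", "fi", "se", "tc"}
NETSKY_Y_SUBJECTS = {"Re: " + n for n in NETSKY_Y_NAMES}

# <name>.<country code>.pif, where <name> may be empty
ATTACHMENT_RE = re.compile(r"^(?P<name>[a-z]*)\.(?P<cc>[a-z]{2})\.pif$", re.IGNORECASE)


def is_netsky_y_attachment(filename):
    """True when the attachment name follows the worm's naming scheme."""
    m = ATTACHMENT_RE.match(filename.strip())
    if not m:
        return False
    name, cc = m.group("name").lower(), m.group("cc").lower()
    return (name == "" or name in NETSKY_Y_NAMES) and cc in NETSKY_Y_CODES


def netsky_y_indicators(raw_message):
    """Return the indicators found in a raw RFC 822 message, in scan order."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = str(msg["subject"] or "").strip()
    if subject in NETSKY_Y_SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.walk():
        filename = part.get_filename()
        if filename and is_netsky_y_attachment(filename):
            hits.append("attachment:" + filename)
    return hits


# Constructed sample message in the form the advisory describes (inert attachment body).
SAMPLE_MESSAGE = b"""\
From: sender@example.test
Subject: Re: dokument
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Bitte lesen Sie das Dokument.
--b1
Content-Type: application/octet-stream; name="dokument.de.pif"
Content-Disposition: attachment; filename="dokument.de.pif"

AAAA
--b1--
"""
```

Calling `netsky_y_indicators(SAMPLE_MESSAGE)` returns both the subject and the attachment indicator for the constructed message.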

W32/Netsky-Y sends DNS queries for the following servers:


Between 27th and 31st April 2004 the worm will continuously request web pages from the following sites:

"www.nibis.de"
"www.medinfo.ufl.edu"
"www.educa.ch"