high
Summary
Summary
Action- More Information
| How it spreads |
|
|---|---|
| Affected operating systems | Windows |
| Characteristics |
|
| Included in our products from | April 2005 (3.92) |
| Protection available since | 14 October 2004 04:04:38 (GMT) |
| Last updated | 22 March 2005 08:21:27 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MsnMsgr = %WINDOWS%\MsnMsgrs.exe -alev
and delete it if it exists.
Close the registry editor.
More Information
W32/Netsky-AD is a worm that spreads by email and Windows network shares. W32/Netsky-AD is a worm that spreads by email and Windows network shares.
When run the worm copies itself to the Windows folder as MsnMsgrs.exe and creates the following registry entry so as to auto-start on computer reboot:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
MsnMsgr = %WINDOWS%\MsnMsgrs.exe -alev
W32/Netsky-AD searches all mapped drives for files with the following extensions in order to find email adresses:
SCS, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT and EML
The worm will also attempt to copy itself to folders containing the words 'share' and 'sharing' on local drives using the following filenames:
vota!.zip.scr
aninha gatinha!.zip.scr
importante!!!!!.zip.scr
minhavida!.zip.exe
comoserrico!.zip.scr
vida!!.zip.scr
receitas de bolo!!.zip.scr
celulares!!.zip.scr
clica ai logo meu.scr
rede globo tv!.zip.scr
rocha.scr
paula!.scr
Carnaval em Salvador!!.zip.scr
vadias peladas!!.scr
cafe!!.zip.scr
traficoemSP!.scr
MulataDandoOcujpg.scr
multas.pif
caspa.scr
barrio.scr
ResidentEvil2.zip.scr
puteiros!!.scr
Canaval2004!.jpg.pif
VivaNaBaia!.scr
W32/Netsky-AD may arrive in an email with the following characteristics
Subject line: (randomly chosen from)
:)
morto
Sua saude esta bem?
pescaria por kilo
massas!
impressao!!
robos!
diga
agradou
Message text: (randomly chosen from)
me veja peladinha
gostaria disso e voce???
algo a mais
falea verdade!!!
ganhe muita grana
campanhadafome
pq nao me liga??
sinto voce!!
grana
Lembra?
amor me liga
Hackers do Brasil
Medical Labs Exames!!!
meu telefone liga
ferias nos E.U.A
Surto :(
Vacina contra o HIV!!
sua conta bancaria zerada
olha que isso!!!
parabens!
te amo!
Policia SP
Sua Conta!!
Boleto Pague
veja o que tem no zip e me liga
receitas de bolo!!
acrdito que em voce!!!
promocao de viajens de fim de ano
tudo sobre voce sabe
Proposta de emprego!!
estou doente veja!!!
me diz o queacha?
retorna logo isso!!
arquivo zipado PGP???
voce passou :D!!!
ve ai logo ta
AMA!
AmaVoce
Abra rapido isso!!!!
reza de sao tome!!!!.
veja detalhes!!!.
encontro voce!
preenche ai ta bom
PizzaVeneza!
Attached file: (one of the following randomly chosen names with a double file extension)
AninhaPutinha +55operado6992292246
vaca
tetas
war3!
AIDS!
grana
banco!
revista
lulao!
imposto
jogo!
loterias
vips!
missao
vadias!
email
flipe
botao
sampa!!
contas!!
zerado
:(
criancas!
brasil!
lantrocidade
aqui
docs
festa!!
LINUSTOR
bingos!
agua!
:D
sorteado!!
grana!!
dinheiro!!
carros!
voce
:-)
???
circular
The extension is a combination of TXT, DOC, RTF, HTM, PIF, COM, SCR and BAT.
The file inside the archive will have identical name but a different, usually double, executable file extension (e.g doc.exe).
When the file is extracted and opened the virus displays the message box "File Corrupted replace this!!".
|
