Summary

| Included in our products from | April 2004 (3.80) |
|---|---|
| Protection available since | 1 March 2004 17:18:10 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing W32/Netsky-E.
More Information
W32/Netsky-E is a worm which spreads by emailing itself to addresses found within files located on drives C: to Z:.
The email subject line, message text and attachment filename are randomly chosen from internal lists.
The name of the attached file is chosen from:
"associal", "msg", "yours", "doc", "wife", "talk", "message", "response",
"creditcard", "description", "details", "attachment", "pic", "me", "trash",
"card", "stuff", "poster", "posting", "portmoney", "textfile", "moonlight",
"concert", "sexy", "information", "news", "note", "number_phone", "bill",
"mydate", "swimmingpool", "class_photos", "product", "old_photos", "topseller",
"ps", "important", "shower", "myaunt", "aboutyou", "yours", "nomoney", "birth",
"found", "death", "story", "worker", "mails", "letter", "more", "website",
"regards", "regid", "friend", "unfolds", "jokes", "doc_ang", "your_stuff",
"location", "454543403", "final", "schock", "release", "webcam", "dinner",
"intimate stuff", "sexual", "ranking", "object", "secrets", "mail2", "attach2",
"part2", "msg2", "disco", "freaky", "visa", "party", "material", "misc",
"nothing", "transfer", "auction", "warez", "undefinied", "violence", "update",
"masturbation", "injection", "naked1", "naked2", "tear", "music", "paypal",
"id", "privacy", "word_doc", "image" or "incest".
The attachment extension will be ZIP, COM, EXE, PIF, SCR, BAT or CMD and may be preceded by an extension of TXT, RTF, DOC, HTM, JPG or GIF.
When first run, the worm copies itself to the Windows folder as winlogon.exe and creates the following registry entry so that winlogon.exe is run automatically each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ICQ Net = <Windows folder>\winlogon.exe -stealth
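The two observable traits described above (the attachment naming scheme and the Run-key persistence entry) can be turned into simple triage checks. The following is an added example, not Sophos code; the name subset, the sample Run values and the function names are constructed for illustration, and a real deployment would rely on the full name list and on up-to-date anti-virus detection rather than these heuristics alone.

```python
import re

# Attachment naming scheme from the description: an optional decoy extension
# (TXT, RTF, DOC, HTM, JPG, GIF) followed by the real executable/archive extension.
DECOY_EXTS = {"txt", "rtf", "doc", "htm", "jpg", "gif"}
PAYLOAD_EXTS = {"zip", "com", "exe", "pif", "scr", "bat", "cmd"}
# Subset of the base names listed above (illustrative); extend from the full list.
NETSKY_E_NAMES = {"msg", "yours", "doc", "creditcard", "details", "attachment",
                  "pic", "paypal", "visa", "word_doc", "image", "454543403"}

def classify_attachment(filename: str) -> dict:
    """Split an attachment name into base / decoy extension / payload extension
    and report whether it fits the Netsky-E naming pattern."""
    parts = filename.strip().lower().split(".")
    result = {"base": None, "decoy": None, "payload": None,
              "pattern_match": False, "known_name": False}
    if len(parts) < 2 or parts[-1] not in PAYLOAD_EXTS:
        return result                      # plain documents/images are not flagged
    result["payload"] = parts[-1]
    rest = parts[:-1]
    if len(rest) >= 2 and rest[-1] in DECOY_EXTS:
        result["decoy"] = rest[-1]         # e.g. "details.doc.pif" -> decoy "doc"
        rest = rest[:-1]
    result["base"] = ".".join(rest)
    result["pattern_match"] = True
    result["known_name"] = result["base"] in NETSKY_E_NAMES
    return result

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

def is_netsky_e_run_value(value_name: str, value_data: str) -> bool:
    """True for the persistence entry the worm creates: a Run value named
    'ICQ Net' that launches winlogon.exe with the -stealth switch. The genuine
    winlogon.exe lives in System32 and is never started from a Run key."""
    return (value_name.strip().lower() == "icq net"
            and re.search(r"\\winlogon\.exe\s+-stealth\s*$",
                          value_data.strip(), re.IGNORECASE) is not None)

def suspicious_run_values(values: dict) -> list:
    """Return the names of Run values that match the worm's persistence entry."""
    return [name for name, data in values.items() if is_netsky_e_run_value(name, data)]

# Constructed sample of a Run key's values, as a registry export would show them.
SAMPLE_RUN_VALUES = {
    "ICQ Net": r"C:\WINDOWS\winlogon.exe -stealth",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
```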
W32/Netsky-E attempts to delete the following registry entries if they exist:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\system.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\service
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Sentry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msgsrv32
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DELETE ME
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\D3dupdate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\au.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OLE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows services host
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows services host
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKLM\System\CurrentControlSet\Services\WksPatch
HKCR\CLSID\(E6FB5E20-DE35-11CF-9C87-00AA005127ED)\InProcServer32
When the worm is run on the 2nd of March 2004 between 06:00 and 09:00, it may cause the computer to beep sporadically.
W32/Netsky-E contains the following text hidden inside its code, which is not displayed:
be aware! Skynet.cz - -->AntiHacker Crew<--
