From: Sophos Alert System

Name: W32/Netsky-AA
Aliases: W32/Netsky.aa@MM virus, INFECTED I-Worm.NetSky.ab
Type: Win32 worm
Date: 27 April 2004

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received no reports from users affected by this worm. However, we have issued this advisory following enquiries to our support department from customers.

Information about W32/Netsky-AA can be found at:
http://www.sophos.com/virusinfo/analyses/w32netskyaa.html

Description

W32/Netsky-AA is a mass mailing worm. When started the worm copies itself to the Windows folder using the name winlogon.scr and sets the following registry entry to auto start on user logon:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    SkynetsRevenge = <WINDOWS>\winlogon.scr

W32/Netsky-AA will harvest email addresses from files on any fixed drives with the following extensions:

    EML TXT PHP CFG MBX MDX ASP WAB DOC VBS RTF UIN SHTM CGI DHTM ADB TBB
    DBX PL HTM HTML SHT OFT MSG ODS STM XLS JSP WSH XML MHT MMF NCH PPT

The subject lines and message texts are constructed randomly from the following building blocks:

Subject Lines:

    Re: Document
    Re: Approved
    Re: Text
    Re: Thank you!
    Re: Details
    Re: Photos
    Re: Private
    Re: Information
    Re: Hi
    Re: Hello
    Re: Summary
    Re: Step by Step
    Re: Music
    Re: Application
    Re: Tel. Numbers
    Re: List
    Re: Text file
    Re: Paint file
    Re: Contacts
    Re: e-Books
    Re: Bill
    Re: Error
    Re: Missed
    Re: Letter
    Re: Product
    Re: Website
    Re: Movie
    Re: Presentation
    Re: Advice
    Re: Fax number
    Re: Cheaper
    Re: War
    Re: Demo
    Re: Final
    Re: Poster
    Re: Patch
    Re: Pricelist
    Re: Job

Message Texts:

    For furher details see the attached file.
    Your file is attached.
    Please read the attached file.
    Please have a look at the attached file.
    Please take the attached file.
    See the attached file for details.
    Please view the attached file.
    Here is the file.
    Your document is attached.

Attachment names:

    Your_Job.pif
    Your_Pricelist.pif
    Your_Patch.pif
    Your_Poster.pif
    Your_Final_Document.pif
    Your_Demo.pif
    Osam_Bin_Laden_Articel_42.pif
    Your_Product_List.pif
    My_Fax_Numbers.pif
    My_Advice.pif
    Your_Presentation.pif
    Your_Movie.pif
    Your_Website.pif
    Your_Product.pif
    Your_Letter.pif
    Your_Excel_Document.pif
    Your_Error.pif
    Your_Bill.pif
    Your_E-Books.pif
    Your_Contacts.pif
    Your_Paint_File.pif
    Your_Text_File.pif
    Your_List.pif
    My_Telephone_Numbers.pif
    Your_Software.pif
    Your_Music.pif
    Your_Description.pif
    Your_Summary.pif
    Your_Digicam_Pictures.pif
    Your_Information.pif
    Your_Private_Document.pif
    Your_Pics.pif
    Your_Details.pif
    Your_Document_Part3.pif
    Your_Text.pif
    Your_Document.pif

Recovery

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    SkynetsRevenge = <WINDOWS>\winlogon.scr

and delete it if it exists.

Close the registry editor.

Download the IDE file from:
http://www.sophos.com/downloads/ide/netskyaa.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file.
The file is available in two formats:

    Zip file: http://www.sophos.com/downloads/ide/ides.zip
    Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE"S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member