[virusinfo] Sophos Anti-Virus IDE alert: W32/Netsky-AA

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Tue, 27 Apr 2004 09:02:28 -0700


From: Sophos Alert System:

Name: W32/Netsky-AA
Aliases: W32/Netsky.aa@MM virus, INFECTED I-Worm.NetSky.ab
Type: Win32 worm
Date: 27 April 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2004 (3.82) release of Sophos Anti-Virus.

Customers using Enterprise Manager, PureMessage and any 
of the Sophos small business solutions will be automatically
protected at their next scheduled update.


At the time of writing, Sophos has received no reports from
users affected by this worm. However, we have issued this
advisory following enquiries to our support department from
customers.


Information about W32/Netsky-AA can be found at:
http://www.sophos.com/virusinfo/analyses/w32netskyaa.html
Description 
W32/Netsky-AA is a mass mailing worm. When started the worm copies itself to
the Windows folder using the name winlogon.scr and sets the following
registry entry to auto start on user logon: 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SkynetsRevenge = <WINDOWS>\winlogon.scr 

W32/Netsky-AA will harvest email addresses from files on any fixed drives
with the following extensions: 

EML TXT PHP CFG MBX MDX ASP WAB DOC VBS RTF UIN SHTM CGI DHTM ADB TBB DBX PL
HTM HTML SHT OFT MSG ODS STM XLS JSP WSH XML MHT MMF NCH PPT 

The subject lines and message texts are constructed randomly from the
following building blocks: 

Subject Lines: 

Re: Document
Re: Approved
Re: Text
Re: Thank you!
Re: Details
Re: Photos
Re: Private
Re: Information
Re: Hi
Re: Hello
Re: Summary
Re: Step by Step
Re: Music
Re: Application
Re: Tel. Numbers
Re: List
Re: Text file
Re: Paint file
Re: Contacts
Re: e-Books
Re: Bill
Re: Error
Re: Missed
Re: Letter
Re: Product
Re: Website
Re: Movie
Re: Presentation
Re: Advice
Re: Fax number
Re: Cheaper
Re: War
Re: Demo
Re: Final
Re: Poster
Re: Patch
Re: Pricelist
Re: Job 

Message Texts: 

For furher details see the attached file.
Your file is attached.
Please read the attached file.
Please have a look at the attached file.
Please take the attached file.
See the attached file for details.
Please view the attached file.
Here is the file.
Your document is attached. 

Attachment names: 

Your_Job.pif
Your_Pricelist.pif
Your_Patch.pif
Your_Poster.pif
Your_Final_Document.pif
Your_Demo.pif
Osam_Bin_Laden_Articel_42.pif
Your_Product_List.pif
My_Fax_Numbers.pif
My_Advice.pif
Your_Presentation.pif
Your_Movie.pif
Your_Website.pif
Your_Product.pif
Your_Letter.pif
Your_Excel_Document.pif
Your_Error.pif
Your_Bill.pif
Your_E-Books.pif
Your_Contacts.pif
Your_Paint_File.pif
Your_Text_File.pif
Your_List.pif
My_Telephone_Numbers.pif
Your_Software.pif
Your_Music.pif
Your_Description.pif
Your_Summary.pif
Your_Digicam_Pictures.pif
Your_Information.pif
Your_Private_Document.pif
Your_Pics.pif
Your_Details.pif
Your_Document_Part3.pif
Your_Text.pif
Your_Document.pif 
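As an added, defender-side example that is not part of the Sophos advisory or of Mike's post: a small Python check that flags an inbound message when it carries the subject lines, body texts and Your_*.pif / My_*.pif attachment names listed above. The subject and body subsets, the regular expression and the sample message are constructed for illustration.

```python
import re
from email import policy
from email.parser import BytesParser

# Subset of the subject lines and body texts quoted in the Sophos analysis.
SUBJECTS = {"Re: Document", "Re: Approved", "Re: Text", "Re: Details",
            "Re: Photos", "Re: Patch", "Re: Pricelist", "Re: Job"}
BODIES = {"For furher details see the attached file.",
          "Your file is attached.",
          "Please read the attached file.",
          "Here is the file.",
          "Your document is attached."}
# The listed attachment names all follow Your_<Word>.pif or My_<Word>.pif
# (assumption: a generalised pattern rather than the literal list).
ATTACH_RE = re.compile(r"^(Your|My)_[A-Za-z0-9_-]+\.pif$", re.IGNORECASE)


def netsky_aa_indicators(raw: bytes) -> list:
    """Return the W32/Netsky-AA indicators found in one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    if str(msg.get("Subject") or "").strip() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and ATTACH_RE.match(name):
            hits.append("attachment:" + name)
        elif part.get_content_type() == "text/plain" and not name:
            if part.get_content().strip() in BODIES:
                hits.append("body")
    return hits


# Constructed sample message mimicking the worm's mailing (not a real capture).
SAMPLE = b"""From: alice@example.test
To: bob@example.test
Subject: Re: Patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please read the attached file.
--XYZ
Content-Type: application/octet-stream; name="Your_Patch.pif"
Content-Disposition: attachment; filename="Your_Patch.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ--
"""

if __name__ == "__main__":
    print(netsky_aa_indicators(SAMPLE))
```

A single .pif attachment hit is reason enough to quarantine; the subject and body hits mainly help when the attachment name has been varied.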
Recovery 
Please follow the instructions for removing worms.

Windows NT/2000/XP/2003 

In Windows NT/2000/XP/2003 you will also need to edit the following registry
entry. The removal of this entry is optional in Windows 95/98/Me. Please
read the warning about editing the registry. 

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The
registry editor opens. 

Before you edit the registry, you should make a backup. On the 'Registry'
menu, click 'Export Registry File'. In the 'Export range' panel, click
'All', then save your registry as Backup. 

Locate the HKEY_LOCAL_MACHINE entry: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
SkynetsRevenge = <WINDOWS>\winlogon.scr 

and delete it if it exists. 

Close the registry editor. 

Download the IDE file from:
http://www.sophos.com/downloads/ide/netskyaa.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 


