From: Sophos Alert System

Name: W32/Netsky-AB
Type: Win32 worm
Date: 28 April 2004

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus. Customers using Enterprise Manager, PureMessage and any of the Sophos small business solutions will be automatically protected at their next scheduled update.

Information about W32/Netsky-AB can be found at:
http://www.sophos.com/virusinfo/analyses/w32netskyab.html

Description

W32/Netsky-AB is a mass-mailing worm that uses its own SMTP engine to email itself to addresses harvested from files on local drives.

In order to run automatically when the user logs on to the computer, the worm copies itself to the file csrss.exe in the Windows folder and creates the following registry entry to point to it:

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BagleAV

The worm will delete registry entries under this key that point to files named drvsys.exe and ssgrate.exe. These are copies of files related to the Bagle family of worms that may have been dropped by previous infections.

W32/Netsky-AB will gather information about infected systems in a log file called C:\Detlog.txt.

Emails have the following characteristics:

Subject lines chosen from:
  Correction
  Hurts
  Privacy
  Password
  Wow
  Criminal
  Pictures
  Text
  Money
  Stolen
  Found
  Numbers
  Funny
  Only love?
  More samples
  Picture
  Letter
  Question

Message texts chosen from:
  Please use the font arial!
  How can I help you?
  Still?
  Ive your password.
  Take it easy!
  Why do you show your body?
  Hey, are you criminal?
  Your pictures are good!
  The text you sent to me is not so good!
  True love letter?
  Do you have no money?
  Do you have asked me?
  Ive found your creditcard. Check the data!
  Are your numbers correct?
  You have no chance...
  Wow! Why are you so shy?
  Do you have more samples?
  Do you have more photos about you?
  Do you have written the letter?
  Does it hurt you?
  Please do not sent me your illegal stuff again!!!

Attached filename chosen from:
  corrected_doc.pif
  hurts.pif
  document1.pif
  passwords02.pif
  image034.pif
  myabuselist.pif
  your_picture01.pif
  your_text01.pif
  your_letter.pif
  your_bill.pif
  my_stolen_document.pif
  visa_data.pif
  pin_tel.pif
  your_text.pif
  loveletter02.pif
  all_pictures.pif
  your_letter_03.pif
  your_picture.pif
  abuses.pif

W32/Netsky-AB will attempt to terminate antivirus-related processes whose filenames contain text taken from the following list:
  iruslis
  antivir
  sophos
  freeav
  andasoftwa
  skynet
  messagelabs
  aspersky
  itdefender
  f-secur
  ymantec
  antivi
  icrosoft

W32/Netsky-AB will try to establish a connection with the following addresses:
  212.7.128.162
  212.7.128.165
  193.193.158.10
  194.25.2.131
  194.25.2.132
  194.25.2.133
  194.25.2.134
  62.155.255.16
  212.185.252.73
  212.185.253.70
  212.185.252.136
  194.25.2.129
  194.25.2.130
  195.20.224.234
  217.5.97.137
  194.25.1.129
  193.193.144.12
  193.141.40.42
  145.253.2.171
  193.189.244.205
  213.191.74.19
  151.189.13.35
  195.185.185.195
  212.44.160.8

W32/Netsky-AB harvests email addresses from files with the following extensions:
  ppt, nch, mmf, mht, xml, wsh, jsp, xls, stm, ods, msg, oft, sht, html, htm,
  pl, dbx, tbb, adb, dhtm, cgi, shtm, uin, rtf, vbs, doc, wab, asp, mdx, mbx,
  cfg, php, txt, eml

W32/Netsky-AB contains the text 'Hey Bagle, feel our revenge!'.

Recovery

Please follow the instructions for removing worms.

Change any data that may have become compromised.

Delete the file C:\Detlog.txt if it exists.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BagleAV

and delete it if it exists. Close the registry editor.

Download the IDE file from:
http://www.sophos.com/downloads/ide/netskyab.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:
Zip file: http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
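The email characteristics in the Sophos alert above (subject lines, message texts and attachment names) are the part of the advisory a mail administrator can act on before the IDE file is deployed. The following is an added example, not Sophos code and not part of the original post: a small triage routine that scores an incoming message against those lists. The indicator strings are copied from the advisory; the Message type, the sample messages and the verdict thresholds are constructed here for illustration.

```python
"""Mail-gateway triage for the W32/Netsky-AB email indicators.

Added example for this post, not Sophos code. The subject lines, message
texts and attachment names are taken from the advisory; the Message type,
the sample messages and the verdict thresholds are constructed here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicator lists copied from the advisory, lower-cased for comparison.
SUBJECTS = {
    "correction", "hurts", "privacy", "password", "wow", "criminal",
    "pictures", "text", "money", "stolen", "found", "numbers", "funny",
    "only love?", "more samples", "picture", "letter", "question",
}
MESSAGE_TEXTS = {
    "please use the font arial!", "how can i help you?", "still?",
    "ive your password.", "take it easy!", "why do you show your body?",
    "hey, are you criminal?", "your pictures are good!",
    "the text you sent to me is not so good!", "true love letter?",
    "do you have no money?", "do you have asked me?",
    "ive found your creditcard. check the data!", "are your numbers correct?",
    "you have no chance...", "wow! why are you so shy?",
    "do you have more samples?", "do you have more photos about you?",
    "do you have written the letter?", "does it hurt you?",
    "please do not sent me your illegal stuff again!!!",
}
ATTACHMENTS = {
    "corrected_doc.pif", "hurts.pif", "document1.pif", "passwords02.pif",
    "image034.pif", "myabuselist.pif", "your_picture01.pif", "your_text01.pif",
    "your_letter.pif", "your_bill.pif", "my_stolen_document.pif",
    "visa_data.pif", "pin_tel.pif", "your_text.pif", "loveletter02.pif",
    "all_pictures.pif", "your_letter_03.pif", "your_picture.pif", "abuses.pif",
}


@dataclass
class Message:
    """Minimal constructed view of a message as a gateway filter sees it."""
    msg_id: str
    subject: str
    body: str = ""
    attachment: Optional[str] = None  # filename of the attachment, if any


def _norm(s: str) -> str:
    """Collapse whitespace and lower-case so exact-list comparison is robust."""
    return " ".join(s.split()).lower()


def triage(msg: Message) -> Tuple[str, List[str]]:
    """Return (verdict, reasons); verdict is 'block', 'review' or 'clean'.

    A listed attachment name or a listed body text is strong on its own.
    A listed subject word or a bare .pif attachment is weak alone (the
    subject words are ordinary English) but two weak signals together block.
    """
    reasons: List[str] = []
    if _norm(msg.subject) in SUBJECTS:
        reasons.append("subject in Netsky-AB list")
    if _norm(msg.body) in MESSAGE_TEXTS:
        reasons.append("body text in Netsky-AB list")
    att = _norm(msg.attachment) if msg.attachment else ""
    if att in ATTACHMENTS:
        reasons.append("attachment name in Netsky-AB list")
    elif att.endswith(".pif"):
        reasons.append("executable .pif attachment")

    strong = any(r.startswith(("attachment name", "body text")) for r in reasons)
    if strong or len(reasons) >= 2:
        return "block", reasons
    if reasons:
        return "review", reasons
    return "clean", reasons


# Constructed sample messages, not captured traffic.
SAMPLES = [
    Message("m1", "Password", "Ive your password.", "passwords02.pif"),
    Message("m2", "Question", "Can we move the meeting to 3pm?", None),
    Message("m3", "Quarterly figures", "See attached.", "figures.pif"),
    Message("m4", "Lunch", "Pizza on Friday?", "menu.pdf"),
]


def run_samples(samples=SAMPLES) -> dict:
    """Map each sample's id to its verdict."""
    return {m.msg_id: triage(m)[0] for m in samples}


if __name__ == "__main__":
    for m in SAMPLES:
        verdict, reasons = triage(m)
        print(f"{m.msg_id}: {verdict} {reasons}")
```

The thresholds deliberately treat the subject words as weak evidence: "Password" or "Question" alone is a routine subject line, so a match only routes the message for review, whereas the exact worm body text or one of the listed .pif filenames is specific enough to block outright. A real gateway would also match on the advisory's other indicators (the outbound connections to the listed addresses, the Run key named BagleAV) from its own logs, which this message-level check does not cover.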