From; Sophos Alert System: Name: W32/Netsky-P Aliases: Win32/Netsky.Q, WORM_NETSKY.P Type: Win32 worm Date: 1 April 2004 A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2004 (3.81) release of Sophos Anti-Virus. Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update. Sophos has received many reports of this worm from the wild. Note: Sophos has been detecting W32/Netsky-P since 02:29 GMT on 22 March 2004 and updated the IDE at 03:50 GMT on 30 March. This latest IDE has been issued to enhance detection. Information about W32/Netsky-P can be found at: http://www.sophos.com/virusinfo/analyses/w32netskyp.html Description NOTE: The information contained in this analysis may be considered offensive by some customers. W32/Netsky-P is a mass-mailing worm which spreads by emailing itself to addresses harvested from files on the local drives. The worm copies itself to the Windows folder as FVProtect.exe and adds the following registry entry to run itself whenever the user logs on to the computer: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton Antivirus AV = <Windows>\FVProtect.exe The worm will also copy itself to various peer-to-peer shared folders as the following files: 1001 Sex and more.rtf.exe 3D Studio Max 6 3dsmax.exe ACDSee 10.exe Adobe Photoshop 10 crack.exe Adobe Photoshop 10 full.exe Adobe Premiere 10.exe Ahead Nero 8.exe Altkins Diet.doc.exe American Idol.doc.exe Arnold Schwarzenegger.jpg.exe Best Matrix Screensaver new.scr Britney sex xxx.jpg.exe Britney Spears and Eminem porn.jpg.exe Britney Spears blowjob.jpg.exe Britney Spears cumshot.jpg.exe Britney Spears fuck.jpg.exe Britney Spears full album.mp3.exe Britney Spears porn.jpg.exe Britney Spears Sexy archive.doc.exe Britney Spears Song text archive.doc.exe Britney Spears.jpg.exe Britney Spears.mp3.exe Clone DVD 6.exe Cloning.doc.exe Cracks & Warez Archiv.exe Dark Angels new.pif Dictionary English 2004 - France.doc.exe DivX 8.0 final.exe Doom 3 release 2.exe E-Book Archive2.rtf.exe Eminem blowjob.jpg.exe Eminem full album.mp3.exe Eminem Poster.jpg.exe Eminem sex xxx.jpg.exe Eminem Sexy archive.doc.exe Eminem Song text archive.doc.exe Eminem Spears porn.jpg.exe Eminem.mp3.exe Full album all.mp3.pif Gimp 1.8 Full with Key.exe Harry Potter 1-6 book.txt.exe Harry Potter 5.mpg.exe Harry Potter all e.book.doc.exe Harry Potter e book.doc.exe Harry Potter game.exe Harry Potter.doc.exe How to hack new.doc.exe Internet Explorer 9 setup.exe Kazaa Lite 4.0 new.exe Kazaa new.exe Keygen 4 all new.exe Learn Programming 2004.doc.exe Lightwave 9 Update.exe Magix Video Deluxe 5 beta.exe Matrix.mpg.exe Microsoft Office 2003 Crack best.exe Microsoft WinXP Crack full.exe MS Service Pack 6.exe netsky source code.scr Norton Antivirus 2005 beta.exe Opera 11.exe Partitionsmagic 10 beta.exe Porno Screensaver britney.scr RFC compilation.doc.exe Ringtones.doc.exe Ringtones.mp3.exe Saddam Hussein.jpg.exe Screensaver2.scr Serials edition.txt.exe Smashing the stack full.rtf.exe Star Office 9.exe Teen Porn 15.jpg.pif The Sims 4 beta.exe Ulead Keygen 2004.exe Visual Studio Net Crack all.exe Win Longhorn re.exe WinAmp 13 full.exe Windows 2000 Sourcecode.doc.exe Windows 2003 crack.exe Windows XP crack.exe WinXP eBook newest.doc.exe XXX hardcore pics.jpg.exe W32/Netsky-P harvests email addresses from files with the following extensions: PL, HTM, HTML, EML, TXT, PHP, ASP, VBS, RTF, UIN, SHTM, CGI, DHTM, ADB, TBB, DBX, SHT, OFT, MSG, JSP, WSH, XML. The worm has a trigger date of 24th of March 2004, at which time it will attempt to mass mail. Emails have the following characteristics (note that not all variations listed): Subject lines: constructed from the following groups of strings - Re: Re: Re: Encrypted Mail Re: Extended Mail Re: Status Re: Notify Re: SMTP Server Re: Mail Server Re: Delivery Server Re: Bad Request Re: Failure Re: Thank you for delivery Re: Test Re: Administration Re: Message Error Re: Error Re: Extended Mail System Re: Secure SMTP Message Re: Protected Mail Request Re: Protected Mail System Re: Protected Mail Delivery Re: Secure delivery Re: Delivery Protection Re: Mail Authentification Message texts: chosen from - Please confirm my request. ESMTP [Secure Mail System #334]: Secure message is attached. Partial message is available. Waiting for a Response. Please read the attachment. First part of the secure mail is available. For more details see the attachment. For further details see the attachment. Your requested mail has been attached. Protected Mail System Test. Secure Mail System Beta Test. Forwarded message is available. Delivered message is attached. Encrypted message is available. Please read the attachment to get the message. Follow the instructions to read the message. Please authenticate the secure message. Protected message is attached. Waiting for authentification. Protected message is available. Bad Gateway: The message has been attached. SMTP: Please confirm the attached message. You got a new message. Now a new message is available. New message is available. You have received an extended message. Please read the instructions. Attachment description: chosen from - Your details. Your document. I have received your document. The corrected document is attached. I have attached your document. Your document is attached to this mail. Authentication required. Requested file. See the file. Please read the important document. Please confirm the document. Your file is attached. Please read the document. Your document is attached. Please read the attached file! Please see the attached file for details. followed by - <attached filename>: +++ Attachment: No Virus found +++ MessageLabs AntiVirus - www.messagelabs.com +++ Attachment: No Virus found +++ Bitdefender AntiVirus - www.bitdefender.com +++ Attachment: No Virus found +++ MC-Afee AntiVirus - www.mcafee.com +++ Attachment: No Virus found +++ Kaspersky AntiVirus - www.kaspersky.com +++ Attachment: No Virus found +++ Panda AntiVirus - www.pandasoftware.com ++++ Attachment: No Virus found ++++ Norman AntiVirus - www.norman.com ++++ Attachment: No Virus found ++++ F-Secure AntiVirus - www.f-secure.com ++++ Attachment: No Virus found ++++ Norton AntiVirus - www.symantec.de Attached file: <filename>_ <recipient_name>.<extension> <filename> chosen from: document_all message excel document word document screensaver application website product letter information details document <extension> chosen from: EXE SCR PIF ZIP W32/Netsky-P attempts to delete registry entries which may be set by variants of the W32/Mydoom and W32/Bagle worms. W32/Netsky-P also creates a number of the TMP files in the Windows folder: base64.tmp, zip1.tmp, zip2.tmp, zip3.tmp, zipped.tmp. Download the IDE file from: http://www.sophos.com/downloads/ide/netsky-p.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html --------------------------------------------------------------------- Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member