[virusinfo] Sophos Anti-Virus IDE alert: W32/Netsky-Y

• From: "Mike" <mikebike@xxxxxxxxx>
• To: virusinfo@xxxxxxxxxxxxx
• Date: Tue, 20 Apr 2004 09:39:43 -0700

From; Sophos Alert System:

Name: W32/Netsky-Y
Aliases: I-Worm.NetSky.y, Win32.HLLM.Netsky.based, W32/Netsky.gen@MM
Type: Win32 worm
Date: 20 April 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2004 (3.82) release of Sophos Anti-Virus.

Enterprise Manager and PureMessage customers will be
automatically protected at their next scheduled update.

Sophos has received several reports of this worm from the wild.


Information about W32/Netsky-Y can be found at:
http://www.sophos.com/virusinfo/analyses/w32netskyy.html
Description 
W32/Netsky-Y is a mass mailing worm with a backdoor component. 
The worm copies itself to the Windows folder using the name FirewallSvr.exe,
creates a file called fuck_you_bagle.txt (a base64 encoded form of the worm)
and sets the following registry entry to autostart on user login: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
FirewallSvr=3D C:\<WindowsFolder>\FirewallSvr.exe 

W32/Netsky-Y has a backdoor component listening for connections on TCP port
1549 allowing an unauthorised program to download and execute arbitrary code
on the infected computer. 

The worm harvests email addresses from files on the local drives with the
following extensions: 

adb, asp, cfg, cgi, dbx, dhtm, doc, eml, htm, html, jsp, mbx,
mdx, mht, mmf, msg, nch, oft, php, pl, ppt, rtf, shtm, tbb, txt,
uin, vbs, wab, wsh, xls, xml. 

Generated emails typically have the following form: 

Subject lines: 

Re: document
Re: dokument
Re: documento
Re: original
Re: documentet
Re: udokumentowac
Re: dokumentoida
Re: dokumenten
Re: belge 

Message texts: 

Please read the document.
Bitte lesen Sie das Dokument.
Veuillez lire le document.
Legga prego il documento.
Leia por favor o original.
Behage lese dokumentet.
Podobac sie przeczytac ten udokumentowac.
Haluta kuulua dokumentoida.
Behaga l=F5sa dokumenten.
Mutlu etmek okumak belgili tanimlik belge 

Attached file: 

<name>.<country code>.pif 

where name may be nothing or chosen from: 

document
dokument
documento
original
dokumentet
udokumentowac
dokumentoida
dokumenten
belge 

and the country code is chosen from: 

xx, de, fr, it, pt, no, pl, fi, se, tc. 

W32/Netsky-Y sends DNS queries for the following servers: 

"212.185.252.73"
"212.185.252.73"
"212.185.253.70"
"212.185.252.136"
"194.25.2.129"
"194.25.2.130"
"195.20.224.234"
"217.5.97.137"
"194.25.2.129"
"193.193.144.12"
"212.7.128.162"
"212.7.128.165"
"193.193.158.10"
"194.25.2.131"
"194.25.2.132"
"194.25.2.133"
"194.25.2.134"
"193.141.40.42"
"145.253.2.171"
"193.189.244.205"
"213.191.74.19"
"151.189.13.35"
"195.185.185.195"
"195.185.185.195"
"212.44.160.8" 

Between 27th and 31st April 2004 the worm will continuously request web
pages from the following sites: 

"www.nibis.de"
"www.medinfo.ufl.edu"
"www.educa.ch" 
 
 
Recovery 
Please follow the instructions for removing worms.

Windows NT/2000/XP/2003 

In Windows NT/2000/XP/2003 you will also need to edit the following registry
entry. The removal of this entry is optional in Windows 95/98/Me. Please
read the warning about editing the registry. 

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The
registry editor opens. 

Before you edit the registry, you should make a backup. On the 'Registry'
menu, click 'Export Registry File'. In the 'Export range' panel, click
'All', then save your registry as Backup. 

Locate the HKEY_LOCAL_MACHINE entry: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
FirewallSvr=3D C:\<WindowsFolder>\FirewallSvr.exe 

and delete it if it exists. 

Close the registry editor. 
 

Download the IDE file from:
http://www.sophos.com/downloads/ide/netsky-y.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html
---------------------------------------------------------------------
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=3Dsubscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=3Dsubscribe>
A Technical Support Alliance  and OWTA Charter Member 

Other related posts:

• » [virusinfo] Sophos Anti-Virus IDE alert: W32/Netsky-Y

1. Home
2. virusinfo
3. Archive
4. 04-2004

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---