From: Trend Micro Newsletters

As of April 28, 2004 1:20 AM PST, TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_NETSKY.AB. TrendLabs has received several infection reports indicating that this malware is spreading in Japan, Taiwan and Korea. There are also infections in Europe, particularly in France.

This NETSKY variant propagates via email. To spread, it sends copies of itself via SMTP (Simple Mail Transfer Protocol). It harvests email addresses from files with particular extension names located on local drives C to Z. This malware also deletes Windows registry entries created by the BAGLE worm.

TrendLabs will be releasing the following EPS deliverables:
  TMCM Outbreak Prevention Policy 108
  Official Pattern Release 873
  Damage Cleanup Template 327

For more information on WORM_NETSKY.AB, you can visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.AB

** From the web site:

Description:

The worm harvests email addresses from files with particular extension names on drives C to Z (including fixed, remote and removable drives, but excluding the CD-ROM drive). It also skips email addresses containing certain substrings.

The details of the email this worm sends out are as follows:

From: <Spoofed> This value is taken from the list of harvested email addresses, so the apparent sender is a bystander whose address was found on the infected machine, not the infected machine itself.

Subject: (any of the following)
• Correction
• Criminal
• Found
• Funny
• Hurts
• Letter
• Money
• More samples
• Numbers
• Only love?
• Password
• Picture
• Pictures
• Privacy
• Question
• Stolen
• Text
• Wow

Message body: (any of the following)
• Are your numbers correct?
• Do you have asked me?
• Do you have more photos about you?
• Do you have more samples?
• Do you have no money?
• Do you have written the letter?
• Does it hurt you?
• Hey, are you criminal?
• How can I help you?
• I've found your creditcard. Check the data!
• I've your password. Take it easy!
• Please do not sent me your illegal stuff again!!!
• Please use the font arial!
• Still?
• The text you sent to me is not so good!
• True love letter?
• Why do you show your body?
• Wow! Why are you so shy?
• You have no chance...
• Your pictures are good!

Attachment: (any of the following)
• abuses.pif
• all_pictures.pif
• corrected_doc.pif
• document1.pif
• hurts.pif
• image034.pif
• loveletter02.pif
• my_stolen_document.pif
• myabuselist.pif
• passwords02.pif
• pin_tel.pif
• visa_data.pif
• your_bill.pif
• your_letter.pif
• your_letter_03.pif
• your_picture.pif
• your_picture01.pif
• your_text.pif
• your_text01.pif

This worm may also use the email address xdfggra@xxxxxxxxx to spoof the "FROM:" field of the malware email messages.

Screenshots of sample email messages sent by this worm are shown on the Web page; they are not reproduced here.

It also deletes entries created by the BAGLE worm. It runs on Windows 95, 98, ME, NT, 2000 and XP.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please refer to the Trend Micro Damage Cleanup Services.

MANUAL REMOVAL INSTRUCTIONS

Cleaning Instructions for Windows 2000/XP

Restarting in Safe Mode

On Windows XP
1. Restart your computer.
2. Press the F8 key when prompted. If Windows XP Professional starts without the "Please select the operating system to start" menu, restart your computer and press F8 after the Power-On Self Test (POST) is done.
3. Choose the Safe Mode option from the Windows Advanced Options Menu, then press Enter.

On Windows 2000
1. Restart your computer.
2. Press the F8 key when you see the Starting Windows bar at the bottom of the screen.
3. Choose the Safe Mode option from the Windows 2000 Advanced Options Menu, then press Enter.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.
1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries:
   BagleAV = %Windows%\CSRSS.EXE
   Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT. The worm's copy is the CSRSS.EXE placed directly in that folder; the legitimate csrss.exe in %Windows%\System32 is part of Windows and must not be deleted or terminated.
4. Close Registry Editor.

Additional Windows XP Cleaning Instructions

Running Trend Micro Antivirus

Trend Micro customers must download the latest pattern file and scan their system. Then, delete all files detected as WORM_NETSKY.AB. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Cleaning Instructions for Windows 95/98/ME/NT

Identifying the Malware Program

Before proceeding to remove this malware, first identify the malware program. Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_NETSKY.AB. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.
1. Open Windows Task Manager. On Windows 9x/ME systems, press CTRL+ALT+DELETE. On Windows NT, press CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs, locate the malware file or files detected earlier.
3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager.

*NOTE: On systems running Windows 95/98/ME, Windows Task Manager may not show certain processes. You may use a third-party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting the additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.
1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries:
   BagleAV = %Windows%\CSRSS.EXE
   Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT. On Windows NT the legitimate csrss.exe lives in %Windows%\System32 and must not be deleted or terminated; Windows 95/98/ME ship no csrss.exe at all, so on those systems a file by that name in %Windows% is the dropped copy.
4. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Additional Windows ME Cleaning Instructions

Running Trend Micro Antivirus

Trend Micro customers must download the latest pattern file and scan their system. Then, delete all files detected as WORM_NETSKY.AB. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
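The message characteristics listed in the description above (fixed subject, body and attachment-name lists, a .pif attachment, and a From: taken from harvested addresses) translate directly into a mail-gateway rule. The following is an added example, not Trend Micro's code: the lure strings are copied from the description, the sample messages and the example.com/example.net addresses are constructed for the demo, and the three verdict tiers (block/quarantine/pass) are an assumption of this example rather than anything the advisory prescribes.

```python
"""Gateway-side check for the WORM_NETSKY.AB lure (added example, not Trend Micro code).

Lure strings come from the advisory text; the messages built by build_sample()
are constructed test data.
"""
import email
from email import policy
from email.message import EmailMessage

NETSKY_AB_SUBJECTS = {
    "Correction", "Criminal", "Found", "Funny", "Hurts", "Letter", "Money",
    "More samples", "Numbers", "Only love?", "Password", "Picture",
    "Pictures", "Privacy", "Question", "Stolen", "Text", "Wow",
}
NETSKY_AB_BODIES = {
    "Are your numbers correct?", "Do you have asked me?",
    "Do you have more photos about you?", "Do you have more samples?",
    "Do you have no money?", "Do you have written the letter?",
    "Does it hurt you?", "Hey, are you criminal?", "How can I help you?",
    "I've found your creditcard. Check the data!",
    "I've your password. Take it easy!",
    "Please do not sent me your illegal stuff again!!!",
    "Please use the font arial!", "Still?",
    "The text you sent to me is not so good!", "True love letter?",
    "Why do you show your body?", "Wow! Why are you so shy?",
    "You have no chance...", "Your pictures are good!",
}
NETSKY_AB_ATTACHMENTS = {
    "abuses.pif", "all_pictures.pif", "corrected_doc.pif", "document1.pif",
    "hurts.pif", "image034.pif", "loveletter02.pif", "my_stolen_document.pif",
    "myabuselist.pif", "passwords02.pif", "pin_tel.pif", "visa_data.pif",
    "your_bill.pif", "your_letter.pif", "your_letter_03.pif",
    "your_picture.pif", "your_picture01.pif", "your_text.pif", "your_text01.pif",
}


def netsky_ab_indicators(raw: bytes) -> dict:
    """Parse one RFC 2822 message and report which NETSKY.AB traits it shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    attachments, body_lines = [], set()
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            attachments.append(name.lower())
        elif part.get_content_type() == "text/plain":
            body_lines.update(line.strip() for line in part.get_content().splitlines())

    subject_hit = subject in NETSKY_AB_SUBJECTS
    body_hit = bool(body_lines & NETSKY_AB_BODIES)
    name_hit = bool(set(attachments) & NETSKY_AB_ATTACHMENTS)
    pif = any(a.endswith(".pif") for a in attachments)

    if name_hit or (pif and (subject_hit or body_hit)):
        verdict = "block"       # matches the worm's own lure
    elif pif:
        verdict = "quarantine"  # .pif is executable and has no business in mail
    else:
        verdict = "pass"        # lure text alone, without a .pif, is not enough
    return {
        "verdict": verdict,
        "subject_hit": subject_hit,
        "body_hit": body_hit,
        "attachment_hit": name_hit,
        "pif_attachment": pif,
        # From: is one of the harvested addresses, not the infected host,
        # so never send an "you are infected" notice back to it.
        "claimed_sender": str(msg["From"] or ""),
    }


def build_sample(subject: str, body: str, attachment: str = "") -> bytes:
    """Constructed test message; the From: is a spoofed bystander address."""
    msg = EmailMessage()
    msg["From"] = "harvested.address@example.com"
    msg["To"] = "recipient@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 12, maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


WORM_SAMPLE = build_sample("Password", "I've your password. Take it easy!", "passwords02.pif")
PIF_ONLY_SAMPLE = build_sample("Invoice", "Please see attached.", "report.pif")
CLEAN_SAMPLE = build_sample("Lunch?", "Still?", "agenda.txt")

if __name__ == "__main__":
    for label, raw in [("worm", WORM_SAMPLE), ("pif-only", PIF_ONLY_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(label, netsky_ab_indicators(raw))
```

The third sample shows why the body list is only a supporting signal: "Still?" is a perfectly ordinary one-line reply, and without an executable attachment it must pass. The attachment-name list is reliable on its own, and a .pif of any name is worth quarantining regardless of the text around it.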
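For the registry step in both removal procedures above, here is an added example (not Trend Micro's tooling) that inspects the Run key for the BagleAV value and for any value that starts a csrss.exe. The checking function is pure and runs anywhere; reading or deleting live values uses Python's winreg module and therefore only works on Windows. SAMPLE_RUN_ENTRIES is a constructed set of Run values, and the "Adobe Reader Speed Launcher" entry is there only to show that a quoted path with arguments is parsed correctly.

```python
"""Check HKLM\\...\\Run for the WORM_NETSKY.AB autostart (added example, not Trend Micro code).

suspicious_run_entries() is platform-independent; read_run_key() and
delete_run_value() need Windows.  SAMPLE_RUN_ENTRIES is constructed data.
"""
import ntpath
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
WORM_VALUE_NAME = "bagleav"      # value name listed in the advisory
WORM_IMAGE_NAME = "csrss.exe"    # file the worm drops directly in %Windows%


def image_path(value_data: str) -> str:
    """Extract the program path from Run value data, honouring a quoted path."""
    data = value_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data


def suspicious_run_entries(entries: dict, windir: str) -> dict:
    """Return {value_name: [reasons]} for entries matching the worm's autostart.

    The genuine csrss.exe (Win32 subsystem process) lives in System32 and is
    started by the Session Manager, never from a Run value, so any Run value
    that launches a csrss.exe is suspect, and one outside System32 doubly so.
    """
    system32 = ntpath.normcase(ntpath.join(windir, "system32"))
    findings = {}
    for name, data in entries.items():
        path = ntpath.normcase(ntpath.expandvars(image_path(data)))
        reasons = []
        if name.lower() == WORM_VALUE_NAME:
            reasons.append("value name BagleAV used by WORM_NETSKY.AB")
        if ntpath.basename(path) == WORM_IMAGE_NAME:
            where = "inside" if ntpath.dirname(path) == system32 else "outside"
            reasons.append(f"csrss.exe started from a Run value ({where} System32)")
        if reasons:
            findings[name] = reasons
    return findings


def read_run_key() -> dict:
    """Enumerate the live Run key (Windows only)."""
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:      # raised when no more values remain
                break
            entries[name] = str(data)
            index += 1
    return entries


def delete_run_value(name: str) -> None:
    """Delete one autostart value; do this only after the process is terminated."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY, 0, winreg.KEY_SET_VALUE) as key:
        winreg.DeleteValue(key, name)


# Constructed sample of what an infected Windows XP machine might show.
SAMPLE_RUN_ENTRIES = {
    "BagleAV": r"C:\WINDOWS\CSRSS.EXE",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Adobe Reader Speed Launcher": r'"C:\Program Files\Adobe\Reader\reader_sl.exe" /q',
}

if __name__ == "__main__":
    if sys.platform == "win32":
        entries, windir = read_run_key(), ntpath.expandvars("%SystemRoot%")
    else:
        entries, windir = SAMPLE_RUN_ENTRIES, r"C:\WINDOWS"
    for name, reasons in suspicious_run_entries(entries, windir).items():
        print(f"{name}: {entries[name]}")
        for reason in reasons:
            print(f"  - {reason}")
```

Run it read-only first and compare the findings with the files your scanner flagged; call delete_run_value() only after the worm process is gone, otherwise a still-running copy can simply recreate the value.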
Important: Users of Trend Micro PC-cillin Internet Security and Network VirusWall should check that their products have updated to CFW/NVP pattern 10122 or later. For product-specific solutions, please refer to Solution 19707 of Trend Micro's Knowledge Base.