[virusinfo] Trend Micro MEDIUM Risk Virus Alert - WORM_NETSKY.AB

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Wed, 28 Apr 2004 17:41:20 -0700

From: Trend Micro Newsletters:


As of April 28, 2004 1:20 AM PST, TrendLabs has declared a Medium Risk
Virus Alert to control the spread of WORM_NETSKY.AB. TrendLabs has received
several infection reports indicating that this malware is spreading in
Japan, Taiwan and Korea. There are also infections in Europe, particularly
in France.

This NETSKY variant propagates via email. To spread, it sends copies of
itself via SMTP (Simple Mail Transfer Protocol). It harvests email
addresses from files with particular extension names located on local
drives C to Z.

This malware also deletes Windows registry entries created by the BAGLE
worm. 

TrendLabs will be releasing the following EPS deliverables:

            TMCM Outbreak Prevention Policy 108
            Official Pattern Release 873
            Damage Cleanup Template 327

For more information on WORM_NETSKY.AB, you can visit our Web site at:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.AB

** From the web site:

Description:
As of April 28, 2004 1:20 AM PST, TrendLabs has declared a Medium Risk Virus
Alert to control the spread of WORM_NETSKY.AB. TrendLabs has received
several infection reports indicating that this malware is spreading in
Japan, Taiwan and Korea. There are also infections in Europe, particularly
in France. This NETSKY variant propagates via email. 

To spread, it sends copies of itself via SMTP (Simple Mail Transfer
Protocol). It harvests email addresses from files with particular extension
names located on drives C to Z (including fixed, remote and removable
drives, but excluding the CD-ROM drive). This worm also avoids email
addresses containing certain substrings.

The details of the email this worm sends out are as follows:

From: <Spoofed> 
This value is taken from the list of harvested email addresses. 

Subject: (any of the following)
• Correction
• Criminal
• Found
• Funny
• Hurts
• Letter
• Letter
• Money
• More samples
• Numbers
• Only love?
• Password
• Picture
• Pictures
• Privacy
• Question
• Stolen
• Text
• Wow

Message body: (any of the following)
• Are your numbers correct?
• Do you have asked me?
• Do you have more photos about you?
• Do you have more samples?
• Do you have no money?
• Do you have written the letter?
• Does it hurt you?
• Hey, are you criminal?
• How can I help you?
• I've found your creditcard. Check the data!
• I've your password. Take it easy!
• Please do not sent me your illegal stuff again!!!
• Please use the font arial!
• Still?
• The text you sent to me is not so good!
• True love letter?
• Why do you show your body?
• Wow! Why are you so shy?
• You have no chance...
• Your pictures are good!

Attachment: (any of the following)
• abuses.pif
• all_pictures.pif
• corrected_doc.pif
• document1.pif
• hurts.pif
• image034.pif
• loveletter02.pif
• my_stolen_document.pif
• myabuselist.pif
• passwords02.pif
• pin_tel.pif
• visa_data.pif
• your_bill.pif
• your_letter.pif
• your_letter_03.pif
• your_picture.pif
• your_picture01.pif
• your_text.pif
• your_text01.pif

This worm may also use the email address xdfggra@xxxxxxxxx to spoof the
"FROM:" field of the malware email messages. 
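Added example, not part of the Trend Micro advisory or this mailing-list post: a mail-filter check in Python that parses a raw message and flags it when its subject or attachment name matches the WORM_NETSKY.AB indicators listed above, or when it carries any .pif attachment at all. The sample messages, the example.invalid addresses and the quarantine/suspicious/clean verdict policy are constructed assumptions for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

NETSKY_AB_SUBJECTS = {
    "Correction", "Criminal", "Found", "Funny", "Hurts", "Letter", "Money",
    "More samples", "Numbers", "Only love?", "Password", "Picture",
    "Pictures", "Privacy", "Question", "Stolen", "Text", "Wow",
}
NETSKY_AB_ATTACHMENTS = {
    "abuses.pif", "all_pictures.pif", "corrected_doc.pif", "document1.pif",
    "hurts.pif", "image034.pif", "loveletter02.pif", "my_stolen_document.pif",
    "myabuselist.pif", "passwords02.pif", "pin_tel.pif", "visa_data.pif",
    "your_bill.pif", "your_letter.pif", "your_letter_03.pif",
    "your_picture.pif", "your_picture01.pif", "your_text.pif", "your_text01.pif",
}

def classify(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report which NETSKY.AB indicators match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip()
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    hits = {
        "subject": subject in NETSKY_AB_SUBJECTS,
        "attachment": any(n.lower() in NETSKY_AB_ATTACHMENTS for n in names),
        # Any .pif attachment is enough on its own: the worm only uses that
        # extension, and legitimate mail essentially never carries one.
        "pif": any(n.lower().endswith(".pif") for n in names),
    }
    if hits["attachment"] or hits["pif"]:
        hits["verdict"] = "quarantine"
    elif hits["subject"]:
        # A generic subject such as "Question" is weak evidence by itself.
        hits["verdict"] = "suspicious"
    else:
        hits["verdict"] = "clean"
    return hits

def build_sample(subject: str, body: str, filename: str = "") -> bytes:
    """Construct a sample message for testing (constructed data, not a capture)."""
    m = EmailMessage()
    m["From"] = "spoofed-sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"MZ placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```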

The following are screenshots of sample email messages sent by this worm
[screenshots not reproduced in this forwarded text].

It also deletes entries created by the BAGLE worm. 

It runs on Windows 95, 98, ME, NT, 2000 and XP.

Solution:
AUTOMATIC REMOVAL INSTRUCTIONS 

To automatically remove this malware from your system, please refer to the
Trend Micro Damage Cleanup Services. 

MANUAL REMOVAL INSTRUCTIONS 


Cleaning Instructions for Windows 2000/XP

Restarting in Safe Mode

On Windows XP

1. Restart your computer.
2. Press the F8 key when prompted. If Windows XP Professional starts
   without the "Please select operating system to start" menu, restart
   your computer. Press F8 after the Power-On Self Test (POST) is done.
3. Choose the Safe Mode option from the Windows Advanced Options Menu, then
   press Enter.

On Windows 2000

1. Restart your computer.
2. Press the F8 key when you see the Starting Windows bar at the bottom of
   the screen.
3. Choose the Safe Mode option from the Windows 2000 Advanced Options Menu,
   then press Enter.
Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from
executing at startup.

1. Open Registry Editor. To do this, click Start>Run, type Regedit, then
   press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries:
   BagleAV = %Windows%\CSRSS.EXE
   Note: %Windows% is the default Windows folder, usually C:\Windows or
   C:\WINNT.
4. Close Registry Editor.

Additional Windows XP Cleaning Instructions

Running Trend Micro Antivirus 

Trend Micro customers must download the latest pattern file and scan their
system. Then, delete all files detected as WORM_NETSKY.AB. Other Internet
users can use HouseCall, Trend Micro's free online virus scanner.


Cleaning Instructions for Windows 95/98/ME/NT 
Identifying the Malware Program 

Before proceeding to remove this malware, first identify the malware
program. 

Scan your system with Trend Micro antivirus and NOTE all files detected as
WORM_NETSKY.AB. To do this, Trend Micro customers must download the latest
pattern file and scan their system. Other Internet users can use HouseCall,
Trend Micro's free online virus scanner. 

Terminating the Malware Program

This procedure terminates the running malware process from memory. You will
need the name(s) of the file(s) detected earlier.

1. Open Windows Task Manager. On Windows 9x/ME systems, press
   CTRL+ALT+DELETE. On Windows NT, press CTRL+SHIFT+ESC, and click the
   Processes tab.
2. In the list of running programs, locate the malware file or files
   detected earlier.
3. Select one of the detected files, then press either the End Task or the
   End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running
   processes.
5. To check if the malware process has been terminated, close Task Manager,
   and then open it again.
6. Close Task Manager.


-----------------------------------------------------------------------------
*NOTE: On systems running Windows 95/98/ME, Windows Task Manager may not
show certain processes. You may use a third party process viewer such as
Process Explorer to terminate the malware process. Otherwise, continue with
the next procedure, noting additional instructions.
-----------------------------------------------------------------------------

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from
executing at startup.

1. Open Registry Editor. To do this, click Start>Run, type Regedit, then
   press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries:
   BagleAV = %Windows%\CSRSS.EXE
   Note: %Windows% is the default Windows folder, usually C:\Windows or
   C:\WINNT.
4. Close Registry Editor.


-----------------------------------------------------------------------------
NOTE: If you were not able to terminate the malware process as described in
the previous procedure, restart your system.
-----------------------------------------------------------------------------

Additional Windows ME Cleaning Instructions 

Running Trend Micro Antivirus 

Trend Micro customers must download the latest pattern file and scan their
system. Then, delete all files detected as WORM_NETSKY.AB. Other Internet
users can use HouseCall, Trend Micro's free online virus scanner.

Important: Users of Trend Micro PC-cillin Internet Security and Network
VirusWall should check if their products have updated to CFW/NVP pattern
10122 or later. 

For product-specific solutions, please refer to Solution 19707 of Trend
Micro's Knowledge Base. 

Trend Micro offers best-of-breed antivirus and content-security solutions
for your corporate network, small and medium business or home PC. 
