Name: W32/Netsky-B Also Known As: W32/Netsky.b@MM [McAfee], W32/Netsky.B.worm [Panda], WORM_NETSKY.B [Trend Micro], Moodown.B [F-Secure], I-Worm.Moodown.b [Kaspersky] Variants: W32.Netsky@mm Risk: High Type: Win32 worm Date: 18 February 2004 Description (from Sophos) W32/Netsky-B is a worm that spreads by email and Windows network shares. W32/Netsky-B copies itself into the Windows folder as services.exe. In order to run automatically when Windows starts up W32/Netsky-B creates the following registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ service= "C:\\WINDOWS\\services.exe -serv" W32/Netsky-B searches all mapped drives for files with the following extensions in order to find email adresses: MSG, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT and EML. W32/Netsky-B searches drives C: to Z: and attempts to copy itself into folders with names containing the string "share" or "sharing". The file names used by the worm for copying itself to shared folders are: angels.pif cool screensaver.scr dictionary.doc.exe dolly_buster.jpg.pif doom2.doc.pif e-book.archive.doc.exe e.book.doc.exe eminem - lick my pussy.mp3.pif hardcore porn.jpg.exe how to hack.doc.exe matrix.scr max payne 2.crack.exe nero.7.exe office_crack.exe photoshop 9 crack.exe porno.scr programming basics.doc.exe rfc compilation.doc.exe serial.txt.exe sex sex sex sex.doc.exe strippoker.exe virii.scr win longhorn.doc.exe winxp_crack.exe W32/Netsky-B may arrive in an email with the following characteristics: Subject line: randomly chosen from - unknown fake stolen information warning something for you read it immediately hello Message text: randomly chosen from - something is fool something is going wrong you are bad you try to steal you feel the same you earn money thats wrong why? take it easy reply do you? that's funny here, the cheats here, the introduction here, the serials from the chatter about me information about you something is going wrong! stuff about you? greetings see you here it is that is bad yes, really? i found this document about you your name is wrong i hope it is not true! kill the writer of this document! something about you! I have your password! you are a bad writer is that from you? i wait for a reply! is that your account? is that your name? is that true? here my hero read it immediately! here is the document. read the details. i'm waiting what does it mean? anything ok? Attached file: one of the following filenames with a double file extension - misc party disco part2 mail2 object ranking dinner release final location jokes friend website mails story found nomoney aboutyou shower topseller product swimmingpool bill note concert textfile posting stuff attachment details creditcard message ps msg talk document unknown fake stolen information warning something for you read it immediately hello The extension is combination of DOC, RTF, HTM, PIF, COM, SCR and EXE. W32/Netsky-B may also send a ZIP file. The email address of the sender will be spoofed. When the attachment is opened W32/Netsky-B may display a fake message box "The file could not be opened". W32/Netsky-B attempts to remove registry entries related to few recent viruses, including W32/MyDoom-A and W32/MyDoom-B. Download the IDE file from: http://www.sophos.com/downloads/ide/netsky-b.ide Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats: Zip file: http://www.sophos.com/downloads/ide/ides.zip Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html _____________________________________________ More information about W32/Netsky-B can be found at: CERT; http://www.cert.org/incident_notes/IN-2004-02.html Computer Associates; http://www3.ca.com/virusinfo/virus.aspx?ID=38332 Kaspersky: http://www.viruslist.com/eng/alert.html?id=983343 Panda: http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=44 815 Sorphos: http://www.sophos.com/virusinfo/analyses/w32netskyb.html Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.b@xxxxxxx W32.Netsky.B is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. This worm also searches drives C through Z for folder names containing "Share" or "Sharing," and then copies itself to those folders. Symantec Security Response has developed a removal tool to clean the infections of W32.Netsky.B@mm. http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.b@xxxxxxxx al.tool.html Trend; http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.B For worm removal instructions; http://www3.telus.net/mikebike/worm_removal.htm For worm removal instructions; http://www3.telus.net/mikebike/worm_removal.htm --------------------------------------------------------------------- Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> See my Anti-Virus pages http://virusinfo.hackfix.org/index A Technical Support Alliance and OWTA Charter Member For a web-based membership management utility and information on list policies, please see http://nibec.com/24hoursupport/ To unsubscribe, send a blank email to 24hoursupport-request@xxxxxxxxxxxxx with "unsubscribe" (without quotes) in the subject.