From Sophos Alert System:

Name: W32/Netsky-AD
Type: Win32 worm
Date: 22 March 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the April 2005 (3.92) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Note: Sophos has been detecting W32/Netsky-AD since 04:04 GMT on 14 October 2004 and has issued this updated IDE to improve detection.

Information about W32/Netsky-AD can be found at:
http://www.sophos.com/virusinfo/analyses/w32netskyad.html

W32/Netsky-AD is a worm that spreads by email and Windows network shares.

When run the worm copies itself to the Windows folder as MsnMsgrs.exe and creates the following registry entry so as to auto-start on computer reboot:

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
  MsnMsgr = %WINDOWS%\MsnMsgrs.exe -alev

W32/Netsky-AD searches all mapped drives for files with the following extensions in order to find email addresses:

  SCS, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT and EML

The worm will also attempt to copy itself to folders containing the words 'share' and 'sharing' on local drives using the following filenames:

  vota!.zip.scr
  aninha gatinha!.zip.scr
  importante!!!!!.zip.scr
  minhavida!.zip.exe
  comoserrico!.zip.scr
  vida!!.zip.scr
  receitas de bolo!!.zip.scr
  celulares!!.zip.scr
  clica ai logo meu.scr
  rede globo tv!.zip.scr
  rocha.scr
  paula!.scr
  Carnaval em Salvador!!.zip.scr
  vadias peladas!!.scr
  cafe!!.zip.scr
  traficoemSP!.scr
  MulataDandoOcujpg.scr
  multas.pif
  caspa.scr
  barrio.scr
  ResidentEvil2.zip.scr
  puteiros!!.scr
  Canaval2004!.jpg.pif
  VivaNaBaia!.scr

W32/Netsky-AD may arrive in an email with the following characteristics:

Subject line: (randomly chosen from)

  :) morto Sua saude esta bem? pescaria por kilo massas! impressao!! robos! diga agradou

Message text: (randomly chosen from)

  me veja peladinha gostaria disso e voce??? algo a mais falea verdade!!! ganhe muita grana campanhadafome pq nao me liga?? sinto voce!! grana Lembra? amor me liga Hackers do Brasil Medical Labs Exames!!! meu telefone liga ferias nos E.U.A Surto :( Vacina contra o HIV!! sua conta bancaria zerada olha que isso!!! parabens! te amo! Policia SP Sua Conta!! Boleto Pague veja o que tem no zip e me liga receitas de bolo!! acrdito que em voce!!! promocao de viajens de fim de ano tudo sobre voce sabe Proposta de emprego!! estou doente veja!!! me diz o queacha? retorna logo isso!! arquivo zipado PGP??? voce passou :D!!! ve ai logo ta AMA! AmaVoce Abra rapido isso!!!! reza de sao tome!!!!. veja detalhes!!!. encontro voce! preenche ai ta bom PizzaVeneza!

Attached file: (one of the following randomly chosen names with a double file extension)

  AninhaPutinha +55operado6992292246 vaca tetas war3! AIDS! grana banco! revista lulao! imposto jogo! loterias vips! missao vadias! email flipe botao sampa!! contas!! zerado :( criancas! brasil! lantrocidade aqui docs festa!! LINUSTOR bingos! agua! :D sorteado!! grana!! dinheiro!! carros! voce :-) ??? circular

The extension is a combination of TXT, DOC, RTF, HTM, PIF, COM, SCR and BAT.

The file inside the archive will have identical name but a different, usually double, executable file extension (e.g. doc.exe).

When the file is extracted and opened the virus displays the message box "File Corrupted replace this!!".

Download the IDE file from:
http://www.sophos.com/downloads/ide/netskyad.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

Zip file: http://www.sophos.com/downloads/ide/ides.zip
Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
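Added example (not part of the Sophos alert or of Mike's post): a mail-gateway style check for the double-extension attachment and archive-member names the alert describes. The split of the listed extensions into decoy and executable sets, and the names classify, scan_attachment and build_sample_zip, are assumptions of this example; the sample archive is constructed and holds only a harmless placeholder.

```python
import io
import zipfile

# Extensions named in the alert; the decoy/executable split is this example's assumption.
DECOY = {"txt", "doc", "rtf", "htm", "zip", "jpg"}
EXECUTABLE = {"pif", "com", "scr", "bat", "exe"}


def classify(name):
    """Return 'double-extension', 'executable' or None for one file name."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    parts = name.lower().rstrip(". ").split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY | EXECUTABLE:
        return "double-extension"
    return "executable"


def scan_attachment(filename, data):
    """Check an attachment name and, for ZIP archives, every member name."""
    findings = []
    verdict = classify(filename)
    if verdict:
        findings.append((filename, verdict))
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                verdict = classify(member.rsplit("/", 1)[-1])
                if verdict:
                    findings.append((f"{filename}!{member}", verdict))
    return findings


def build_sample_zip(member_name):
    """Constructed sample: a ZIP holding one harmless text payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, b"harmless placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("docs.zip", build_sample_zip("docs.doc.exe")),  # archive with a doc.exe member
        ("multas.pif", b"placeholder"),                  # bare executable extension
        ("report.doc", b"placeholder"),                  # ordinary document name
    ]
    for name, blob in samples:
        print(name, scan_attachment(name, blob))
```

The check looks only at names, so it complements rather than replaces the IDE-based detection above.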