[virusinfo] W32/Netsky-AD

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Tue, 22 Mar 2005 08:53:52 -0800

From: Sophos Alert System:

Name: W32/Netsky-AD
Type: Win32 worm
Date: 22 March 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the April 2005 (3.92) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Note: Sophos has been detecting W32/Netsky-AD since 04:04 GMT on
14 October 2004 and has issued this updated IDE to improve
detection.

Information about W32/Netsky-AD can be found at:
http://www.sophos.com/virusinfo/analyses/w32netskyad.html

W32/Netsky-AD is a worm that spreads by email and Windows network shares.

When run, the worm copies itself to the Windows folder as MsnMsgrs.exe and
creates the following registry entry so as to auto-start on computer reboot:

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
  MsnMsgr = %WINDOWS%\MsnMsgrs.exe -alev

W32/Netsky-AD searches all mapped drives for files with the following
extensions in order to find email addresses:

  SCS, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP,
  TXT and EML

The worm will also attempt to copy itself to folders containing the words
'share' and 'sharing' on local drives using the following filenames:

  vota!.zip.scr
  aninha gatinha!.zip.scr
  importante!!!!!.zip.scr
  minhavida!.zip.exe
  comoserrico!.zip.scr
  vida!!.zip.scr
  receitas de bolo!!.zip.scr
  celulares!!.zip.scr
  clica ai logo meu.scr
  rede globo tv!.zip.scr
  rocha.scr
  paula!.scr
  Carnaval em Salvador!!.zip.scr
  vadias peladas!!.scr
  cafe!!.zip.scr
  traficoemSP!.scr
  MulataDandoOcujpg.scr
  multas.pif
  caspa.scr
  barrio.scr
  ResidentEvil2.zip.scr
  puteiros!!.scr
  Canaval2004!.jpg.pif
  VivaNaBaia!.scr

W32/Netsky-AD may arrive in an email with the following characteristics:

Subject line: (randomly chosen from)

  :)
  morto
  Sua saude esta bem?
  pescaria por kilo
  massas!
  impressao!!
  robos!
  diga
  agradou

Message text: (randomly chosen from)

  me veja peladinha
  gostaria disso e voce???
  algo a mais
  falea verdade!!!
  ganhe muita grana
  campanhadafome
  pq nao me liga??
  sinto voce!!
  grana
  Lembra?
  amor me liga
  Hackers do Brasil
  Medical Labs Exames!!!
  meu telefone liga
  ferias nos E.U.A
  Surto :(
  Vacina contra o HIV!!
  sua conta bancaria zerada
  olha que isso!!!
  parabens!
  te amo!
  Policia SP
  Sua Conta!!
  Boleto Pague
  veja o que tem no zip e me liga
  receitas de bolo!!
  acrdito que em voce!!!
  promocao de viajens de fim de ano
  tudo sobre voce sabe
  Proposta de emprego!!
  estou doente veja!!!
  me diz o queacha?
  retorna logo isso!!
  arquivo zipado PGP???
  voce passou :D!!!
  ve ai logo ta
  AMA!
  AmaVoce
  Abra rapido isso!!!!
  reza de sao tome!!!!.
  veja detalhes!!!.
  encontro voce!
  preenche ai ta bom
  PizzaVeneza!

Attached file: (one of the following randomly chosen names with a double file
extension)

  AninhaPutinha +55operado6992292246
  vaca
  tetas
  war3!
  AIDS!
  grana
  banco!
  revista
  lulao!
  imposto
  jogo!
  loterias
  vips!
  missao
  vadias!
  email
  flipe
  botao
  sampa!!
  contas!!
  zerado
  :(
  criancas!
  brasil!
  lantrocidade
  aqui
  docs
  festa!!
  LINUSTOR
  bingos!
  agua!
  :D
  sorteado!!
  grana!!
  dinheiro!!
  carros!
  voce
  :-)
  ???
  circular

The extension is a combination of TXT, DOC, RTF, HTM, PIF, COM, SCR and BAT.
The file inside the archive will have an identical name but a different, usually
double, executable file extension (e.g. doc.exe).

When the file is extracted and opened, the virus displays the message box "File
Corrupted replace this!!".
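The two host-side indicators the alert gives, the Run-key value MsnMsgr pointing at MsnMsgrs.exe with the -alev argument and the double-extension dropper names in share folders, can be turned into a simple triage check. The following is an added example written for this page, not Sophos's or the original poster's code; the registry lines and filenames it scans are constructed samples in a "key\name = data" text layout, and the set of "decoy" extensions is an assumption drawn from the filenames listed above (zip, jpg) plus the document types the alert names.

```python
import re

# Constructed sample: Run-key entries in a "key\name = data" text layout (not real telemetry).
SAMPLE_RUN_ENTRIES = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MsnMsgr = C:\WINDOWS\MsnMsgrs.exe -alev",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe",
]

# Constructed sample: filenames found in a folder whose name contains "share".
SAMPLE_FILENAMES = [
    "vota!.zip.scr",
    "Canaval2004!.jpg.pif",
    "report.docx",
    "setup.exe",
    "minhavida!.zip.exe",
    "notes.txt",
]

# Final extensions that Windows executes; the alert lists PIF, COM, SCR, BAT plus EXE.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat"}
# Assumed "decoy" middle extensions: archive/image names from the filename list above
# plus the document types the alert names (TXT, DOC, RTF, HTM).
DECOY_EXTS = {"zip", "jpg", "txt", "doc", "rtf", "htm"}

# Captures the value name and data of a Run-key line: ...\Run\<name> = <data>
RUN_VALUE_RE = re.compile(r"\\Run\\(?P<name>[^=]+?)\s*=\s*(?P<data>.+)$", re.IGNORECASE)


def is_netsky_ad_run_entry(line):
    """True when a Run-key line matches the persistence entry described in the alert:
    value name MsnMsgr, data ending in 'MsnMsgrs.exe -alev' (case-insensitive)."""
    m = RUN_VALUE_RE.search(line)
    if not m:
        return False
    name = m.group("name").strip().lower()
    data = m.group("data").strip().lower()
    return name == "msnmsgr" and data.endswith("msnmsgrs.exe -alev")


def has_double_executable_extension(filename):
    """True for names like 'x.zip.scr' or 'x.jpg.pif': a decoy extension immediately
    followed by an executable one. Single-extension names are never flagged."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    return parts[1] in DECOY_EXTS and parts[2] in EXECUTABLE_EXTS


def scan(run_entries, filenames):
    """Return the Run-key lines and filenames that match the alert's indicators."""
    return {
        "run_key_hits": [line for line in run_entries if is_netsky_ad_run_entry(line)],
        "suspicious_files": [f for f in filenames if has_double_executable_extension(f)],
    }


if __name__ == "__main__":
    for category, hits in scan(SAMPLE_RUN_ENTRIES, SAMPLE_FILENAMES).items():
        print(category)
        for hit in hits:
            print("  ", hit)
```

The registry match is deliberately narrow (name and data both have to agree), while the filename check is broader than the exact list above so that renamed copies with the same double-extension pattern are still surfaced for review; tune DECOY_EXTS to what your own environment legitimately stores.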

Download the IDE file from:
http://www.sophos.com/downloads/ide/netskyad.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 


