Win32.HLLM.Netsky.based
Aliases: Email-Worm.Win32.Mydoom.am, Email-Worm.Win32.NetSky.ae, Email-Worm.Win32.NetSky.c, Email-Worm.Win32.NetSky.gen, Email-Worm.Win32.NetSky.t, Email-Worm.Win32.NetSky.v, Generic!Morphine, W32.Netsky.C@mm, W32.Netsky.P@mm!enc, W32.Netsky.T@mm, W32.Netsky.U@mm, W32.Netsky.gen@mm, W32/Bugbear.17916intd, W32/Netsky.ad@MM, W32/Netsky.c@MM, W32/Netsky.gen@MM, W32/Netsky.t.eml!exe, W32/Netsky.u.eml!exe, WORM_NETSKY.C, WORM_NETSKY.U, Win32/Bagle.Variant!Worm, Win32/NetSky.T!Base64!Worm, Win32/Netsky.C!Worm
Added to Dr.Web® virus database: 2004-03-01 18:00:00
Virus type: mass-mailing worms.
Affected OS: Win95/98/Me/2000/XP
Size: 25 352, 17 424, 24 840, 22 016, 18 944 or 31 232 bytes, depending on the modification.
Packed by: PETITE, PEPACK, PCPEC, UPX or PECOMPACT, depending on the modification.
Technical Information
To start automatically on every Windows boot, the various modifications of the worm add one of the following values to HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ in the registry:
C:\Windows\winlogon.exe -stealth
C:\Windows\MsnMsgrs.exe -alev
C:\Windows\fooding.exe -antivirus
The worm harvests email addresses for its mailings from files with the following extensions:
.dhtm
.cgi
.shtm
.msg
.oft
.sht
.dbx
.tbb
.adb
.doc
.wab
.asp
.uin
.rtf
.vbs
.html
.htm
.pl
.php
.txt
.eml
To spread over file-sharing networks, the worms copy themselves into shared folders under the following filenames:
The Sims 3 crack.exe
Lightwave SE Update.exe
Ulead Keygen.exe
Smashing the stack.rtf.exe
IE58.1 full setup.exe
Opera.exe
DivX 7.0 final.exe
WinAmp 12 full.exe
Cracks & Warez Archive.exe
Visual Studio Net Crack.exe
ACDSee 9.exe
MS Service Pack 5.exe
Clone DVD 5.exe
Magix Video Deluxe 4.exe
Star Office 8.exe
Partitionsmagic 9.0.exe
Gimp 1.5 Full with Key.exe
Norton Antivirus 2004.exe
Windows Sourcecode.doc.exe
Keygen 4 all appz.exe
3D Studio Max 3dsmax.exe
1000 Sex and more.rtf.exe
RFC Basics Full Edition.doc.exe
Dictionary English - France.doc.exe
Win Longhorn Beta.exe
WinXP eBook.doc.exe
Learn Programming.doc.exe
How to hack.doc.exe
Doom 3 Beta.exe
E-Book Archive.rtf.exe
Virii Sourcecode.scr
Ahead Nero 7.exe
Full album.mp3.pif
Screensaver.scr
Serials.txt.exe
Microsoft Office 2003 Crack.exe
XXX hardcore pic.jpg.exe
Dark Angels.pif
Porno Screensaver.scr
Best Matrix Screensaver.scr
Adobe Photoshop 9 full.exe
Adobe Premiere 9.exe
Teen Porn 16.jpg.pif
Microsoft WinXP Crack.exe
Subjects of the sent messages are chosen from the following list. The most common ones claim that the recipient's mail account has been deactivated or closed and invite the user to follow a link for details:
Your mail account expired. Please follow the link to reactivate.
Your mail account has been closed. Click on the link for further details.
Your mail account has been deactivated. To reactivate, follow the link.
Mail account expired
Mail account closed
Mail account deactivated
Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.
me veja peladinha
gostaria disso e voce???
algo a mais falea verdade!!!
ganhe muita grana
campanhadafome
pq nao me liga??
sinto voce!!
grana
Lembra? amor me liga
Hackers do Brasil
Medical Labs Exames!!!
meu telefone liga
ferias nos E.U.A
Surto :(
Vacina contra o HIV!!
sua conta bancaria zerada
olha que isso!!!
parabens!
te amo!
Policia SP
Sua Conta!!
Boleto Pague
veja o que tem no zip e me liga receitas de bolo!!
acrdito que em voce!!!
promocao de viajens de fim de ano
tudo sobre voce sabe
Proposta de emprego!!
estou doente veja!!!
me diz o queacha?
retorna logo isso!!
arquivo zipado PGP???
voce passou
:D!!!
ve ai logo ta
AMA!
AmaVoce
Abra rapido isso!!!!
reza de sao tome!!!!.
veja detalhes!!!.
encontro voce!
preenche ai ta bom
PizzaVeneza!
vaca
tetas
war3!
AIDS!
grana
banco!
revista lulao!
imposto jogo!
loterias
vips!
missao
vadias!
email
flipe
botao
sampa!!
contas!!
zerado
:(
criancas!
brasil!
lantrocidade
aqui
docs
festa!!
LINUSTOR
bingos!
agua!
:D
sorteado!!
grana!!
dinheiro!!
carros!
voce
:-)
???
circular
agradou
diga
robos!
impressao!!
massas!
pescaria por kilo
Sua saude esta bem? morto :)
The worm copies attached to the messages carry either a single or a double extension. Examples:
your_website.pif
your_product.pif
your_letter.pif
your_archive.pif
your_text.pif
your_bill.pif
your_details.pif
document_word.pif
document_excel.pif
my_details.pif
all_document.pif
application.pif
mp3music.pif
yours.pif
document_4351.pif
your_file.pif
message_details.pif
your_picture.pif
document_full.pif
message_part2.pif
document.pif
your_document.pif
vota!.zip.scr
aninha gatinha!.zip.scr
importante!!!!!.zip.scr
minhavida!.zip.exe
comoserrico!.zip.scr
vida!!.zip.scr
receitas de bolo!!.zip.scr
celulares!!.zip.scr
clica ai logo meu.scr
rede globo tv!.zip.scr
rocha.scr
paula!.scr
Carnaval em Salvador!!.zip.scr
vadias peladas!!.scr
cafe!!.zip.scr
traficoemSP!.scr
MulataDandoOcujpg.scr
multas.pif
caspa.scr
barrio.scr
ResidentEvil2.zip.scr
puteiros!!.scr
Canaval2004!.jpg.pif
VivaNaBaia!.scr
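As an added illustration (not part of the Dr.Web description), the following Python filter applies the two traits described above to mail-gateway log entries: attachment names ending in the worm's executable extensions, with or without the double-extension disguise, and subjects using the "mail account" lure. The log format and the sample lines are constructed for the example.

```python
import re

# Attachment extensions the worm copies use (taken from the description above)
EXEC_EXTS = {"pif", "scr", "exe"}

# Constructed sample gateway log lines (hypothetical format, not from the page)
SAMPLE_LOG = """\
2004-03-02 09:14:01 from=alice@example.org subject="Mail account expired" attach="your_details.pif"
2004-03-02 09:14:07 from=bob@example.org subject="Quarterly report" attach="report.doc"
2004-03-02 09:15:22 from=carol@example.org subject="receitas de bolo!!" attach="receitas de bolo!!.zip.scr"
2004-03-02 09:16:40 from=dave@example.org subject="Setup" attach="IE58.1 full setup.exe"
"""
LINE_RE = re.compile(r'subject="(?P<subject>[^"]*)" attach="(?P<attach>[^"]*)"')


def attachment_reasons(name):
    """Reasons an attachment name looks like a worm copy (empty list if none)."""
    parts = name.lower().rsplit(".", 2)
    reasons = []
    if len(parts) >= 2 and parts[-1] in EXEC_EXTS:
        reasons.append("executable extension ." + parts[-1])
        # A short inner extension (".zip.scr", ".jpg.pif") is the double-extension
        # disguise; "IE58.1 full setup.exe" has a dot but no inner extension.
        if len(parts) == 3 and re.fullmatch(r"[a-z][a-z0-9]{0,3}", parts[-2]):
            reasons.append("double extension ." + parts[-2] + "." + parts[-1])
    return reasons


def is_lure_subject(subject):
    """True for the 'mail account expired/closed/deactivated' subjects listed above."""
    return subject.strip().lower().startswith(("your mail account", "mail account"))


def scan_log(text):
    """Return (subject, attachment, reasons) for every log line worth quarantining."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        subject, attach = m.group("subject"), m.group("attach")
        reasons = attachment_reasons(attach)
        if is_lure_subject(subject):
            reasons.append("known lure subject")
        if reasons:
            hits.append((subject, attach, reasons))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags three of the four constructed lines; the plain `.doc` attachment with an ordinary subject passes.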
The worms do not send themselves to addresses that contain any of the following substrings:
abuse
fbi
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
avp
spam
ymantec
antivi
icrosoft
iruslis
andasoftwa
skynet
The worm deletes the following registry keys and values, together with their data:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAV
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\msgsvr32
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\service
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OLE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sentry
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Services Host
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DELETE ME
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\au.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
HKLM\System\CurrentControlSet\Services\WksPatch
The worm body can contain IP addresses of German, Swiss and Dutch sites that it subjects to DoS attacks.
It can also contain taunting text strings addressed to the authors of the MyDoom and Beagle email worm families. For example:
Hey Bagle, feel our revenge!
MyDoom and Bagle are spammer
we are the skynet - you can't hide yourself! - we kill malware writers (they have no chance!) - [LaMeRz-->]MyDoom.F is a thief of our idea! - -< SkyNet AV vs. Malware >- ->->
System Recovery Information
1. Boot Windows in Safe Mode.
2. Scan the computer with Dr.Web® Scanner or the free Dr.Web® CureIT! utility and apply the "Cure" action to every infected file that is found.
3. Restore the system registry from a backup copy.
Important! Immediately before step 2, configure the email client in use so that it stores attachments as separate files rather than inside the mail database. For example, in The Bat! attachments are stored separately from the mail base as follows:
Account - Properties - Files & Directories - Keep attachment files - Separately in a special directory.