Old 04-19-2004, 02:04 PM  
Jeff aka NIGHTfall
Netsky Worm Fix!!

THE FIX IS HERE

Please download it and scan your computer even if you do not think you are infected; many people are and never had a clue, including many of us GFY members and other forum surfers.



Quote:
Name: Win32.Netsky.D@mm
Aliases: W32/Netsky.d@MM
Type: Mass Mailer
Size: 17424 bytes (packed)
Detected: 1. March 2004
In the wild: Yes


Symptoms
Presence of the following file in the Windows directory (%WINDIR%):
winlogon.exe

Presence of the following entry in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key:
ICQ Net = winlogon.exe -stealth


Technical description
This variant of the NetSky worm (.D) spreads only via e-mail (in contrast
with previous versions, which spread through some P2P applications as well),
sending itself to e-mail addresses found in the infected computer.

The worm arrives in the following e-mail format:

Subject - randomly chosen from the following strings:
Re: Re: Document
Re: Re: Thanks!
Re: Thanks!
Re: Your document
Re: Here is the document
Re: Your picture
Re: Re: Message
Re: Hi
Re: Hello
Re: Re: Re: Your document
Re: Here
Re: Your music
Re: Your software
Re: Approved
Re: Details
Re: Excel file
Re: Word file
Re: My details
Re: Your details
Re: Your bill
Re: Your text
Re: Your archive
Re: Your letter
Re: Your product
Re: Your website

Body - randomly chosen from the following strings:
Your document is attached.
Here is the file.
See the attached file for details.
Please have a look at the attached file.
Please read the attached file.
Your file is attached.

Attached filename (and extension) - randomly chosen from the following strings:
your_document.pif
your_document.pif
document.pif
message_part2.pif
your_document.pif
document_full.pif
your_picture.pif
message_details.pif
your_file.pif
your_picture.pif
document_4351.pif
yours.pif
mp3music.pif
application.pif
all_document.pif
my_details.pif
document_excel.pif
document_word.pif
my_details.pif
your_details.pif
your_bill.pif
your_text.pif
your_archive.pif
your_letter.pif
your_product.pif
your_website.pif

When the user double-clicks the e-mail attachment, the worm does the following:

- copies itself to the Windows directory (%WINDIR%) as winlogon.exe;

- adds the following entry to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run
registry key:
ICQ net = winlogon.exe -stealth
(so it will be executed each time Windows starts up);

- disables some antivirus software and other known worms (such as Win32.Mydoom.A@mm
and Win32.Mydoom.B@mm) by deleting relevant registry keys;

- scans the infected computers for e-mail addresses in files whose extension
is one of the following:
.eml
.txt
.php
.pl
.htm
.html
.vbs
.rtf
.uin
.asp
.wab
.doc
.adb
.tbb
.dbx
.sht
.oft
.msg
.shtm
.cgi
.dhtm

- creates and sends e-mails to these addresses in the format described above;

- on 01 mar. 2004, between 6:00 and 9:00 am (local time, not GMT), the worm
generates sounds with random tones and durations through the computer's speaker.


This variant (.D) uses an improved routine for sending itself through
e-mail, allowing it to be sent several times faster than previous
variants (.A - .C).

The worm avoids sending itself to addresses containing at least one of
the following strings:
icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abuse
messagelabs
skynet
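The indicators in the quoted description, turned into checks a mail-gateway or triage script can run, as an added example that is not code from the post or from the vendor description it quotes. The subject, body, attachment-name and skip-string lists are copied from the quote (with the forum word filter's substitutions read back as "document", "Windows" and "executed"); the function names and the sample message are constructed for this example. One caveat the quote leaves implicit: the genuine winlogon.exe lives in %WINDIR%\System32, so only a copy sitting directly in %WINDIR% is an indicator, and the skip list shows why abuse@ and anti-virus mailboxes never receive a sample.

```python
"""Win32.Netsky.D@mm indicator matching, built from the quoted description.
Added example; not code from the post or from the vendor it quotes. The
sample message below is constructed, not a capture."""
import email
import ntpath
from email import policy

# Subjects, bodies and attachment names the worm picks from, compared
# case-insensitively (the quoted list repeats some names; a set dedupes them).
NETSKY_D_SUBJECTS = {s.lower() for s in (
    "Re: Re: Document", "Re: Re: Thanks!", "Re: Thanks!", "Re: Your document",
    "Re: Here is the document", "Re: Your picture", "Re: Re: Message", "Re: Hi",
    "Re: Hello", "Re: Re: Re: Your document", "Re: Here", "Re: Your music",
    "Re: Your software", "Re: Approved", "Re: Details", "Re: Excel file",
    "Re: Word file", "Re: My details", "Re: Your details", "Re: Your bill",
    "Re: Your text", "Re: Your archive", "Re: Your letter", "Re: Your product",
    "Re: Your website")}
NETSKY_D_BODIES = {s.lower() for s in (
    "Your document is attached.", "Here is the file.",
    "See the attached file for details.", "Please have a look at the attached file.",
    "Please read the attached file.", "Your file is attached.")}
NETSKY_D_ATTACHMENTS = {
    "your_document.pif", "document.pif", "message_part2.pif", "document_full.pif",
    "your_picture.pif", "message_details.pif", "your_file.pif", "document_4351.pif",
    "yours.pif", "mp3music.pif", "application.pif", "all_document.pif",
    "my_details.pif", "document_excel.pif", "document_word.pif", "your_details.pif",
    "your_bill.pif", "your_text.pif", "your_archive.pif", "your_letter.pif",
    "your_product.pif", "your_website.pif"}
# Substrings that make the worm skip an address (loose matching, as in the worm).
NETSKY_D_SKIP = ("icrosoft", "antivi", "ymantec", "spam", "avp", "f-secur",
                 "itdefender", "orman", "cafee", "aspersky", "f-pro", "orton",
                 "fbi", "abuse", "messagelabs", "skynet")


def classify_message(raw: str) -> dict:
    """Match one RFC 822 message against the worm's subject/body/attachment lists."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part else ""
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    names = {a.lower() for a in attachments}
    hits = {
        "subject": subject in NETSKY_D_SUBJECTS,
        "body": body in NETSKY_D_BODIES,
        "attachment": bool(names & NETSKY_D_ATTACHMENTS),
        # Any .pif attachment is worth quarantining at the gateway on its own.
        "pif": any(n.endswith(".pif") for n in names),
    }
    if hits["attachment"] and (hits["subject"] or hits["body"]):
        verdict = "netsky.d"
    elif hits["pif"]:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits, "attachments": attachments}


def worm_would_skip(address: str) -> bool:
    """True if the worm would refuse to mail this address. The match is a bare
    substring test, so e.g. 'normandy@...' is skipped because it contains 'orman'."""
    a = address.lower()
    return any(s in a for s in NETSKY_D_SKIP)


def is_worm_winlogon(path: str, windir: str) -> bool:
    """The worm drops %WINDIR%\\winlogon.exe; the real binary is in
    %WINDIR%\\System32, so only the top-level Windows directory is an indicator."""
    return ntpath.normcase(path) == ntpath.normcase(ntpath.join(windir, "winlogon.exe"))


def is_netsky_run_value(name: str, data: str) -> bool:
    """Match the Run-key entry 'ICQ Net = winlogon.exe -stealth' from the quote."""
    d = data.lower()
    return name.strip().lower() == "icq net" and "winlogon.exe" in d and "-stealth" in d


# Constructed sample in the worm's format (addresses and payload are made up).
WORM_MAIL = """\
From: alice@example.com
To: bob@example.net
Subject: Re: Your document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your document is attached.

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="your_document.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

if __name__ == "__main__":
    print(classify_message(WORM_MAIL))
```

A subject hit alone is not a verdict: "Re: Thanks!" is an ordinary reply subject, which is exactly why the worm chose it. The `netsky.d` verdict requires a listed attachment name plus a listed subject or body, and anything else carrying a .pif is flagged as `suspicious` for manual review.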