Alias: W32.Netsky.Y@mm, W32/Netsky-Y
Type: Worm
Size: 18,944 bytes
Origin: unknown
Date: 04-20-2004
Damage: Sent by email, DoS attacks
VDF Version: 6.25.00.21
Danger: Low
Distribution: Medium

General Description
Like its predecessor, the worm sends itself to email addresses found in the system. In addition, it starts DoS attacks on the www.nibis.de, www.medinfo.ufl.edu and www.educa.ch sites.

Symptoms
Increased email traffic.

Distribution
Sends itself by email, using its own SMTP engine.

Technical Details
Worm/Netsky.Y (18,944 bytes) creates the following files:
* %WinDir%\FirewallSvr.exe
* %WinDir%\Fuck_You_Bagle.txt (MIME file)

It makes the following registry entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FirewallSvr"="%WinDir%\FirewallSvr.exe"

The worm searches the drives and folders for email addresses in files with the following extensions, then sends itself to those addresses using its own SMTP engine:
* .adb
* .asp
* .cgi
* .dbx
* .dhtm
* .doc
* .eml
* .htm
* .html
* .msg
* .oft
* .php
* .pl
* .rtf
* .sht
* .shtm
* .tbb
* .txt
* .uin
* .vbs
* .wab

An email sent by Worm/Netsky.Y can look like this:

Subject:

Delivery failure notice (ID-<random number>)

Body:

--- Mail Part Delivered ---
220 Welcome to
Mail type: multipart/related
--- text/html RFC 2504
MX [Mail Exchanger] mx.mt2.kl.<%variable%>
Exim Status OK.
<%variable%> message is available.

Attachment:

www.<%random domain name%>.<%random name%>.session-<%random numbers%>.com
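
As an added example (not part of the original description), a mail-gateway check for the subject, body and attachment traits shown above. The regular expressions, the two-trait threshold, the function names and the sample messages are assumptions constructed for illustration:

```python
import re
from email import message_from_string
from email.message import EmailMessage

# Patterns follow the sample message in this description. The exact regexes
# (digits-only ID, \S+ for the random name parts) are assumptions.
SUBJECT_RE = re.compile(r"^Delivery failure notice \(ID-\d+\)$")
ATTACH_RE = re.compile(r"^www\.\S+\.session-\d+\.com$", re.IGNORECASE)
BODY_MARKERS = ("--- Mail Part Delivered ---", "Exim Status OK.")

def netsky_y_indicators(raw_message):
    """Return which Netsky.Y mail traits (subject/body/attachment) are present."""
    msg = message_from_string(raw_message)
    hits = []
    if SUBJECT_RE.match((msg.get("Subject") or "").strip()):
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            if ATTACH_RE.match(name.strip()):
                hits.append("attachment")
        elif part.get_content_maintype() == "text":
            text = (part.get_payload(decode=True) or b"").decode("latin-1")
            if all(marker in text for marker in BODY_MARKERS):
                hits.append("body")
    return hits

def is_suspect(raw_message):
    # A bounce-style subject alone is common in legitimate mail: require two traits.
    return len(netsky_y_indicators(raw_message)) >= 2

def build_sample(subject, body, attachment_name=None):
    # Builds a constructed test message; the attachment is inert placeholder bytes.
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()

WORM_LIKE = build_sample("Delivery failure notice (ID-00417329)",
                         "--- Mail Part Delivered ---\n220 Welcome to\nExim Status OK.\n",
                         "www.example.sample.session-00417329.com")
BENIGN = build_sample("Delivery Status Notification (Failure)", "Not delivered.\n")

if __name__ == "__main__":
    print(netsky_y_indicators(WORM_LIKE), is_suspect(WORM_LIKE), is_suspect(BENIGN))
```
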

The worm uses its own SMTP engine to send the messages to hukanmikloiuo@yahoo.com and to all the addresses found in the system. Between the 28th and 30th of April, Worm/Netsky.Y starts a DoS attack on:
* www.nibis.de
* www.medinfo.ufl.edu
* www.educa.ch

Manual Removal Instructions
- for Windows 2000/XP:
To remove the virus by hand, first boot into Safe Mode: press the F8 key when you start your computer, and select the 'Safe Mode' option that appears.

Delete the following files:

* %WinDir%\FirewallSvr.exe
* %WinDir%\Fuck_You_Bagle.txt

Then start "regedit" and delete the following registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FirewallSvr"="%WinDir%\FirewallSvr.exe"

Restart your computer.

- for Windows 9x/Me:
To remove the virus by hand, first boot into Safe Mode: press the F8 key when you start your computer, and select the 'Safe Mode' option that appears.

Delete the following files:

* %WinDir%\FirewallSvr.exe
* %WinDir%\Fuck_You_Bagle.txt

Then start "regedit" and delete the following registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FirewallSvr"="%WinDir%\FirewallSvr.exe"

Restart your computer.
Description inserted by Crony Walker on Tuesday, June 15, 2004
