Alias: W32.Netsky.O@mm, W32/Netsky-O
Type: Worm
Size: 16.384 Bytes
Origin:
Date: 03-18-2004
Damage: Sent by email.
VDF Version: 6.24.00.60
Danger: Low
Distribution: Medium

Distribution

The email sent by the worm can vary in appearance. The worm picks the Subject, Body and Attachment from the following lists:

Subject:
Re: Mail Authentification
Re: Delivery Protection
Re: Secure delivery
Re: Protected Mail Delivery
Re: Protected Mail System
Re: Protected Mail Request
Re: Secure SMTP Message
Re: Extended Mail System
Re: Error
Re: Message Error
Re: Administration
Re: Test
Re: Thank you for delivery
Re: Failure
Re: Bad Request
Re: Delivery Server
Re: Mail Server
Re: SMTP Server
Re: Notify
Re: Status
Re: Extended Mail
Re: Encrypted Mail

Body:
You have received an extended message. Please read the instructions.
New message is available.
Now a new message is available.
You got a new message.
SMTP: Please confirm the attached message.
Bad Gateway: The message has been attached.
Protected message is available.
Waiting for authentification.
Protected message is attached.
Please authenticate the secure message.
Follow the instructions to read the message.
Please read the attachment to get the message.
Encrypted message is available.
Delivered message is attached.
Forwarded message is available.
Secure Mail System Beta Test.
Protected Mail System Test.
Your requested mail has been attached.
For further details see the attachment.
For more details see the attachment.
First part of the secure mail is available.
Waiting for a Response. Please read the attachment.
Partial message is available.
ESMTP [Secure Mail System #334]: Secure message is attached.
Please confirm my request.

All email bodies end with one of the following messages, to give the user the impression of a virus-free email:

+++ Attachment: No Virus found
+++ Panda AntiVirus - You are protected
+++ www.pandasoftware.com

+++ Attachment: No Virus found
+++ F-Secure AntiVirus - You are protected
+++ www.f-secure.com

+++ Attachment: No Virus found
+++ Norman AntiVirus - You are protected
+++ www.norman.com

+++ Attachment: No Virus found
+++ Norton AntiVirus - You are protected
+++ www.symantec.de

Attachment:
message.pif
msg.pif
details.pif
data.pif
document.pif
readme.pif
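
A mail-gateway triage check built from the subject, footer and attachment lists above, as an added example (not Avira's code). The function names, the constructed sample message helper and the rule that a listed attachment name plus one other indicator marks a message as suspect are assumptions of this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicator lists copied from this description.
ATTACHMENTS = {"message.pif", "msg.pif", "details.pif", "data.pif",
               "document.pif", "readme.pif"}
SUBJECTS = {"Re: " + s for s in (
    "Mail Authentification", "Delivery Protection", "Secure delivery",
    "Protected Mail Delivery", "Protected Mail System", "Protected Mail Request",
    "Secure SMTP Message", "Extended Mail System", "Error", "Message Error",
    "Administration", "Test", "Thank you for delivery", "Failure", "Bad Request",
    "Delivery Server", "Mail Server", "SMTP Server", "Notify", "Status",
    "Extended Mail", "Encrypted Mail")}
FOOTER = "+++ Attachment: No Virus found"  # first line of every fake scanner footer

def netsky_o_indicators(raw):
    """Return which of the listed indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    # Attachment names are compared case-insensitively across all MIME parts.
    names = [(part.get_filename() or "").lower() for part in msg.walk()]
    if any(name in ATTACHMENTS for name in names):
        hits.append("attachment")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and FOOTER in body.get_content():
        hits.append("fake-av-footer")
    return hits

def is_suspect(raw):
    """Assumed rule: a listed .pif name plus at least one other indicator."""
    hits = netsky_o_indicators(raw)
    return "attachment" in hits and len(hits) >= 2

def make_sample(subject, body, filename):
    """Constructed test message; the attachment holds harmless placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.test", "b@example.test", subject
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A subject match alone is weak evidence, since subjects such as "Re: Status" also occur in ordinary mail; the attachment name and the fake scanner footer are the stronger signals.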

Technical Details

Worm/Netsky.O (16.384 Bytes) is packed with the newest version of UPX. When activated, it is copied as:
C:\%WinDir%\AVBgle.exe
C:\%WinDir%\base64.tmp (22.456 bytes / Base64 archive)

It makes the registry entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSInfo"="C:\\WINDOWS\\AVBgle.exe"

and deletes the following entries, if present:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Explorer"=
"system."=
"msgsvr32"=
"service"=
"DELETE ME"=
"Sentry"=
"Taskmon"=
"Windows Services Host"=

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"Explorer"=
"d3dupdate.exe"=
"au.exe"=
"OLE"=
"gouday.exe"=
"rate.exe"=
"Taskmon"=
"Windows Services Host"=

HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\
"InProcServer32"=

The worm searches for email addresses on drives C: to Z:, in files of type:
.adb .asp .cgi .dbx .dhtm .doc .eml .htm .html .msg .oft .php .pl .rtf .sht .shtm .tbb .txt .uin .vbs .wab

The emails are not sent to email addresses containing:
abuse
antivi
aspersky
avp
cafee
fbi
f-pro
f-secur
icrosoft
itdefender
messagelabs
orman
orton
skynet
spam
ymantec

Description inserted by Crony Walker on Tuesday, June 15, 2004
