Alias: W32.Netsky.K@mm, W32/Netsky-J, Win32.Netsky.J, W32/Netsky.j
Type: Worm
Size: 22,016 bytes
Origin: unknown
Date: 03-08-2004
Damage: Sends itself by email
VDF Version: 6.24.00.44
Danger: Low
Distribution: Medium
General Description
This worm sends itself, like its predecessors, to email addresses found on the infected system.
Symptoms
* Increased email traffic
Distribution
* Sends itself via email using its own SMTP engine
Technical Details
Worm/Netsky.K has a file size of 22,016 bytes. It copies itself as:
* %windir%\winlogon.exe
It will add the following registry entry:
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICQ Net"="C:\\WINNT\\winlogon.exe stealth"
and it will delete the following registry entries, if they are present (these are persistence entries of competing mass-mailers of the period, Mydoom and Bagle variants among them, so a cleaned host may also have lost those infections' autostart values):
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system.
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msgsvr32
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DELETE ME
* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\au.exe
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service
* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLE
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sentry
* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows services host
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows services host
* HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Windows services host
* HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Ole
* HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\au.exe
* HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\d3dupdate.exe
* HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\KasperskyAv
* HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Explorer
* HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Taskmon
* HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
* HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch
The worm sends itself to email addresses found in files having the following extensions:
* adb
* asp
* cgi
* dbx
* dhtm
* doc
* eml
* htm
* html
* msg
* oft
* php
* pl
* rtf
* sht
* shtm
* tbb
* txt
* uin
* vbs
* wab
and it will not send itself to email addresses containing the following strings:
* abuse
* antivi
* aspersky
* avp
* cafee
* FBI
* f-per
* f-secur
* icrosoft
* itdefender
* messagelabs
* orman
* orton
* skynet
* Spam
* ymantec
Emails from Worm/Netsky.K can have the following appearance:
Subject:
* RE: Approved
* RE: Detail
* RE: Document
* RE: Excel file
* RE: Hello
* RE: Here
* RE: Here is the document
* RE: Rear one
* RE: My detail
* RE: RE: Document
* RE: RE: Message
* RE: RE: RE: Your document
* RE: RE: Thanks!
* RE: Thanks!
* RE: Word file
* RE: Your archive
* RE: Your bill
* RE: Your detail
* RE: Your document
* RE: Your letter
* RE: Your music
* RE: Your picture
* RE: Your product
* RE: Your software
* RE: Your text
* RE: Your website
Body:
* Your document is attached.
* Please have a look at the attached file.
* Please read the attached file.
* See the attached file for details.
* Your file is attached.
* Here is the file.
Attachment:
* all_document.pif
* application.pif
* document.pif
* document_4351.pif
* document_excel.pif
* document_full.pif
* document_word.pif
* message_details.pif
* message_part2.pif
* mp3music.pif
* my_details.pif
* your_archive.pif
* your_bill.pif
* your_details.pif
* your_document.pif
* your_file.pif
* your_letter.pif
* your_picture.pif
* your_product.pif
* your_text.pif
* your_website.pif
* yours.pif
Manual Remove Instructions - for Windows 2000/XP and for Windows 9x/Me (the steps are the same on both):
In order to remove the worm by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear. Delete the following file:
* %windir%\winlogon.exe
On Windows 2000/XP the legitimate logon process is %windir%\system32\winlogon.exe; the worm's copy sits directly in %windir% (C:\WINNT or C:\WINDOWS, depending on the installation) and is the one to delete. Leave the file in System32 alone.
Start "regedit" after that and delete the following registry entry:
* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICQ Net"="C:\\WINNT\\winlogon.exe stealth"
The path in the value data reflects the system on which the sample was analysed; on an installation whose Windows directory is C:\WINDOWS the value points there instead, so search for the value name "ICQ Net" rather than the exact path.
Restart your computer.
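The subject, body and attachment templates listed above, together with the harvest exclusion list, are enough to build a gateway-side detector. The following Python script is an added example; it is not part of the original description and not an Avira tool. It models the worm's own address filter and classifies constructed messages (hypothetical example.com addresses, an inert placeholder payload, not worm code) against the mail templates. It generalises slightly beyond the page by flagging any .pif attachment, since a .pif file runs as a program on Windows whatever its name. Whether the worm's exclusion-string match is case sensitive is not stated on the page; the mixed case of "FBI" and "Spam" suggests it is, and the code assumes so.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators transcribed from the Worm/Netsky.K description on this page.
# Subjects are the listed strings with the leading "RE: " prefixes removed;
# the worm prepends one or more "RE: " to them.
SUBJECT_CORES = {
    "Approved", "Detail", "Document", "Excel file", "Hello", "Here",
    "Here is the document", "Message", "My detail", "Thanks!", "Word file",
    "Your archive", "Your bill", "Your detail", "Your document", "Your letter",
    "Your music", "Your picture", "Your product", "Your software", "Your text",
    "Your website",
}
BODY_LINES = {
    "Your document is attached.",
    "Please have a look at the attached file.",
    "Please read the attached file.",
    "See the attached file for details.",
    "Your file is attached.",
    "Here is the file.",
}
# Strings the worm refuses to mail to (harvest exclusion list from the page).
# Assumption: case-sensitive substring match, as the page lists them.
HARVEST_EXCLUDES = (
    "abuse", "antivi", "aspersky", "avp", "cafee", "FBI", "f-per", "f-secur",
    "icrosoft", "itdefender", "messagelabs", "orman", "orton", "skynet",
    "Spam", "ymantec",
)


def strip_re_prefixes(subject: str) -> str:
    """Remove any number of leading 'RE: ' prefixes (case-insensitive)."""
    core = subject.strip()
    while core[:4].upper() == "RE: ":
        core = core[4:].lstrip()
    return core


def worm_would_target(address: str) -> bool:
    """Model of the worm's harvest filter: True if it would mail this address."""
    return not any(s in address for s in HARVEST_EXCLUDES)


def classify(raw_message: str) -> dict:
    """Classify one RFC 822 message against the Netsky.K templates.

    Verdicts: "netsky.k" (a .pif attachment plus a matching subject or body),
    "suspicious" (a .pif attachment on its own), or "clean". A matching
    subject or body without an attachment is only recorded as a reason,
    because plenty of legitimate mail reads "RE: Document".
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []

    subject = str(msg.get("Subject", ""))
    if strip_re_prefixes(subject) in SUBJECT_CORES:
        reasons.append(f"subject matches template: {subject!r}")

    text_part = msg.get_body(preferencelist=("plain",))
    body = text_part.get_content().strip() if text_part is not None else ""
    if body in BODY_LINES:
        reasons.append(f"body matches template: {body!r}")

    pif_names = [
        part.get_filename()
        for part in msg.iter_attachments()
        if (part.get_filename() or "").lower().endswith(".pif")
    ]
    for name in pif_names:
        reasons.append(f".pif attachment: {name!r}")

    template_hit = any(not r.startswith(".pif") for r in reasons)
    if pif_names and template_hit:
        verdict = "netsky.k"
    elif pif_names:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


def build_sample(subject: str, body: str, attachment=None) -> str:
    """Construct a test message (hypothetical addresses, inert dummy bytes)."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.com"   # hypothetical
    msg["To"] = "victim@example.com"             # hypothetical
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        # Constructed placeholder bytes, not worm code.
        msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()


if __name__ == "__main__":
    samples = [
        ("RE: RE: Document", "Your document is attached.", "document.pif"),
        ("Quarterly numbers", "Figures attached.", "q1.xlsx"),
        ("Hi", "Run this.", "setup.pif"),
    ]
    for args in samples:
        print(args[0], "->", classify(build_sample(*args)))
    print("abuse@example.com targeted:", worm_would_target("abuse@example.com"))
```

Fed with real traffic, `classify` would run over each outbound message at the relay; the "suspicious" verdict alone catches the worm's later renamed variants, while the "netsky.k" verdict gives the attribution needed to start the host clean-up above.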
Description submitted by Crony Walker on Tuesday, 15 June 2004