Alias: W32/Netsky.D@MM, i-Worm.Moodown.d
Type: Worm
Size: 17,424 bytes
Origin: unknown
Date: 03-01-2004
Damage: Sends itself by email
VDF Version: 6.24.00.29
Danger: Low
Distribution: High

General Description
Worm/NetSky.D is a mass-mailer with a size of 17,424 bytes. It uses its own SMTP engine to send the emails, so it does not depend on the installed email client. It scans files on all local drives for email addresses and then sends itself to them.

The emails generated by Worm/NetSky.E can look different from one another, because the worm uses a predefined list of words and sentences.

The worm copies itself into the Windows folder as WINLOGON.EXE and modifies the Windows Registry accordingly.

Symptoms
* Increased email traffic

Distribution
* Sends itself via email using its own SMTP engine

Technical Details
Worm/NetSky.D is a mass-mailer with a size of 17,424 bytes. It uses its own SMTP engine to send the emails, so it does not depend on the installed email client. It scans files with the following extensions on all local drives for email addresses and then sends itself to them:

adb, asp, cgi, dbx, dhtm, doc, eml, htm, html, msg, oft, php, pl, rtf, sht, shtm, tbb, txt, uin, vbs, and wab

It copies itself into the Windows folder as WINLOGON.EXE and adds the following entry in the Windows Registry:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "ICQ Net" = "%Windir%\winlogon.exe stealth"

Note: The file WINLOGON.EXE is different from the original file in the SYSTEM32 folder of Windows.

The emails generated by Worm/NetSky.E can look different from one another, because the worm uses a predefined list of words and sentences. As a result, the subject, the email body and the name of the attachment differ for each email sent.

The email subject can be one of the following strings:

* Re: Approved
* Re: Details
* Re: Document
* Re: Excel file
* Re: Hello
* Re: Here
* Re: Here is the document
* Re: Hi
* Re: My details
* Re: Re: Document
* Re: Re: Message
* Re: Re: Re: Your document
* Re: Re: Thanks!
* Re: Thanks!
* Re: Word file
* Re: Your archive
* Re: Your bill
* Re: Your details
* Re: Your document
* Re: Your letter
* Re: Your music
* Re: Your picture
* Re: Your product
* Re: Your software
* Re: Your text
* Re: Your website

The file name is selected from the following list:

* all_document
* application
* document
* document_4351
* document_excel
* document_full
* document_word
* message_details
* message_part2
* mp3music
* my_details
* your_archive
* your_bill
* your_details
* your_document
* your_file
* your_letter
* your_picture
* your_product
* your_text
* your_website
* yours

The file extension of the attachment can be one of the following:

* txt
* rtf
* doc
* htm

The second file extension can be:

* exe
* scr
* com
* pif
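
As an added example (not part of the original description and not vendor code), the following Python checks a raw message against the subject, file name and extension lists above. It assumes the attachment name is assembled as name.first_extension.second_extension; the function names and the sample addresses are constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicator lists copied from the description above.
SUBJECTS = set((
    "Re: Approved|Re: Details|Re: Document|Re: Excel file|Re: Hello|Re: Here|"
    "Re: Here is the document|Re: Hi|Re: My details|Re: Re: Document|"
    "Re: Re: Message|Re: Re: Re: Your document|Re: Re: Thanks!|Re: Thanks!|"
    "Re: Word file|Re: Your archive|Re: Your bill|Re: Your details|"
    "Re: Your document|Re: Your letter|Re: Your music|Re: Your picture|"
    "Re: Your product|Re: Your software|Re: Your text|Re: Your website"
).split("|"))
BASE_NAMES = set((
    "all_document application document document_4351 document_excel "
    "document_full document_word message_details message_part2 mp3music "
    "my_details your_archive your_bill your_details your_document your_file "
    "your_letter your_picture your_product your_text your_website yours"
).split())
# Assumption: the name is assembled as <name>.<first ext>.<second ext>.
ATTACH_RE = re.compile(r"(?P<base>.+)\.(?:txt|rtf|doc|htm)\.(?:exe|scr|com|pif)")


def netsky_d_indicators(raw_message):
    """Return which of the listed indicators a raw RFC 5322 message matches."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        match = ATTACH_RE.fullmatch(name)
        if match and match.group("base") in BASE_NAMES:
            hits.append("attachment:" + name)
        elif match:  # document-style name hiding an executable extension
            hits.append("double-extension:" + name)
    return hits


def build_sample(subject, filename):
    """Constructed message for testing; the attachment is harmless text."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content("Constructed body.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()
```

A subject match alone is weak evidence, since the listed subjects are ordinary reply lines; the attachment name pattern is the stronger signal.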

Manual Removal Instructions
- for Windows 2000/XP:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear. Delete the following files:

* %Windir%\Winlogon.exe

Start "regedit" after that and delete the following registry entries:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "ICQ Net" = "%Windir%\winlogon.exe stealth"

Restart your computer.

- for Windows 9x/Me:
In order to remove the virus by hand, you should be in Safe Mode first. Press the F8 key when you start your computer, and select the 'safe mode' option that will appear. Delete the following files:

* %Windir%\Winlogon.exe

Start "regedit" after that and delete the following registry entries:

* [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "ICQ Net" = "%Windir%\winlogon.exe stealth"

Restart your computer.
Description submitted by Crony Walker on Tuesday, June 15, 2004