Summary

| Property | Value |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | April 2004 (3.80) |
| Protection available since | 1 March 2004 11:41:57 (GMT) |
| Last updated | 10 March 2004 23:25:41 (GMT) |
| Detected by | All Sophos products |
Action

If you are running Sophos Anti-Virus for Windows, version 6.0, you should follow our instructions for removing worms.
If you use any of our other products, please follow the instructions for removing W32/Netsky-D.
More Information
W32/Netsky-D is a worm that spreads via email. When emailing itself, the worm can spoof the sender's email address.
W32/Netsky-D may arrive in an email with the following characteristics:
Subject lines:
Re: Approved
Re: Details
Re: Document
Re: Excel file
Re: Hello
Re: Here
Re: Here is the document
Re: Hi
Re: My details
Re: Re: Document
Re: Re: Message
Re: Re: Re: Your document
Re: Re: Thanks!
Re: Thanks!
Re: Word file
Re: Your archive
Re: Your bill
Re: Your details
Re: Your document
Re: Your letter
Re: Your music
Re: Your picture
Re: Your product
Re: Your software
Re: Your text
Re: Your website
Message texts:
Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.
Attached file:
all_document.pif
application.pif
document.pif
document_4351.pif
document_excel.pif
document_full.pif
document_word.pif
message_details.pif
message_part2.pif
mp3music.pif
my_details.pif
your_archive.pif
your_bill.pif
your_details.pif
your_document.pif
your_file.pif
your_letter.pif
your_picture.pif
your_product.pif
your_text.pif
your_website.pif
yours.pif
When first run, W32/Netsky-D copies itself to the Windows folder as winlogon.exe and creates the following registry entry so that winlogon.exe is run automatically each time the user logs on to the computer:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ICQ Net = <WINDOWS>\winlogon.exe -stealth
W32/Netsky-D searches all mapped drives for files with the following extensions in order to find email addresses: MSG, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT and EML.
W32/Netsky-D attempts to delete the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\au.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OLE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DELETE ME
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msgsvr32
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sentry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\system
HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
W32/Netsky-D queries a hard-coded list of IP addresses.
W32/Netsky-D is programmed not to forward itself via email if the recipient email address contains any of the following strings:
messagelabs
abuse
fbi
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
avp
spam
ymantec
antivi
icrosoft
W32/Netsky-D attempts to delete some registry entries, including ones related to the W32/MyDoom-A and W32/MyDoom-B worms, in a similar way to previous variants.
When the worm is run on 2 March 2004 between 06:00 and 08:59, it may cause the computer to beep sporadically.
