NETSKY.T
WORM SPREADS IN THE WILD
Virus Name : W32.Netsky.T@mm
Alias : I-Worm.NetSky.t,
W32/Netsky.t@MM , Win32.HLLM.Netsky.based,
W32/Netsky-T, Win32/Netsky.T@mm, WORM_NETSKY.T,
Win32:Netsky-T, I-Worm/Netsky.T,
Worm.SomeFool.Gen-2, W32/Netsky.T.worm,
Win32/Netsky.T, Email-Worm.Win32.NetSky.t
Virus type : Internet
Worm
Threat
level : Medium
Virus
details :
Netsky.T is
a modified variant of Netsky.S worm.This mass
mailing worm spreads using e-mail addresses
collected from .eml, .txt, .php, .asp, .wab,
.doc, .sht, .oft, .msg, .vbs, .rtf, .uin, .shtm,
.cgi, .dhtm, .adb, .tbb, .dbx, .pl, .htm, .html,
.jsp, .wsh, .xml, .cfg, .mbx, .mdx, .mht, .mmf,
.nch, .ods, .stm, .xls, and .ppt files to
distribute infected messages.
Netsky.T worm arrives as
an e-mail attachment. The infected attachment
name, message body and subject is randomly chosen
by the worm.
The
infected mail subject will be one of the
following:
e: Approved
Re: Hello
Re: Hi
Re: Important
Re: My details
Re: Request
Re: Thanks you!
Re: Your details
Re: Your document
Re: Your information
Request
Thank you!
Your details
Your document
Your information
Approved
Hello
Hi
Important
My details
The
infected mail message body will be one of the
following
Hi!
Hello!
I have spent much time for the <random
word>.
I have sent the <random word>.
I have found the <random word>.
Your file is attached to this mail.
My <random word>.
My <random word> is attached.
I have spent much time for your document.
Your <random word>. ˇYour <random
word> is attached.
The requested <random word> is attached!
The <random word>.
The <random word> is attached.
See the document for details.
Please notice the attached document.
Please notice the attached <random word>.
Please have a look at the attached document.
Please have a look at the <random word>.
Note that I have attached your document.
Here is the document. ˇHere is the <random
word>.
For more information see the attached document.
For more details see the attached document.
Approved, here is the document.
Please, <random word>.
Please see the <random word>.
Please read the attached document.
Please read the <random word>.
Please read quickly.
Yours sincerely
Thanks
Thank you
The
infected mail sample is given below
When the worm file is
executed, it copies itself to Windows folder as
"EasyAV.exe". Netsky.T modifies
registry run section to load automatically on the
next startup. The registry modification is given
below.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"EasyAV"= %WINDOWS%\EasyAV.exe
[
By default, %WINDOWS% will be C:\Windows in case
of Windows 95/98/ME/XP, C:\Winnt in case of
Windows NT/2000 ]
Netsky.T worm uses its
own SMTP engine to send infected messages. The
worm also removes registry entries created by
Mydoom.A and Mydoom.B worm. It opens port 6789 to
allow access to the infected system.
This Worm is also known
as I-Worm.NetSky.t, W32/Netsky.t@MM,
Win32.HLLM.Netsky.based, W32/Netsky-T,
Win32/Netsky.T@mm, WORM_NETSKY.T, Win32:Netsky-T,
I-Worm/Netsky.T, Worm.SomeFool.Gen-2,
W32/Netsky.T.worm, Win32/Netsky.T and
Email-Worm.Win32.NetSky.t.
How can I protect my
system?
Solo has incorporated
W32.Netsky.T@mm in its signature file to protect
users from this worm attack. Solo antivirus
registered users are already protected from this
Worm. Make sure that you have installed
registered version of Solo Antivirus to protect
your system from all virus threats.
How
to remove this Worm?
If
you are already infected with this Worm, you can
remove it from your computer using Solo Antivirus
software. Use the following link
to Download 30 day trial version of
Solo antivirus to remove viruses from your
computer.
Solo anti-virus not only
scans for all viruses, it contains a unique System
Integrity Checker to protect you from
New Internet Worms, Backdoors and
malicious VB, Java Scripts. It also
effectively removes all existing Internet Worms,
File viruses, malicious VB, Java scripts,
Trojans, Backdoors, boot sector, partition table
and macro viruses.
You can
purchase Solo antivirus using the link 
|
|
