New E-Mail Virus Warning - Netsky.C
Posted: 26th Feb, 2004 By: MarkJ
Sadly, a further iteration of the Netsky e-mail virus (worm), known as Netsky.c, now appears to be working its way around the Internet just as fast as Netsky.b did before it:
Virus Warning: Central Command warns all Internet users of a new computer worm Worm/Netsky.C
Central Command, a leading provider of PC anti-virus software and computer security services, announces the discovery of Worm/Netsky.C. This new aggressive Internet worm is spreading globally with heavy concentrations initially in the United States.
"Netsky.C is the latest specimen out of the Netsky family of Internet worms," said Steven Sundermeier, Vice President of Products and Services at Central Command, Inc. "Due to the fast spreading nature of mass mailing worms, Netsky.C will once again plague email users worldwide. Email systems are the core function of communication between Internet enabled businesses and we are seeing a new pattern of extremely proficient virus writing successfully attacking this key component."
Central Command's Emergency Virus Response Team® (EVRT®) has updated Vexira Antivirus. The initial submissions indicate that Netsky.C has the potential to be another major outbreak. EVRT has already confirmed over 1500 infections of Worm/Netsky.C in fewer than 40 minutes of initial discovery.
Details of the Internet worm:
Worm/Netsky.C is an Internet worm that spreads through e-mail by using addresses it collects from files with certain file extensions. The extension listing is: *.msg *.oft *.sht *.dbx *.tbb *.adb *.doc *.wab *.asp *.uin *.rtf *.vbs *.html *.htm *.pl *.php *.txt *.eml.
The worm arrives through e-mail with one of the following observed subject lines:
- believe me
- illegal...
- Question
- Fwd: lol
-
- your job? (I found that!)
- Re; hey
- Status
- lol
- something for you
- your name is wrong
- private?
- is that your TAN?
- info
- doc?
- your personal record?
- Re: doing it?
- personal message!
- Report
It will then copy itself into the Windows directory under the filename "winlogon.exe". Additionally, the following files are copied into directories with the word 'shar' in their name located on the infected system:
- 1000 Sex and more.rtf.exe
- 3D Studio Max 3dsmax.exe
- ACDSee 9.exe
- Adobe Photoshop 9 full.exe
- Adobe Premiere 9.exe
- Ahead Nero 7.exe
- Best Matrix Screensaver.scr
- Clone DVD 5.exe
- Cracks & Warez Archive.exe
- Dark Angels.pif
- Dictionary English - France.doc.exe
- DivX 7.0 final.exe
- Doom 3 Beta.exe
- E-Book Archive.rtf.exe
- Full album.mp3.pif
- Gimp 1.5 Full with Key.exe
- How to hack.doc.exe
- IE58.1 full setup.exe
- Keygen 4 all appz.exe
- Learn Programming.doc.exe
- Lightwave SE Update.exe
- Magix Video Deluxe 4.exe
- Microsoft Office 2003 Crack.exe
- Microsoft WinXP Crack.exe
- MS Service Pack 5.exe
- Norton Antivirus 2004.exe
- Opera.exe
- Partitionsmagic 9.0.exe
- Porno Screensaver.scr
- RFC Basics Full Edition.doc.exe
- Screensaver.scr
- Serials.txt.exe
- Smashing the stack.rtf.exe
- Star Office 8.exe
- Teen Porn 16.jpg.pif
- The Sims 3 crack.exe
- Ulead Keygen.exe
- Virii Sourcecode.scr
- Visual Studio Net Crack.exe
- Win Longhorn Beta.exe
- WinAmp 12 full.exe
- Windows Sourcecode.doc.exe
- WinXP eBook.doc.exe
- XXX hardcore pic.jpg.exe
So that it runs each time a user restarts their computer, the following registry key is added:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "ICQ Net"="C:\\WINNT\\winlogon.exe -stealth"
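A defensive check built from the indicators above, as an added example that is not part of the original advisory or Central Command's tooling: it flags a Run value that launches winlogon.exe from the Windows directory, and executables sitting in directories with 'shar' in their name. The function names, the sample data and the default C:\WINNT path (taken from the registry value above) are assumptions; the genuine winlogon.exe resides in the System32 subdirectory.

```python
import ntpath  # Windows path rules, so the check also runs on a non-Windows analysis host

EXEC_EXTS = {".exe", ".scr", ".pif"}                    # extensions of the dropped copies
DECOY_EXTS = {".rtf", ".doc", ".txt", ".mp3", ".jpg"}   # inner "document" extensions in the list


def exe_path(command):
    """Extract the executable path from a Run-value command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    parts = command.split(None, 1)
    return parts[0] if parts else ""


def suspicious_run_values(run_values, windows_dir=r"C:\WINNT"):
    """Names of Run values that start winlogon.exe from the Windows directory.
    The genuine winlogon.exe lives in the System32 subdirectory."""
    fake = ntpath.normcase(ntpath.join(windows_dir, "winlogon.exe"))
    return [name for name, command in run_values.items()
            if ntpath.normcase(ntpath.normpath(exe_path(command))) == fake]


def suspicious_share_files(paths):
    """Flag executables inside any directory whose name contains 'shar'."""
    hits = []
    for path in paths:
        directory, filename = ntpath.split(path)
        stem, ext = ntpath.splitext(filename)
        in_share = any("shar" in part.lower() for part in directory.split("\\"))
        if in_share and ext.lower() in EXEC_EXTS:
            inner = ntpath.splitext(stem)[1].lower()
            hits.append((path, "double-extension" if inner in DECOY_EXTS else "executable"))
    return hits


# Constructed sample data (not taken from a real host).
SAMPLE_RUN = {"ICQ Net": r"C:\\WINNT\\winlogon.exe -stealth",
              "Updater": r'"C:\Program Files\Example\update.exe" /quiet'}
SAMPLE_FILES = [r"C:\My Shared Folder\Full album.mp3.pif",
                r"C:\My Shared Folder\Opera.exe",
                r"C:\My Shared Folder\notes.txt",
                r"C:\Documents\report.doc.exe"]

if __name__ == "__main__":
    print(suspicious_run_values(SAMPLE_RUN))
    for hit in suspicious_share_files(SAMPLE_FILES):
        print(hit)
```

On a live Windows host the Run values and file listing would come from the registry and a directory walk; here they are passed in as plain data so the logic can be reviewed offline.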