Yenra : Anti Virus : Netsky C Worm : New aggressive Internet worm attacking email users

Netsky C Worm

Every time we turn around, we hear about another variant of the My Doom Virus. Central Command today announced the discovery of Worm/Netsky.C. This new aggressive Internet worm is spreading globally with heavy concentrations initially in the United States.

"Netsky.C is the latest specimen out of the Netsky family of Internet worms," said Steven Sundermeier, Vice President of Products and Services at Central Command, Inc. "Due to the fast spreading nature of mass mailing worms, Netsky.C will once again plague email users worldwide. Email systems are the core function of communication between Internet enabled businesses and we are seeing a new pattern of extremely proficient virus writing successfully attacking this key component."

Central Command's Emergency Virus Response Team (EVRT) has updated Vexira Antivirus. The initial submissions indicate that Netsky.C has the potential to be another major outbreak. EVRT has already confirmed over 1500 infections of Worm/Netsky.C in fewer than 40 minutes of initial discovery.

Details of the Internet worm:

Worm/Netsky.C is an Internet worm that spreads through e-mail by using addresses it collects from files with certain file extensions. The extension listing is, *.msg *.oft *.sht *.dbx *.tbb *.adb *.doc *.wab *.asp *.uin * .rtf *.vbs *.html *.htm *.pl *.php *.txt *.eml.

Worm arrives through e-mail with one of the following observed subject lines:

Subject (one of the following):

   - believe me
   - i**egal...
   - Question
   - Fwd: lol
   - your job? (I found that!)
   - Re; hey
   - Status
   - lol
   - something for you
   - your name is wrong
   - private?
   - is that your TAN?
   - info
   - doc?
   - your personal record?
   - Re: doing it?
   - personal message!
   - Report

It will then copy itself in the \%windows%\ directory under the filename "winlogon.exe". Additionally, the following files are copied into directories with the word 'shar' in their name located on the infected system:

   - 1000 S*x and more.rtf.exe
   - 3D Studio Max 3dsmax.exe
   - ACDSee 9.exe
   - Adobe Photoshop 9 full.exe
   - Adobe Premiere 9.exe
   - Ahead Nero 7.exe
   - Best Matrix Screensaver.scr
   - Clone DVD 5.exe
   - Cracks & Warez Archive.exe
   - Dark Angels.pif
   - Dictionary English - France.doc.exe
   - DivX 7.0 final.exe
   - Doom 3 Beta.exe
   - E-Book Archive.rtf.exe
   - Full album.mp3.pif
   - Gimp 1.5 Full with Key.exe
   - How to hack.doc.exe
   - IE58.1 full setup.exe
   - Keygen 4 all appz.exe
   - Learn Programming.doc.exe
   - Lightwave SE Update.exe
   - Magix Video Deluxe 4.exe
   - Microsoft Office 2003 Crack.exe
   - Microsoft WinXP Crack.exe
   - MS Service Pack 5.exe
   - Norton Antivirus 2004.exe
   - Opera.exe
   - Partitionsmagic 9.0.exe
   - P**no Screensaver.scr
   - RFC Basics Full Edition.doc.exe
   - Screensaver.scr
   - Serials.txt.exe
   - Smashing the stack.rtf.exe
   - Star Office 8.exe
   - T**n P**n 16.jpg.pif
   - The Sims 3 crack.exe
   - Ulead Keygen.exe
   - Virii Sourcecode.scr
   - Visual Studio Net Crack.exe
   - Win Longhorn Beta.exe
   - WinAmp 12 full.exe
   - Windows Sourcecode.doc.exe
   - WinXP eBook.doc.exe
   - *** h**dc**e pic.jpg.exe

So that it gets run each time a user restart their computer the following registry key gets added:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "ICQ Net"="C:\\WINNT\\winlogon.exe -stealth"