Latest Virus - W32/Netsky.d@mm

I have received several instances of this new virus. Here's some info from www.symantec.com about it.

W32.Netsky.D@mm
Discovered on: March 01, 2004
Last Updated on: March 02, 2004 04:41:18 PM

Due to an increased rate of submissions, Symantec Security Response has upgraded W32.Netsky.D@mm from a Category 3 to a Category 4 as of March 1, 2004.

W32.Netsky.D@mm is a mass-mailing worm that is a variant of W32.Netsky.C@mm. The worm scans drives C through Z for email addresses and sends itself to those that are found. The Subject, Body, and Attachment names vary. The attachment will have a .pif file extension.

Also Known As: WORM_NETSKY.D [Trend], W32/Netsky.d@MM [McAfee], W32/Netsky.D.worm [Panda], W32/Netsky-D [Sophos], Win32.Netsky.D [Computer Associates], I-Worm.Netsky.d [Kaspersky]
Variants: W32.Netsky.C@mm, W32.Netsky.gen@mm
Type: Worm
Infection Length: 17,424 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows XP
Systems Not Affected: Linux, Macintosh, UNIX, Windows 3.x

Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: Low
Threat containment: Easy
Removal: Moderate

Damage
  Payload Trigger: n/a
  Payload: n/a
  Large scale e-mailing: Sends itself to email addresses retrieved from file system.
  Deletes files: n/a
  Modifies files: n/a
  Degrades performance: n/a
  Causes system instability: n/a
  Releases confidential info: n/a
  Compromises security settings: n/a

Distribution
  Subject of email: Varies
  Name of attachment: Varies with .pif file extension.
  Size of attachment: 17,424 bytes
  Time stamp of attachment: n/a
  Ports: n/a
  Shared drives: n/a
  Target of infection: n/a

When W32.Netsky.D@mm is executed, it performs the following actions:

Creates a mutex named "[SkyNet.cz]SystemsMutex." This mutex allows only one instance of the worm to execute.

Copies itself as %Windir%\winlogon.exe.

Note: %Windir% is a variable.
The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

Adds the value:
  "ICQ Net" = "%Windir%\winlogon.exe -stealth"
to the registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs when you start Windows.

Deletes the values:
  Taskmon
  Explorer
  Windows Services Host
  KasperskyAV
from the registry keys:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Notes: Some of these registry key values are typically associated with the worms W32.Mydoom.A@mm and W32.Mydoom.B@mm. The W32.Mimail.T@mm worm may add the registry key value "KasperskyAV."

Deletes the values:
  System.
  msgsvr32
  DELETE ME
  service
  Sentry
from the registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Deletes the values:
  d3dupdate.exe
  au.exe
  OLE
from the registry key:
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Deletes the value:
  System.
from the registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Deletes the registry keys:
  HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WksPatch

Note: The worms W32.Mydoom.A@mm and W32.Mydoom.B@mm add a value to the first key, so that explorer.exe loads their backdoor components.

If it is between 6:00am and 9:00am on Tuesday, March 2, 2004, the PC speaker will beep in a continuous loop. Each beep will be for a random period of time, at a random frequency.
Scans the following file types on drives C through Z for email addresses:
  .dhtm .cgi .shtm .msg .oft .sht .dbx .tbb .adb .doc .wab .asp .uin .rtf .vbs .html .htm .pl .php .txt .eml

Uses its own SMTP engine to send itself to the email addresses it found above, sending to each address once. The worm uses the local DNS server (retrieved via an API), if available, to perform an MX lookup for the recipient address. If the local DNS fails, it will perform the lookup from a list of hard-coded DNS servers.

The email has the following characteristics:

From:

Subject: (One of the following)
  Re: Your website
  Re: Your product
  Re: Your letter
  Re: Your archive
  Re: Your text
  Re: Your bill
  Re: Your details
  Re: My details
  Re: Word file
  Re: Excel file
  Re: Details
  Re: Approved
  Re: Your software
  Re: Your music
  Re: Here
  Re: Re: Re: Your document
  Re: Hello
  Re: Hi
  Re: Re: Message
  Re: Your picture
  Re: Here is the document
  Re: Your document
  Re: Thanks!
  Re: Re: Thanks!
  Re: Re: Document
  Re: Document

Body: (One of the following)
  Your file is attached.
  Please read the attached file.
  Please have a look at the attached file.
  See the attached file for details.
  Here is the file.
  Your document is attached.
Attachment: (One of the following)
  your_website.pif
  your_product.pif
  your_letter.pif
  your_archive.pif
  your_text.pif
  your_bill.pif
  your_details.pif
  document_word.pif
  document_excel.pif
  my_details.pif
  all_document.pif
  application.pif
  mp3music.pif
  yours.pif
  document_4351.pif
  your_file.pif
  message_details.pif
  your_picture.pif
  document_full.pif
  message_part2.pif
  document.pif
  your_document.pif

The worm avoids sending email to addresses containing the following strings:
  skynet
  messagelabs
  abuse
  fbi
  orton
  f-pro
  aspersky
  cafee
  orman
  itdefender
  f-secur
  avp
  spam
  ymantec
  antivi
  icrosoft
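A mail-gateway style check that turns the message indicators from the Symantec write-up (fixed subject lines, body lines, attachment names, the .pif extension and the 17,424-byte length) into a quarantine rule. This is an added example, not code from the write-up or the original post; the Message structure and the sample messages are constructed, and the indicator sets below are a representative subset of the full lists given above.

```python
from dataclasses import dataclass
from typing import List, Optional

# Indicators taken from the write-up above (representative subset of the
# subject / body / attachment-name lists; the full lists are in the post).
NETSKY_D_LENGTH = 17424
NETSKY_D_SUBJECTS = {"re: your website", "re: your document", "re: details",
                     "re: document", "re: hello", "re: thanks!", "re: your bill"}
NETSKY_D_BODIES = {"your file is attached.", "please read the attached file.",
                   "see the attached file for details.", "here is the file.",
                   "your document is attached."}
NETSKY_D_ATTACHMENTS = {"your_website.pif", "document.pif", "your_document.pif",
                        "document_4351.pif", "application.pif", "mp3music.pif"}

@dataclass
class Message:              # constructed stand-in for a parsed inbound mail
    subject: str
    body: str
    attachment: Optional[str]   # attachment file name, None if there is none
    attachment_size: int = 0    # size in bytes

def netsky_d_indicators(msg: Message) -> List[str]:
    """Return the Netsky.D indicators a message matches (empty list = none)."""
    hits: List[str] = []
    if msg.attachment is None:
        return hits                     # the worm always ships an attachment
    name = msg.attachment.lower()
    if name.endswith(".pif"):
        hits.append("pif_attachment")
    if name in NETSKY_D_ATTACHMENTS:
        hits.append("known_attachment_name")
    if msg.attachment_size == NETSKY_D_LENGTH:
        hits.append("known_length")
    if msg.subject.strip().lower() in NETSKY_D_SUBJECTS:
        hits.append("known_subject")
    if msg.body.strip().lower() in NETSKY_D_BODIES:
        hits.append("known_body")
    return hits

def is_probable_netsky_d(msg: Message) -> bool:
    """Quarantine rule: a .pif attachment plus at least two further indicators,
    so a legitimate 'Re: Details' mail with a spreadsheet is not dropped."""
    hits = netsky_d_indicators(msg)
    return "pif_attachment" in hits and len(hits) >= 3

SAMPLES = [  # constructed sample messages, not captured traffic
    Message("Re: Your document", "Your file is attached.", "your_document.pif", 17424),
    Message("Re: Details", "Here are the numbers you asked for.", "q1.xlsx", 30500),
    Message("Re: Hello", "See the attached file for details.", "photo.pif", 17424),
]

if __name__ == "__main__":
    for m in SAMPLES:
        verdict = "QUARANTINE" if is_probable_netsky_d(m) else "pass"
        print(f"{m.subject!r:22} -> {verdict:10} {netsky_d_indicators(m)}")
```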