F-Secure Virus Descriptions : Netav
NetAV is a worm that spreads in e-mail messages. E-mail
addresses are collected from the user's Address Book and from HTML
files located in the 'Temporary Internet Files' folder. Every
Tuesday the worm searches for *.DOC files in the 'My Documents'
folder and, if there are several files there, picks one at random
and sends it out. The worm does not spread on Tuesday; it only
sends *.DOC files out.
Every Thursday the worm regenerates the address list, which it
stores in the ICMAIL.DLL file in the Windows System directory.
This worm sends itself with the following subject lines:
Hello
For you
Try it
Re:
and the following bodies:
Hi
Here is what you asked, bye.
Hello
Maybe you could help me with this, bye.
Hello
Now you can try it, bye.
The following names are given to the worm's attachment:
HGAME.EXE
MININET.EXE
NETAV.EXE
The subject, body and attachment name are selected randomly from
the lists above.
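As an added illustration (not part of the original F-Secure description), the subject lines, message bodies and attachment names listed above can be checked together in a mail filter. The function names, the matching policy and the sample messages are assumptions constructed for this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the description above, lower-cased for comparison.
SUBJECTS = {"hello", "for you", "try it", "re:"}
BODY_LINES = {"here is what you asked, bye.",
              "maybe you could help me with this, bye.",
              "now you can try it, bye."}
ATTACHMENTS = {"hgame.exe", "mininet.exe", "netav.exe"}


def netav_indicators(raw: bytes) -> dict:
    """Report which of the three NetAV mail indicators a raw message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    names = {(p.get_filename() or "").strip().lower() for p in msg.iter_attachments()}
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    lines = {ln.strip().lower() for ln in text.splitlines()}
    return {"subject": subject in SUBJECTS,
            "body": bool(lines & BODY_LINES),
            "attachment": bool(names & ATTACHMENTS)}


def is_suspect(raw: bytes) -> bool:
    """Require the attachment name plus one text indicator (assumed policy).

    Subjects such as "Hello" or "Re:" are too common to act on alone.
    """
    hits = netav_indicators(raw)
    return hits["attachment"] and (hits["subject"] or hits["body"])


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Build a constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"], m["To"] = "a@example.invalid", "b@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    worm_like = build_sample("Try it", "Hello\nNow you can try it, bye.\n", "MININET.EXE")
    benign = build_sample("Hello", "Agenda attached.\n", "agenda.pdf")
    print(is_suspect(worm_like), is_suspect(benign))
```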
When the worm is first started it shows a fake error message:
"This file does not work on this system"
It then installs itself on the system. It copies itself to the
Windows System directory as the file 'NETAV.EXE' and adds the
path of that file to the System Registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NETAV Agent]
This way the worm starts during all Windows sessions. To
remove the worm it is enough to delete its file from the Windows
System folder.
Detection in F-Secure Anti-Virus was published on June 21st, 2002:
[FSAV_Database_Version]
Version=2002-06-21_02
[Analysis: Ero Carrera ; F-Secure Corp.; July 11th, 2002]