Disinfection instructions can be found here:
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.txt
System administrators who are using F-Secure Policy Manager
can distribute the tool as a JAR package automatically to all
workstations.
System administrators can download the JAR version from:
http://www.europe.f-secure.com/tools/f-netsky.jar
ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.jar
This new variant is a stripped-down version, containing only a minimum set of
features and no comments on the ongoing virus war.
It will create the following registry value, which points to its own file:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HtProtect" = %sysdir%\AVprotect.exe
It will also create a mutex named "Rabbo" so that it is not run more than once.
Email Spreading
It will spread using any of the following subjects:
Re: Important
Re: Your document
Re: Your details
Re: Approved
With message bodies from the list:
Your file is attached.
Please read the document.
Your document is attached.
Please read the attached file.
Please see the attached file for details.
And with attachment names from:
your_file_%s.pif
details_%s.pif
document_%s.pif
Where '%s' will be substituted by a text string.
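
The subjects, message bodies and attachment name templates listed above can be combined into a mail-filter check. The following is an added example, not F-Secure code: the function names, the sample messages and the rule "matching attachment name plus a matching subject or body" are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Indicators copied from the description above (compared case-insensitively).
SUBJECTS = {"re: important", "re: your document", "re: your details", "re: approved"}
BODIES = {
    "your file is attached.",
    "please read the document.",
    "your document is attached.",
    "please read the attached file.",
    "please see the attached file for details.",
}
# The '%s' part of the attachment templates is an arbitrary text string.
ATTACHMENT_RE = re.compile(r"^(your_file|details|document)_.*\.pif$", re.IGNORECASE)

def score_message(raw):
    """Return which of the three indicator groups a raw message matches."""
    msg = message_from_string(raw, policy=policy.default)
    hits = {"subject": False, "body": False, "attachments": []}
    hits["subject"] = (msg["Subject"] or "").strip().lower() in SUBJECTS
    for part in msg.walk():
        name = part.get_filename()
        if name:
            if ATTACHMENT_RE.match(name.strip()):
                hits["attachments"].append(name.strip())
        elif part.get_content_type() == "text/plain":
            if part.get_content().strip().lower() in BODIES:
                hits["body"] = True
    return hits

def is_suspect(raw):
    # Assumed policy: a matching attachment name plus a matching subject or body.
    hits = score_message(raw)
    return bool(hits["attachments"]) and (hits["subject"] or hits["body"])

def build_sample(subject, body, filename):
    """Build a constructed test message; the attachment bytes are a placeholder."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()
```

Requiring two indicator groups keeps an ordinary "Re: Approved" reply with a harmless attachment from being flagged on the subject line alone.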
Detection for this malware was published on March 10th, 2004
in the following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2004-03-10_03
Technical Details:
Ero Carrera, March 10th, 2004;
Description Updated:
Alexey Podrezov, March 18th, 2004;
F-Secure Corporation