Tools
NetSky.M
| ALIAS: | W32/Netsky.M, I-Worm.Netsky.m |
| SIZE: | 16896 |
Summary
Disinfection
Automatic Disinfection
Allow F-Secure Anti-Virus to disinfect the relevant files.
For more general information on disinfection, please see Removal Instructions.
Eliminating a Local Network Outbreak
If the infection is in a local network, please follow the instructions on this webpage:
Additional Details
This new variant is almost identical to Netsky.L, with some minor changes in the appearance of the emails in which it spreads.
It will create the following key to point to itself:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "9xHtProtect" = %sysdir%\AVprotect9x.exe
And create a mutex named "Rabbo_Mutex" so it's not run more than once.
Email Spreading
It will spread using any of the following subjects:
Re: <%s> Requested file Re: <%s> My file Re: <%s> My document Re: <%s> My information Re: <%s> My details Re: <%s> Information Re: <%s> Improved Re: <%s> Requested document Re: <%s> Document Re: <%s> Details Re: <%s> Your document Re: <%s> Your details Re: <%s> Approved
With message bodies from the list:
Details for %s. Document %s. I have received your document. The improved document %s is attached. I have attached your document %s. Your document %s is attached to this mail. Authentification for %s required. Requested file %s. See the file %s. Please read the important message msg_%s. Please confirm the document %s. %s is attached. Your file %s is attached. Please read the document %s. Your document %s is attached. Please read the attached file %s. Please see the attached file %s for details.
Where '%s' will be substituted by a text string.
And with attachment names from:
improved_%s message_%s detailed_%s your_document_%s word_doc_%s doc_%s articel_%s picture_%s file_%s your_file_%s details_%s document_%s
Where '%s' will be substituted by a text string.