Another Netsky variant discovered on March 10th 2004. It drops itself as AVprotect.exe to Windows directory.
If the infection is in a local network, please follow the instructions on this webpage:
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
This new variant is a stripped down version, just containing a minimum set of features and with no comments on the ongoing virus war.
It will create the following key to point to itself:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "HtProtect" = %sysdir%\AVprotect.exe
And create a mutex named "Rabbo" so it's not run more than once.
It will spread using any of the following subjects:
Re: Important Re: Your document Re: Your details Re: Approved
With message bodies from the list:
Your file is attached. Please read the document. Your document is attached. Please read the attached file. Please see the attached file for details.
And with attachment names from:
your_file_%s.pif details_%s.pif document_%s.pif
Where '%s' will be substituted by a text string.