Another Netsky variant discovered on March 10th 2004. It drops itself as AVprotect.exe to Windows directory.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
If the infection is in a local network, please follow the instructions on this webpage:
This new variant is a stripped down version, just containing a minimum set of features and with no comments on the ongoing virus war.
It will create the following key to point to itself:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "HtProtect" = %sysdir%\AVprotect.exe
And create a mutex named "Rabbo" so it's not run more than once.
It will spread using any of the following subjects:
Re: Important Re: Your document Re: Your details Re: Approved
With message bodies from the list:
Your file is attached. Please read the document. Your document is attached. Please read the attached file. Please see the attached file for details.
And with attachment names from:
your_file_%s.pif details_%s.pif document_%s.pif
Where '%s' will be substituted by a text string.
Date Created: -
Date Last Modified: -