Another Netsky variant discovered on March 10th 2004. It drops itself as AVprotect.exe to Windows directory.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note You need administrative rights to change the settings.
This new variant is a stripped down version, just containing a minimum set of features and with no comments on the ongoing virus war.
It will create the following key to point to itself:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "HtProtect" = %sysdir%\AVprotect.exe
And create a mutex named "Rabbo" so it's not run more than once.
It will spread using any of the following subjects:
Re: Important Re: Your document Re: Your details Re: Approved
With message bodies from the list:
Your file is attached. Please read the document. Your document is attached. Please read the attached file. Please see the attached file for details.
And with attachment names from:
your_file_%s.pif details_%s.pif document_%s.pif
Where '%s' will be substituted by a text string.