
Netsky Computer Virus

The twenty-seventh variation of the Netsky worm is loose. Netsky.ab is a mass-mailing worm that is 17,920 bytes in length. The worm harvests e-mail addresses from infected computers, then tries to connect to several domain addresses to send that information.

Interestingly, it also attempts to delete previous Bagle worm infections. Netsky does not affect Linux, Unix, or Mac OS users. Because this worm spreads via e-mail and attempts to delete information on infected computers.

How Netsky works

Netsky arrives as an e-mail with a spoofed return address, a blank subject line, and blank body text. The attached file has a .pif extension and uses variable names. If executed, Netsky.ab will add the following file to the Windows System folder: csrss.exe. It will also add the Registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run BagleAV = %Windows%\CSRSS.EXE

Netsky.ab will delete the following Registry items if the computer was previously infected with Bagle.z or Bagle.ab:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SSGRATE.EXE

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run DRVSYS.EXE

Netsky.ab contains the following message within its code: Hey Bagle, feel our revenge!
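
As an added example (not part of the original article or of any vendor tool), the Python code below checks the text output of the Windows reg query command for the Run entries described above: the BagleAV value and csrss.exe file name that Netsky.ab adds, and the Bagle.z/Bagle.ab items it deletes. The sample output is constructed, and the function and constant names are illustrative assumptions.

```python
import ntpath
import re

# Indicators from the write-up above, compared case-insensitively.
NETSKY_VALUE = "bagleav"                     # Run value Netsky.ab adds
NETSKY_FILE = "csrss.exe"                    # file name the worm drops
BAGLE_ITEMS = {"ssgrate.exe", "drvsys.exe"}  # Bagle.z / Bagle.ab Run items
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

def exe_name(data):
    """Base name of the program in a Run entry, without quotes or arguments."""
    data = data.strip()
    path = data[1:].split('"', 1)[0] if data.startswith('"') else data
    m = re.match(r"(?i).*?\.exe", path)
    return ntpath.basename(m.group(0) if m else path).lower()

def scan_run_keys(reg_query_text):
    """Return (family, key, value_name, data) for each suspicious Run entry."""
    hits, key = [], None
    for line in reg_query_text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()          # key header line of `reg query` output
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not key.lower().endswith(RUN_SUFFIX):
            continue
        name, _type, data = m.groups()
        exe = exe_name(data)
        # The genuine csrss.exe is a system process and is never started
        # from a Run key, so that file name here is itself a finding.
        if name.lower() == NETSKY_VALUE or exe == NETSKY_FILE:
            hits.append(("Netsky.ab", key, name, data))
        elif name.lower() in BAGLE_ITEMS or exe in BAGLE_ITEMS:
            hits.append(("Bagle.z/Bagle.ab", key, name, data))
    return hits

# Constructed sample in the layout printed by `reg query <key>`.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    BagleAV    REG_SZ    C:\WINDOWS\CSRSS.EXE
    Example Updater    REG_SZ    "C:\Program Files\Example\updater.exe" /quiet

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    drvsys.exe    REG_SZ    C:\WINDOWS\system32\drvsys.exe
"""

if __name__ == "__main__":
    for hit in scan_run_keys(SAMPLE):
        print(*hit, sep=" | ")
```

A Bagle hit with no Netsky hit points to a Bagle infection that Netsky.ab has not cleaned up; a Netsky hit means the removal steps below still apply.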

Netsky Prevention

This variation of Netsky does not rely upon a specific Microsoft vulnerability but on simple social engineering. Remember to never open attached e-mail files without first saving them to the hard drive and scanning for known viruses. The latest signature file from your antivirus vendor should protect you against this Netsky variation.

Netsky Removal

Download the remover vcleaner.exe from AVG:

http://files.grisoft.cz/softw/70/filedir/util/avg_rem_sup.dir/

Restart your computer in Safe mode and run the remover on the infected computer.

Note: Some viruses can interrupt the removal process. In that case, rename vcleaner.exe to a different .exe file name (e.g. something.exe), restart your computer in Safe mode (recommended), and run the remover on the infected computer.


Netsky in the News:

German authorities charged 18-year-old Jaschan with sabotage for allegedly creating the destructive "Sasser" computer worm and "Netsky" computer viruses, some of the most potent digital outbreaks to ever hit the Internet.  Following his arrest in May, the teenage computer wizard admitted to police he wrote the code for Sasser and more than two dozen Netsky viruses that wreaked havoc across the Internet during the first few months of 2004. September 2004.

POTTER mania is sweeping the world, and in tandem with it a virus purporting to offer Harry Potter games and goodies has been making its presence felt.  Called Netsky.P, it is a variant of the Netsky worm, the virus that was discovered in March.  It has been so aggressive that 14 per cent of all virus reports around the world in the last seven days have been attributed to it.  June 2004, Singapore.

Three arrests were made in Germany in connection with the Sasser and Phatbot/Gaobot worms, following information passed on to the police by community members. One of those arrested, a computer science student who turned 18 last month, has confessed to authoring the Sasser and Netsky-AC malicious code - May 2004, Berlin, Germany.

 

NetSky is Virus of the year for 2004

NETSKY virus hits internet

