ATENTIE !!! Win32.Netsky.B@mm

Name: Win32.Netsky.B@mm
Aliases: W32/Netsky-B
Type: Executable Mass Mailer  
Size: 22,016 bytes (packed)
Discovered: 18.02.2004
Detected: 18.02.2004
Spreading: Low
Damage: Low
In The Wild: Yes

Symptoms:
- Presence of the following file in Windows directory (%WINDIR%):
services.exe

- Presence of the following registry key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRunservice = %WINDIR%services.exe



Technical description:
This mass mailer comes in the following e-mail format:

Subject - randomly chosen from the following strings:
"hello"
"read it immediately"
"something for you"
"warning"
"information"
"stolen"
"fake"
"unknown"

Message body - randomly chosen from the following strings:
"anything ok?"
"what does it mean?"
"ok"
"i'm waiting"
"read the details."
"here is the document."
"read it immediately!"
"my hero"
"here"
"is that true?"
"is that your name?"
"is that your account?"
"i wait for a reply!"
"is that from you?"
"you are a bad writer"
"I have your password!"
"something about you!"
"kill the writer of this document!"
"i hope it is not true!"
"your name is wrong"
"i found this document about you"
"yes, really?"
"that is bad"
"here it is"
"see you"
"greetings"
"stuff about you?"
"something is going wrong!"
"information about you"
"about me"
"from the chatter"
"here, the serials"
"here, the introduction"
"here, the cheats"
"that's funny"
"do you?"
"reply"
"take it easy"
"why?"
"thats wrong"
"misc"
"you earn money"
"you feel the same"
"you try to steal"
"you are bad"
"something is going wrong"
"something is fool"

Attached file name - randomly chosen from the following strings:
"document"
"msg"
"doc"
"talk"
"message"
"creditcard"
"details"
"attachment"
"me"
"stuff"
"posting"
"textfile"
"concert"
"information"
"note"
"bill"
"swimmingpool"
"product"
"topseller"
"ps"
"shower"
"aboutyou"
"nomoney"
"found"
"story"
"mails"
"website"
"friend"
"jokes"
"location"
"final"
"release"
"dinner"
"ranking"
"object"
"mail2"
"part2"
"disco"
"party"
"misc"
"#n#o#t#n#e#t#s#k#y#-#s#k#y#n#e#t#!"

Attached file extensions - randomly chosen from the following strings:
".exe"
".scr"
".com"
".pif"
".txt"
".rtf"
".doc"
".htm"

When the user double-clicks the attachement, the worm copies itself as
%WINDIR%services.exe
and adds the following registry key:
HKLMSoftwareMicrosoftWindowsCurrentVersionRunservice = %WINDIR%services.exe,
so it will be automatically executed each time windows starts up.

It then searches the files in the infected computer for e-mail addresses and sends itself to that addresses.
While searching, it tries to copy itself in each directory whose name contains the strings
Share or Sharing, with one of the following names:
'doom2.doc.pif'
'sex sex sex sex.doc.exe'
'rfc compilation.doc.exe'
'dictionary.doc.exe'
'win longhorn.doc.exe'
'e.book.doc.exe'
'programming basics.doc.exe'
'how to hack.doc.exe'
'max payne 2.crack.exe'
'e-book.archive.doc.exe'
'virii.scr'
'nero.7.exe'
'cool screensaver.scr'
'serial.txt.exe'
'office_crack.exe'
'hardcore porn.jpg.exe'
'angels.pif'
'porno.scr'
'matrix.scr'
'photoshop 9 crack.exe'
'strippoker.exe'
'dolly_buster.jpg.pif'
'winxp_crack.exe'



Removal instructions:
Let BitDefender delete all the infected files.



Removal tool:

"http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=194#"

Virus analyzed by:
Adrian Gostin
BitDefender Virus Researcher

Nu v-as fi stresat daca nu imi dadea gres NAV -ul in ceea ce priveste detectarea acestuia.
Asa ca am luat un tool de la Bitdefender si l-am scos
E foarte periculos.


PS:Nu fac reclama la BitDefender. Pe ansamblu am o parere foarte proasta despre el - genereaza 1 milion de incompatibilitati, etc,. Eu sunt fan Norton Antivirus, dar de data asta se pare ca Symantec s-a miscat mai greu. Daca va continua asa voi renunta la el.

Autoupdate si s-a rezolvat cu Norton Antivirus!
Virusul a aparut pe 18 februarie si de atunci am tot primit update-uri la fiecare 24 de ore. De obicei, Norton Antivirus se actualizeaza in medie o data pe saptamina. Eu sint multumit de NAV.

Mie mi-au sosit azi doua mail-uri infectate cu acest virus - de la @expotek.ro si @romatsa.ro. NAV le-a detectat imediat si le-a sters. Din pacate, se pare ca multe calculatoare din Romania au fost deja infectate.

Asa e acum. Faza este ca virusul a inceput sa se raspandeasca pe la prinz si Symantecul abia pe la ora 21:30 a reusit sa puna la punct antidotul. In schimb cei de la Bitdefender au scos un tool in cateva ore.
Ei, inchipuieti cum m-am simtit eu dupa ce am luptat cu conducerea sa investeasca cateva mii de dolari intr-un antivirus produs de o firma (Symantec) care n-a reusit sa puna la punct un tool aproape o jumatate de zi, in timp ce concurenta  - Bitdefender , pe care eu am desfiintat-o in toate rapoartele facute catre superiori (si al carei cost de licenta pe bucata era la jumatate) a reusit sa faca ce trebuia sa faca Symantec.
Si eu sunt fan NAV, dovada ca imediat ce a trecut faza asta am dezinstalat Bitdefender-ul pentru abia imi mai caraia laptop-ul si asteptam 10 minute sa se incarce outlook-ul.
Ar trebui sa fie si ei mai operativi (Symantec) ca d-aia costa o licenta aproape cat un microprocesor   :cool:    

am primit la lucru vreo 5 mesaje infectate cu netsky... NAV le-a sters  pe toate

iata aici si aici confirmarea ca BD-ul are cea mai rapida viteza de reactie...