Net Sky Worm Virus - Yenra

W32/Netsky.b@MM Worm

Don't trust anyone. This virus is couched in phrases that are designed to trick you. Network Associates today announced that McAfee AVERT (Anti-Virus Emergency Response Team), the world-class anti-virus research division of Network Associates, assigned a Medium risk assessment to the recently discovered W32/Netsky.b@MM, also known as Netsky.b. Netsky.b is a destructive worm that spreads via email, sending itself to addresses found on the victim's machine. The worm was first seen by McAfee AVERT researchers earlier today. To date, McAfee AVERT is receiving 40-50 samples an hour from both real customer submissions and virus-generated mail. In total, McAfee AVERT has seen close to 200 samples from customers around the world, with a large proportion of them coming from the Netherlands.

Net Sky Virus Symptoms

Netsky.b is an Internet worm that, once activated, emails itself to addresses found on the victim's machine. The worm copies itself to folders on drives C: through Z: whose names include the words 'shared' or 'sharing', presumably to achieve P2P propagation. The attachment may have a double extension such as .rtf.pif and may be contained in a .ZIP file. Users should immediately delete any email with the following:

Message body (composed from the following strings):

  -- I have your password!
  -- about me
  -- anything ok?
  -- do you?
  -- from the chatter
  -- greetings
  -- hello
  -- here
  -- here is the document.
  -- here it is
  -- here, the cheats
  -- here, the introduction
  -- here, the serials
  -- hi
  -- i found this document about you
  -- i hope it is not true!
  -- i wait for a reply!
  -- i'm waiting
  -- information about you
  -- is that from you?
  -- is that true?
  -- is that your account?
  -- is that your name?
  -- kill the writer of this document!
  -- my hero
  -- ok
  -- read it immediately!
  -- read the details.
  -- reply
  -- see you
  -- something about you!
  -- something is fool
  -- something is going wrong
  -- something is going wrong!
  -- stuff about you?
  -- take it easy
  -- that is bad
  -- that's funny
  -- thats wrong why?
  -- what does it mean?
  -- yes, really?
  -- you are a bad writer
  -- you are bad
  -- you earn money
  -- you feel the same
  -- you try to steal
  -- your name is wrong
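
The double-extension attachment described above (such as .rtf.pif, possibly wrapped in a .ZIP file) can be checked for mechanically at a mail gateway. The following is an added example, not part of the original advisory or any McAfee tooling; the function names are hypothetical, and the set of executable extensions beyond .pif is an assumption.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: final extensions treated as executable; only .pif is named in the advisory.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe", ".com", ".bat", ".cmd"}


def is_double_extension(name):
    """True for names like 'document.rtf.pif': a decoy extension, then an executable one."""
    base = name.lower().replace("\\", "/").rsplit("/", 1)[-1]  # drop any ZIP member path
    parts = base.rsplit(".", 2)
    return len(parts) == 3 and "." + parts[2] in EXECUTABLE_EXTS


def suspicious_attachments(raw_message):
    """Return names of attachments, or members of ZIP attachments, with a double extension."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_double_extension(name):
            hits.append(name)
        elif name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    hits += [f"{name}!{m}" for m in zf.namelist() if is_double_extension(m)]
            except zipfile.BadZipFile:
                hits.append(f"{name}!<unreadable zip>")  # cannot inspect: flag for review
    return hits


def build_sample(filename, payload):
    """Constructed test message; the payload is harmless placeholder bytes."""
    msg = EmailMessage()
    msg["Subject"] = "hello"
    msg.set_content("here is the document.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def zip_with(member):
    """Constructed in-memory ZIP holding one placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder")
    return buf.getvalue()
```
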

What it Does

After being executed, the Net Sky Worm Virus emails itself out as an attachment with a randomly chosen filename. The worm then copies itself into %windir% with the filename SERVICES.EXE. To activate at system start-up, the worm adds the value "service" = C:\WINNT\services.exe -serv under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. McAfee AVERT researchers believe the worm may attempt to clean up the MyDoom backdoor by deleting the registry keys that load it at system start-up.

How to Cure It

Immediate information and cure for this virus can be found online at the Network Associates McAfee AVERT site (now McAfee Threat Center). Users of McAfee Security anti-virus products should update their systems from that page and use the 4325 or later scanning engine to stop potential damage.