Old 04-19-2004, 02:04 PM   #1
Jeff aka NIGHTfall
Confirmed User
 
Join Date: Oct 2003
Location: Port St. Lucie, Florida
Posts: 5,162
Netsky Worm Fix!!

THE FIX IS HERE

Please download and scan your computer even if you do not think you are infected; many people are and never had a clue, many of us GFY members and other forum surfers.



Quote:
Name: Win32.Netsky.D@mm
Aliases: W32/Netsky.d@MM
Type: Mass Mailer
Size: 17424 bytes (packed)
Detected: 1. March 2004
In the wild: Yes


Symptoms
Presence of the following file in the Windows directory (%WINDIR%):
winlogon.exe

Presence of the following entry in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key:
ICQ Net = winlogon.exe -stealth


Technical description
This variant of the NetSky worm (.D) spreads only via e-mail (in contrast
with previous versions, which spread through some P2P applications as well),
sending itself to e-mail addresses found in the infected computer.

The worm arrives in the following e-mail format:

Subject - randomly chosen from the following strings:
Re: Re: Document
Re: Re: Thanks!
Re: Thanks!
Re: Your document
Re: Here is the document
Re: Your picture
Re: Re: Message
Re: Hi
Re: Hello
Re: Re: Re: Your document
Re: Here
Re: Your music
Re: Your software
Re: Approved
Re: Details
Re: Excel file
Re: Word file
Re: My details
Re: Your details
Re: Your bill
Re: Your text
Re: Your archive
Re: Your letter
Re: Your product
Re: Your website

Body - randomly chosen from the following strings:
Your document is attached.
Here is the file.
See the attached file for details.
Please have a look at the attached file.
Please read the attached file.
Your file is attached.

Attached filename (and extension) - randomly chosen from the following strings:
your_document.pif
your_document.pif
document.pif
message_part2.pif
your_document.pif
document_full.pif
your_picture.pif
message_details.pif
your_file.pif
your_picture.pif
document_4351.pif
yours.pif
mp3music.pif
application.pif
all_document.pif
my_details.pif
document_excel.pif
document_word.pif
my_details.pif
your_details.pif
your_bill.pif
your_text.pif
your_archive.pif
your_letter.pif
your_product.pif
your_website.pif

When the user double-clicks the e-mail attachment, the worm does the following:

- copies itself to the Windows directory (%WINDIR%) as winlogon.exe;

- adds the following entry to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run
registry key:
ICQ net = winlogon.exe -stealth,
(so it will be executed each time Windows starts up);

- disables some antivirus software and other known worms (such as Win32.Mydoom.A@mm
and Win32.Mydoom.B@mm) by deleting relevant registry keys;

- scans the infected computers for e-mail addresses in files whose extension
is one of the following:
.eml
.txt
.php
.pl
.htm
.html
.vbs
.rtf
.uin
.asp
.wab
.doc
.adb
.tbb
.dbx
.sht
.oft
.msg
.shtm
.cgi
.dhtm

- creates and sends e-mails to these addresses with the above described format;

- On 01 Mar. 2004, between 6:00 and 9:00 am (local time, not GMT) the worm
generates in the computer's speaker sounds with random tones and durations.


This variant (.D) uses an improved routine for sending itself through
e-mail, allowing it to be sent several times faster than previous
variants (.A - .C).

The worm avoids sending itself to addresses containing at least one of
the following strings:
icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abuse
messagelabs
skynet
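A mail-side and host-side check built from the indicators in the description quoted in post #1, as an added example that is not part of the original thread or of any vendor's tool. The function names, the trait labels and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Body lines copied from the description quoted in post #1 (lower-cased).
BODIES = {
    "your document is attached.", "here is the file.",
    "see the attached file for details.",
    "please have a look at the attached file.",
    "please read the attached file.", "your file is attached.",
}


def score_message(raw):
    """Return the Netsky.D traits found in one raw e-mail message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").lower().startswith("re:"):
        hits.append("reply-style subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() in BODIES:
        hits.append("known body line")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".pif"):  # every attachment name listed ends in .pif
            hits.append("pif attachment: " + name)
    return hits


def check_run_key(values):
    """values maps Run-key value names to their data; return matching names."""
    bad = []
    for name, data in values.items():
        cmd = data.strip().strip('"').lower()
        # The genuine winlogon.exe lives in System32 and is not started from Run.
        if name.lower() == "icq net" or (cmd.startswith("winlogon.exe") and "-stealth" in cmd):
            bad.append(name)
    return bad


def sample_message():
    """Constructed message in the format described; payload is inert text."""
    m = EmailMessage()
    m["From"], m["To"] = "alice@example.com", "bob@example.com"
    m["Subject"] = "Re: Your bill"
    m.set_content("Please read the attached file.")
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename="your_bill.pif")
    return m.as_bytes()
```

A reply-style subject on its own is ordinary mail; treat a message as suspect only when the `.pif` attachment trait appears together with another one.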
Old 04-19-2004, 02:21 PM   #2
SlickCash Brock
Confirmed User
 
Join Date: Apr 2004
Location: Toronto
Posts: 935
I have had a problem before with removal tools and Windows XP Pro. You may have to turn off your System Restore. XP tends to back up the virus and it reinstalls itself on boot up.
Old 04-19-2004, 11:11 PM   #3
mammy
Confirmed User
 
Join Date: Jun 2003
Posts: 2,279
thanx for the link checking now
i had other worm attack on weekend
lost os and all soft
Old 04-19-2004, 11:11 PM   #4
matty
Mining for Porn!
 
Join Date: Aug 2002
Location: New Haven CT
Posts: 1,328
thanks man, i didn't have it though
Old 04-20-2004, 03:08 PM   #5
Doctor Dre
Too lazy to set a custom title
 
Join Date: Jan 2001
Posts: 51,692
Scanning right now
Old 04-20-2004, 03:12 PM   #6
Tala
Fucked if I know
 
Join Date: Dec 2002
Location: Do you have a flag?
Posts: 23,368
Did this yesterday when I found the thread. Thanks Jeff.
Old 04-21-2004, 10:43 AM   #7
Jeff aka NIGHTfall
Confirmed User
 
Join Date: Oct 2003
Location: Port St. Lucie, Florida
Posts: 5,162
np hun
Old 04-21-2004, 11:04 AM   #8
Sosa
In Tushy Land
 
 
Join Date: Oct 2002
Location: Nebraska
Posts: 40,149
I was actually just removing this virus from a computer.
Nice link