Topic: Re: My Details ??

[DJ]

:hi:

I had 15 (yes 15) emails this morning from someone I don't know with the following heading..

Re: My Details

They also had the attachment my_details.pif but the firewall renamed this to my_details.pif.safe

I take it that its a virus? Just wondering which one.  

My AVG is bang up to date this morning - so I'll do a full virus scan to be sure I'm safe.

DJ

[Sandra]

Hi DJ, it looks like its the So Big virus at it again  

See here :

http://www.austincc.edu/andreac/SobigFvirus

[DJ]

Thanks.

I deleted them straight away - so hopefully it didn't have time to do any damage.

I did a full scan and it found a  I-Worm/Netsky.D virus in the D:\RECYCLED\DD1~1.SAF

It was unable to move or delete this file.

But looking in the D:\Recylced theres nothing there?  Is there fix to get rid of this virus?

DJ

[Clive]

It could also be W32/Netsky-D which came out today.  That could explain why your virus checker failed to pick it up DJ.


W32/Netsky-D
Aliases
W32/Netsky.c@MM
 
Type
Win32 worm
 
Sophos has received many reports of this worm from the wild.
 
 
Description
W32/Netsky-D is a worm that spreads via email.
W32/Netsky-D may arrive in an email with the following characteristics:
Subject line: chosen from -
Re: Approved
Re: Details
Re: Document
Re: Excel file
Re: Hello
Re: Here
Re: Here is the document
Re: Hi
Re: My details
Re: Re: Document
Re: Re: Message
Re: Re: Re: Your document
Re: Re: Thanks!
Re: Thanks!
Re: Word file
Re: Your archive
Re: Your bill
Re: Your details
Re: Your document
Re: Your letter
Re: Your music
Re: Your picture
Re: Your product
Re: Your software
Re: Your text
Re: Your website

Message text: chosen from -
Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.

Attached file: chosen from -
all_document.pif
application.pif
document.pif
document_4351.pif
document_excel.pif
document_full.pif
document_word.pif
message_details.pif
message_part2.pif
mp3music.pif
my_details.pif
your_archive.pif
your_bill.pif
your_details.pif
your_document.pif
your_file.pif
your_letter.pif
your_picture.pif
your_product.pif
your_text.pif
your_website.pif
yours.pif

When first run W32/Netsky-D creates the following registry entry, so that winlogon.exe is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ICQNet
= <WINDOWS>\winlogon.exe -stealth
 
 
Recovery
Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
ICQNet = <WINDOWS>\winlogon.exe -stealth

and delete it if it exists.

Close the registry editor.
 

[DJ]

Thanks Clive,

That key did exist in the registry so I deleted it.  Did another full AVG scan and now theirs no more viruses (or should that be viri??   )

Thanks again - I'm virus free - for now  

DJ

[Simon]

My Norton updated as soon as I logged on this afternoon, so I assume that must have been for Netsky-D.  More info, removal instructions (using Norton AV), and Registry Key info from here.

[TR]

For the last 2 days AVG has updated 2wice a day, must be some rum goings on out there in virus land  

[Clive]

You were very unlucky to get a dose of that before the antidote became available DJ.  But I suppose some people have to catch these viruses first so that the antivirus companies can work out a solution to protect the rest of us.  

[DJ]

But I suppose some people have to catch these viruses first so that the antivirus companies can work out a solution to protect the rest of us.  

At least I was useful for once!  

DJ

[Dogsbody]

Hi peeps
For the 1st time ever my Norton has kicked in saying I,ve been viried (is that a word, maybe it should be if it isn't) with Netsky, don't know whether I've been lucky over the last few years but now know AV is worth the cash. By the way this is one of the best sites I visit (even though I don't contribute much, could be cos i don't know a lot )but I will be watching and waiting for the day someone asks a question for which I know the answer  

[Simon]

There's plenty of other areas you could contribute to on the site, DB.  Many of us are by no means computer experts, but we still find something to say!  

[Adept]

Yesterday was a bad day for NetSky. At work we received at least 100 of the little buggers. Luckily our anti-virus caught them all.

All from people who can't be bothered to update their patches and A/V program I bet

[Camstop]

I got it last night too but with Nortons doing two auto-updates per day at the moment it was picked up for me to delete... 8)

And i just ran the fix tool from symantec just in case.

[Michelle]

Okay I'm confused now ............  


I've been updating and checkin like mad cos I'm being sent loads of viruses! But I was sure I'd not opened a thing.

Now AVG said it found one but it didn't remove it, its still on my drive ? Why didn't it remove it?

I saw something about how to remove something recently thought it was this thread ..  but anyway I didn't understand it all. (sob)

Or would it be cos I had unread emails and its there? oh no cos it wouldn't be on my drive then would it. (thicko_)

Oh and I still have ME I noticed something was different on the removal that someone gave.

I really must upgrade!!!

Please what do I do Guys ?  

[Lona]

I think this might be what your are looking for Michelle.

http://enterprisesecurity.symantec.com/article.cfm?articleid=2420