Asp read file

With a name that sounds a bit like "pesky", a new virus is proving to be more than just a pest for Windows and peer-to-peer filter sharing application users around the world.

W32/Netsky.B-mm, also known as I-worm.Moodown.b, was discovered on Wednesday Feb 18th, and like Bagle.B the day before, spread rapidly. Initially affecting Japan and Germany, it had spread world wide by Thursday. According to TrendMicro's figures, by 5pm (EST) Thursday Netsky.b was in the top 10 viruses on every continent except Australia. Netsky.B spreads through both email, and peer to peer file-sharing. It will infect mapped network drives, but does not scan for open shared drives. Symantec raised its severity rating to a 4 (of 5) on Thursday as well. By midday Friday, e-mail security company MessageLabs reported intercepting 300,000+ copies of Netsky.B, making it their top threat of the day. The virus was first captured by MessageLabs on Tuesday and originated in New Zealand.

The virus infects standalone machines when an infected e-mail attachment or shared file is run. It affects Windows 9x/Me/NT/2000/XP systems The worm does not have any vulnerability exploits, and cannot automatically run and infect. If you use peer-to-peer file-sharing networks, you should get the latest updates to your antivirus program, and not run or open any files you're not familiar with. See below for a list of files that have been found to be copies of the virus.

The Netsky.b infected email message arrives with a spoofed "From" address, harvested from another infected user's PC, and could appear to be from someone you know. The subject is randomly selected from the following:

fake hello hi information read it immediately something for you stolen unknown warning

The body of the message randomly contains one of the following: about me anything ok? do you? from the chatter greetings here here is the document. here it is here, the cheats here, the introduction here, the serials i found this document about you I have your password! i hope it is not true! i wait for a reply! i'm waiting information about you is that from you? is that true? is that your account? is that your name? kill the writer of this document! misc my hero ok read it immediately! read the details. reply see you something about you! something is fool something is going wrong something is going wrong! stuff about you? take it easy that is bad that's funny thats wrong what does it mean? why? yes, really? you are a bad writer you are bad you earn money you feel the same you try to steal your name is wrong

Netsky.B includes a double extension attachment, that according to Symantec, is named one of the following approximately 50% of the time:

document msg doc talk message creditcard details attachment me stuff posting textfile concert information note bill swimmingpool product topseller ps shower aboutyou nomoney found story mails website friend jokes location final release dinner ranking object mail2 part2 disco party misc

The attachment may have one of the following as the first extension, .txt, .rtf, .htm, or.doc, and the executable second extension will be .exe, .com, .scr, or .pif.

When Netsky.B starts, it first checks for a Mutex "AdmSkynetJklS003", which it uses to detect if the virus is already running. If it's not, the virus executes. When Netsky.b runs the first time, it displays a bogus error message "The file could not be opened!". It puts a copy of itself into the main Windows folder (either C:\windows or C:\winnt) with the file name "services.exe", and adds the following registry key and value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "service" = "%Windir%\services.exe -serv"

According to McAfee, it may also add the value Services.exe to the key:

HKEY_CURRENT_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

This allows Netsky.B to run every time the system is started. The "–serv" switch tells the virus not to display the fake error message again. It then attempts to remove any infections of MyDoom.A, MyDoom.B and Mimail.T, by deleting files and registry entries associated with these viruses. Netsky.b then searches the victim's hard drive for files with the extensions msg, .oft, .sht, .dbx, .tbb, .adb, .doc, .wab, .asp, .uin, .rtf, .vbs, .html, .htm, .pl, .php, .txt or .eml. and extracts e-mail addresses. Netsky uses its own SMTP engine to send copies of itself to the names found on the victim's machine, and uses the subject and message content noted above.

It then searches drives C: through Z: looking for folders with names containing "Share" or "Sharing" that are associated with file-sharing services such as Kazaa. Once found, it puts copies of itself in the folder and sub folders using the following names that entice unsuspecting file swappers to open.

angels.pif cool screensaver.scr dictionary.doc.exe dolly_buster.jpg.pif doom2.doc.pif e.book.doc.exe e-book.archive.doc.exe eminem - lick my pussy.mp3.pif hardcore porn.jpg.exe matrix.scr max payne 2.crack.exe nero.7.exe how to hack.doc.exe office_crack.exe photoshop 9 crack.exe porno.scr programming basics.doc.exe rfc compilation.doc.exe serial.txt.exe sex sex sex sex.doc.exe strippoker.exe virii.scr win longhorn.doc.exe winxp_crack.exe

According to Kaspersky, Netsky.b also makes a number of copies of itself with a .ZIP extension and the following names:

document msg doc talk message creditcard details attachment me stuff posting textfile concert information note bill swimmingpool product topseller ps shower Aboutyou nomoney found story mails website friend jokes location final release dinner ranking object mail2 part2 disco party misc #n#o#t#n#e#t#s#k#y#-#s#k#y#n#e#t#!

Fact File

Virus name: W32/Netsky.B-mm, W32.Netsky.b@mm, I-worm.Moodown.b, moodown.b, W32/Netsky@mm Type of virus: Windows 32 executable Executable size: 22,016 bytes Date Discovered: February 18th, 2004 Systems affected: Windows 9x/me/NT/2000/XP Systems not affected: DOS, Windows 3.x, Linux, Mac, OS/2, Unix Message parameters (listed above)

Preventing and removing W32/Netsky.B-mm

Preventing Netsky.B infection is simple—don't open attachments on e-mail, and be very careful of files swapped on file-sharing services. All antivirus vendors have new pattern files that detect the virus, so get your AV program updated ASAP.

Removing W32/Netsky.B is easiest using an antivirus program, or you can download a removal program from Symantec, or use online scanning utilities from Trendmicro, Mcafee Stinger or Panda Software.

To remove W32/Netsky.b-mm manually,

1. Disable System Restore if you're using Windows ME or XP. When you make changes to your system, Windows does a restoration checkpoint. If it does this while the system is infected, it may come back to re-infect later.

2. Restart the computer in Safe Mode. Since W32/Netsky.B creates running processes, and Windows doesn't allow you to delete files connected with running processes, restarting is necessary. Using Safe mode prevents Windows from loading drivers and auto run entries so your system boots relatively clean.

3. Run a full system scan with an updated Antivirus scanner (or one of online scanners mentioned above). If your scanner gives you the option, also scan mapped drives to find any copies left in Shared folders. If your scanner does not remove everything, follow the next few steps.

4. Your antivirus software should, during detection, produce a list of files associated with the Netsky.B or Moodoom.b virus (depends on scanner). Delete all these files. The files will typically be in the Windows system folder, the location of which depends on which version of Windows you're running. You will also have to delete any files in the Shared folders on mapped drives.

5. IMPORTANT: Delete the services.exe file from the Windows folder only (C:\Windows or C:\Winnt). DO NOT DELETE SERVICES.EXE from the Windows\System folder (C:\Windows\system, C:\windows\system32, or C:\Winnt\system32) , THIS IS A LEGITIMATE WINDOWS FILE.

6. Make a backup of the registry [[Link: http://support.microsoft.com/default.aspx?scid=kb;en-us;322756 ]] before you edit. Delete the Run entries associated with Netsky.B from the registry. These will be either flagged by the antivirus program, or you can go directly to the keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

and delete the value:

"service" = "%Windir%\services.exe -serv"

Also delete this key if it exists: