Aliases
Win32/Netsky.P, WORM_NETSKY.GEN
Type
Win32 worm
Description
W32/Netsky-O is a worm that spreads via email.
In order to run automatically when Windors boots up the worm copies itself to the file AVBgle.exe in the Windows folder and sets the following registry entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MsInfo
= C:\Windows\AVBgle.exe.
The worm attempts to disable various anti-virus and security-related applications by deleting registry entries used by them.
In particular it attempts to delete entries below
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
for Taskmon, Explorer, KasperskyAv, system., msgsvr32, DELETE ME,
service, Sentry, Windows Service Host
and below HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
for Taskmon, Explorer, KasperskyAv, d3dupdate.exe, au.exe, OLE,
Windows Service Host, gouday.exe, rate.exe, sysmon.exe, srate.exe
and ssate.exe.
More: http://www.sophos.com/virusinfo/analyses/w32netskyo.html
Date Discovered: 3/17/2004
Date Added: 3/17/2004
Origin: Unknown
Length: 16,384 bytes
Type: Virus
SubType: E-mail worm
A new variant of W32/Netsky@MM has been received which spreads through email like its predecessors.
Mail Propagation
The virus may arrive in an email message as follows:
From: (address is spoofed and is obtained from the infected system)
Subject:
Re: Encrypted Mail
Re: Extended Mail
Re: Status
Re: Notify
Re: SMTP Server
Re: Mail Server
Re: Delivery Server
Re: Bad Request
Re: Failure
Re: Thank you for delivery
Re: Test
Re: Administration
Re: Message Error
Re: Error
Re: Extended Mail System
Re: Secure SMTP Message
Re: Protected Mail Request
Re: Protected Mail System
Re: Protected Mail Delivery
Re: Secure delivery
Re: Delivery Protection
Re: Mail Authentification
Body:
More: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101103

Chowhound
Comic Vine
GameFAQs
GameSpot
Giant Bomb
TechRepublic