Netsky.C is a pain

GM

PleasureGlutton
Forum Member
Jan 21, 2000
Toronto, ON, Canada
Is anyone else out there getting bombarded with Netsky.C virus emails? I get 3-5 of these a day, as does pretty much everyone I know. I am 99.9% sure the virus is not on my machine. I've got Norton AV 2004 and Norton Security (firewall), and it catches all of these things.

Still, I was skeptical as to whether or not it was actually originating from my machine. However, I have run the fix / remove tools from both Norton and McAfee, following the directions to the letter (including disabling System Restore and re-enabling it when I was supposed to). Both turned up nothing on my computer.

I suspect that someone who has me in their address book has the virus and is unaware of it. I've asked everybody and they all claim they "think" their computer is clean, but I am sure it is very possible to have it and not know it. I also understand this virus has its own engine for sending outgoing email, so when it spoofs others' addresses the outgoing mail would never show up in the outbox. Numerous emails have been sent out to strangers from ~some computer~ (not mine) with my email address spoofed as the sender, and I'm guessing my address being in their address book is the reason.

A couple questions for KMA or anyone else who may be knowledgeable about this:

1) Is it possible for someone running Windows 98 to have and spread this virus? At first I was told No, but I have my doubts. I have Windows XP, but almost everyone else I know (whose address book I would be in) runs 98. Knowing it's NOT possible for them to have/spread it would eliminate a lot of people.

2) Is there any way to stop these things from arriving in my mailbox? While they aren't doing any damage, they are a pain in the ass.

3) If the person with the infected computer removes me from their address book and deletes all of their old email, will this stop the email spoofing of my address? As I understand it the virus picks addresses at random which are in the email program... so it would seem to me this would at least clear up some of the problem, for me at least.

These viruses also appear only in my regular email addresses, never in my web-based email such as Hotmail and Yahoo.

Thanks in advance for your help.
 

Captain Crunch

Registered User
Forum Member
Apr 22, 2002
Lee's Summit, Mo.
Include me in the club. Some days I get 10-15, but fortunately, my Roadrunner ISP removes them before they get to my computer. Some of them are from a slight variation of my email addy which seems kind of strange. I don't know much about these things, but I have also done virus scans and have come up empty. All I do is delete them as I don't know what else to do. They always seem to come from a different address each time.

Good Luck
 

bubbas1

Registered User
Forum Member
Jan 7, 2003
Wisconsin
I had the same problem. It got so bad I was going to change e-mail addresses. Here is what I did.

Right click on the message in the "From Subject Received" section. Hope that makes sense.

Click on properties

Click on details

You will then be able to see the "return path". That's who it came from. Take note of the ISP.

Copy the whole section and send it to abuse@"whatever the isp was in the return path" dot com.

Explain briefly what is happening.

Do not send it to your ISP unless the message is coming from there. They can't do anything about it.

It took about a week of sending the e-mails back to the return path ISP before it came to a stop. Come to find out it was coming from someone I didn't even know and they had no idea they had a virus. Their ISP told me that they contacted them about the problem and if it wasn't fixed they would shut down their account.

This completely took care of the problem.

One more thing...do this for every e-mail you get that contained the virus.
 

GM

PleasureGlutton
Forum Member
Jan 21, 2000
Toronto, ON, Canada
bubbas1,

We received three more of these today, and while the return path was different in all three, the first part of the routing was the same in all of them: (Kap-Cable83.onlink.net [209.105.197.118]). They're coming from an ISP in Northern Ontario somewhere (Kapuskasing, Ontario I am guessing, due to the "Kap" part). I don't know anyone in Kapuskasing. :shrug: I've alerted their abuse account with the headers forwarded...so now we'll see if they take some action.

Thanks for pointing this out!

Here are the message headers.... with xxxxx's replacing legit addresses to protect the innocent. :) "mmm@mmm.ca" indicates my address, replaced.

Return-Path: <xxxxx@san.rr.com>
X-Original-To: mmm@mmm.ca
Delivered-To: mmm@mmm.ca
Received: from mmm.ca (Kap-Cable83.onlink.net [209.105.197.118])
by fep2.mmm.net (Postfix) with ESMTP id CE9681DD2
for <mmm@mmm.ca>; Mon, 7 Jun 2004 14:50:34 -0400 (EDT)
From: xxxxx@san.rr.com
To: mmm@mmm.ca
Subject: report
Date: Mon, 7 Jun 2004 14:50:58 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0013_000012DB.000020C2"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20040607185034.CE9681DD2@fep2.cogeco.net>
X-NAS-Bayes: #0: 0.0668003; #1: 0.9332
X-NAS-Classification: 0
X-NAS-MessageID: 572
X-NAS-Validation: {23159553-E766-4A81-B785-8A66A699E0A8}


Return-Path: <xxxxx@ca.fournierpharma.com>
X-Original-To: mmm@mmm.ca
Delivered-To: mmm@mmm.ca
Received: from mmm.ca (Kap-Cable83.onlink.net [209.105.197.118])
by fep2.mmm.net (Postfix) with ESMTP id 0BAB6100C
for <mmm@mmm.ca>; Mon, 7 Jun 2004 15:56:24 -0400 (EDT)
From: xxxxx@ca.fournierpharma.com
To: mmm@mmm.ca
Subject: test it
Date: Mon, 7 Jun 2004 15:56:57 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0002_000048E0.00007773"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20040607195625.0BAB6100C@fep2.cogeco.net>
X-NAS-Bayes: #0: 0.000826259; #1: 0.999174
X-NAS-Classification: 0
X-NAS-MessageID: 573
X-NAS-Validation: {23159553-E766-4A81-B785-8A66A699E0A8}


Return-Path: <xxxxx@hotmail.com>
X-Original-To: mmm@mmm.ca
Delivered-To: mmm@mmm.ca
Received: from mmm.ca (Kap-Cable83.onlink.net [209.105.197.118])
by fep4.mmm.net (Postfix) with ESMTP id C8A4FA1F
for <mmm@mmm.ca>; Mon, 7 Jun 2004 15:44:19 -0400 (EDT)
From: xxxxx@hotmail.com
To: mmm@mmm.ca
Subject: something for you
Date: Mon, 7 Jun 2004 15:44:45 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0011_000039CF.00006C2B"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20040607194419.C8A4FA1F@fep4.cogeco.net>
X-NAS-Classification: 0
X-NAS-MessageID: 571
X-NAS-Validation: {23159553-E766-4A81-B785-8A66A699E0A8}
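What GM noticed by eye (three different Return-Path/From addresses, one identical Received line) can be checked mechanically. This is an added example, not code from the thread; the three sample messages are constructed to mirror the posted headers, with placeholder addresses, hostnames and the documentation IP 192.0.2.83 standing in for the real relay.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed samples modelled on the headers posted in this thread; the
# addresses, hostnames and the 192.0.2.83 relay are placeholders, not real.
SAMPLES = [
    "Return-Path: <alice@example.net>\n"
    "Received: from mmm.example (Cable83.isp.example [192.0.2.83])\n"
    "\tby fep2.mmm.example (Postfix) with ESMTP id CE9681DD2\n"
    "\tfor <mmm@mmm.example>; Mon, 7 Jun 2004 14:50:34 -0400 (EDT)\n"
    "From: alice@example.net\nTo: mmm@mmm.example\nSubject: report\n\nbody\n",
    "Return-Path: <bob@pharma.example>\n"
    "Received: from mmm.example (Cable83.isp.example [192.0.2.83])\n"
    "\tby fep2.mmm.example (Postfix) with ESMTP id 0BAB6100C\n"
    "\tfor <mmm@mmm.example>; Mon, 7 Jun 2004 15:56:24 -0400 (EDT)\n"
    "From: bob@pharma.example\nTo: mmm@mmm.example\nSubject: test it\n\nbody\n",
    "Return-Path: <carol@webmail.example>\n"
    "Received: from mmm.example (Cable83.isp.example [192.0.2.83])\n"
    "\tby fep4.mmm.example (Postfix) with ESMTP id C8A4FA1F\n"
    "\tfor <mmm@mmm.example>; Mon, 7 Jun 2004 15:44:19 -0400 (EDT)\n"
    "From: carol@webmail.example\nTo: mmm@mmm.example\nSubject: something\n\nbody\n",
]

# "from <HELO name> (<reverse DNS> [<ip>])" as Postfix writes it.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[\]]+)\s+\[([\d.]+)\]\)")


def origin_of(raw):
    """Return the hop that handed the message to our own mail server."""
    msg = message_from_string(raw)
    hops = msg.get_all("Received", [])
    # Each relay prepends its Received line, so the last one is the earliest hop.
    earliest = " ".join(hops[-1].split())  # unfold the header
    m = RECEIVED_RE.search(earliest)
    helo, rdns, ip = m.groups() if m else ("?", "?", "?")
    return {
        "return_path": msg.get("Return-Path", "").strip("<>"),
        "helo": helo,  # whatever the sending machine claimed; the worm forges this
        "rdns": rdns,  # recorded by our server from the connection, not by the sender
        "ip": ip,
        # bubbas1's step: report to the abuse mailbox of the ISP that relayed it.
        "abuse": "abuse@" + ".".join(rdns.split(".")[-2:]),
    }


def summarize(raws):
    """Group the messages by the IP address that actually delivered them."""
    origins = [origin_of(r) for r in raws]
    return origins, Counter(o["ip"] for o in origins)
```

Three distinct envelope senders collapse onto one delivering IP, which is the address worth reporting; the Return-Path and From headers are the forged part.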
 

KMA

Registered User
Forum Member
May 25, 2003
Did you do a manual removal and restart in Safe Mode GM??? And did you delete it from the Registry??? I can walk yah through it if not, I'll check later and see if you responded. I don't have time to leave all the instructions right now but I will later. It's a pretty nasty piece of work. It's been around since the middle of March. The e-mail headers will give the details of the path that the e-mail took from the originator's computer to yours, BUT most mailers are often able to hide their identity; the e-mail return address is easy to fake. It would probably be a good idea for you to disable your program's preview pane.
 

GM

PleasureGlutton
Forum Member
Jan 21, 2000
Toronto, ON, Canada
KMA -

No, I did not restart in safe mode or edit the registry. I've run the registry editor before but backed off because I was in over my head and had no idea what I was doing. But I ran the fix tool 3 times from Norton, following the instructions (disabling System Restore), and also ran the fix tool from McAfee once. Never did it detect anything on my system. Neither site said anything about altering the registry. :shrug:

Both sites mentioned it would put a file called "winlogon.exe" in any directory on your computer with the string "shar" in it. I did a search for "winlogon" and DID find a file by this name in the Windows directory. However the site also said that there would be a legit file by this name in this directory and that file should not be deleted. It's the only file by this name that I was able to locate on my computer.
 

GM

PleasureGlutton
Forum Member
Jan 21, 2000
Toronto, ON, Canada
I took a look around the registry. I'm still pretty sure I don't actually have this worm residing on my computer. Check out Norton's Netsky page:

http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.c@mm.html

Scroll down to technical details. I can't check all of this stuff, but of what I could check...

Point #3 - There is no "ICQ Net" value on my machine in the file folder it mentions.

Point #15 - I tried setting the date and time on my computer to the date and time mentioned, and the computer made no sounds at all. I fiddled with it a bit too...set it for 6:15am, 7:30am, etc., waited a few minutes, heard nothing.

So I'm inclined to believe I don't have the worm. Correct?
 

KMA

Registered User
Forum Member
May 25, 2003
Manual Removal:

1-Disable System Restore (WindowsXP).
2-Update the virus definitions.
3-Restart your computer in Safe Mode.
4-Run a FULL system scan and delete all the files detected as W32.Netsky.C@mm.
5-Delete the value that was added to the registry.


Disabling your System Restore:
Temporarily turn off your System Restore. Windows XP uses this feature to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows won't let outside programs, including antivirus programs, modify System Restore. So antivirus programs or tools can't remove threats in the System Restore folder. That's why System Restore has the potential of restoring an infected file on your computer even after you have cleaned the infected files from all the other locations.

A virus scan may detect a threat in the System Restore folder even though you have removed the threat. So, try turning off system restore.

Turning off System Restore:

Click Start
Programs
Accessories
Windows Explorer
Right-click My Computer
Click Properties
Click the System Restore tab
Check the "Turn off System Restore" or "Turn off System Restore on all drives" in the message box.
Click Apply

Then you'll get another message box that will come up asking if yah want to turn off the system restore
Click yes
Click OK.
Restart the computer
THEN try removing viruses

THEN:

Restart your computer in Safe Mode:

Shut down the computer and turn off the power. Wait for at least 60 seconds and then restart the computer in Safe Mode.

When yah start up in safe mode, your programs and desktop are going to look different because when yah start in safe mode only the programs you need to run your operating system will be started, so don't freak out over it.


There are 2 ways to start in safe mode:


Either through the System Configuration Utility:

If you try the System Configuration Utility and cannot start its dialog box, use the F8 key instead. IF the System Configuration Utility method is not listed for your operating system, the utility is not available in that operating system.

OR

F8 key:
Using the F8 key can be harder than using the System Configuration Utility because you have to press the F8 key at JUST the right time. If the F8 method does not work, repeat the steps, but press the F8 key more quickly, or press it several times. If yah can't get the F8 key to work after trying to get the timing right, use the System Configuration Utility method instead.


THEN you want to run a FULL SYSTEM scan. Start your virus protection and run the scan.
Delete the files that come up with the virus.
 

KMA

Registered User
Forum Member
May 25, 2003
I have to break up these messages, it's too much to post in one reply.

As far as winlogon.exe:

You will not be able to delete it unless it is not loaded, and since it loads automatically at startup this would be paradoxical, like someone trying to remove and roll up the rug on which that someone is standing without falling down during the process.

You would be better off removing the malware which has attached itself to the winlogon executable, and you'll probably have to run the anti-virus scan in safe mode to do it.
 

KMA

Registered User
Forum Member
May 25, 2003
I'll post this in case you want to give this a try.

Disabling preview panel:

The safest way to view your email is to turn the preview pane off, so only those messages you deliberately open are displayed. To turn the preview pane off:

Outlook Express:
Click View Menu
Layout and remove the checkmark beside Show Preview Pane.

Outlook 2000/XP:
Click View Menu
Preview Pane.

Outlook 2003:
Click View Menu
Reading Pane
Off.


Netscape:
Click View Menu
Show/Hide
Message Pane.
 

GM

PleasureGlutton
Forum Member
Jan 21, 2000
Toronto, ON, Canada
Update...

bubbas1,

Your advice worked. Though it took the ISP 2-3 days to get back to me, they finally acknowledged my email and told me they were contacting the customer in question. The virus spams continued for maybe one more day, then stopped. I haven't received any now for about 5 days. Which is great because I was getting 3 to 5 of them every day for at least two months.

KMA,

Thanks for taking the time to try to help. As I said, I am quite sure the virus never took hold on my computer. It was sent to me numerous times but Norton caught it and alerted me every time. Everything's working fine here now.
 