Netsky.P

Guest
Archived from groups: microsoft.public.windowsxp.configuration_manage,microsoft.public.windowsxp.general,microsoft.public.windowsxp.perform_maintain (More info?)

I need some info:
I keep getting this re-occurring message: eTrust EZ Antivirus real-time
protection has found that C:\DOCUME~1\Bruce\LOCALS~1\Temp\avg61.tmp is
Win32.Netsky.P Worm
Why does this keep coming back, I keep deleting it. I think it's coming in
through Outlook Express. Not positive though.
Thanks Bruce
 
Guest

http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky@mm.removal.tool.html
http://www.srnmicro.com/virusinfo/netsky-p.htm
http://www.pestpatrol.com/pestinfo/w/win32_netsky_p_worm.asp

regards,
aag MS-MVP

Bruce Lawrence wrote:
> I need some info:
> I keep getting this re-occurring message: eTrust EZ Antivirus real-time
> protection has found that C:\DOCUME~1\Bruce\LOCALS~1\Temp\avg61.tmp is
> Win32.Netsky.P Worm
> Why does this keep coming back, I keep deleting it. I think it's coming in
> through Outlook Express. Not positive though.
> Thanks Bruce
>
>
 
Guest

All those News groups and you missed the *MOST* relevant News Groups...
There are anti virus News Groups specifically for this type of discussion.

microsoft.public.scripting.virus.discussion
microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

Obtain McAfee's virus and worm removal tool, Stinger: http://vil.nai.com/vil/stinger/

1) Disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
2) Reboot the infected PC into Safe Mode
3) Using Stinger, perform a Full Scan of your platform and clean/delete any
infectors found
4) Restart the infected PC and perform a "final" Full Scan of your platform
5) Re-enable System Restore and re-apply any System Restore preferences,
(e.g. HD space to use suggested 400 ~ 600MB),
6) Reboot the PC.
7) Create a new Restore point


* * * Please report back your results * * *

Dave


"Bruce Lawrence" <blawrence@shaw.ca> wrote in message
news:OaIR7bL3EHA.1452@TK2MSFTNGP11.phx.gbl...
| I need some info:
| I keep getting this re-occurring message: eTrust EZ Antivirus real-time
| protection has found that C:\DOCUME~1\Bruce\LOCALS~1\Temp\avg61.tmp is
| Win32.Netsky.P Worm
| Why does this keep coming back, I keep deleting it. I think it's coming in
| through Outlook Express. Not positive though.
| Thanks Bruce
|
|
 
Guest

On Tue, 7 Dec 2004 16:46:42 -0700, "Bruce Lawrence"

>I keep getting this re-occurring message: eTrust EZ Antivirus real-time
>protection has found that C:\DOCUME~1\Bruce\LOCALS~1\Temp\avg61.tmp is
>Win32.Netsky.P Worm
>Why does this keep coming back, I keep deleting it. I think it's coming in
>through Outlook Express. Not positive though.

Most email applications, OE included, store attachments within the
mailboxes, where av (antivirus) software can't clean them, and usually
can't detect them either.

If malware exploits defects in the email application's way of
displaying messages, it can launch itself whenever the message is
(pre-)viewed. Hopefully the av will catch it each time, as the
malware creates itself as a file; if it misses, you're "owned".

OE and Outlook use IE's HTML rendering engine to display HTML "message
text", and this facilitates attack if this engine isn't patched
against a hole that the malware exploits. Two recent potential
defects that have only recently been fixed are:
- malformed JPEG (slippery to patch; SP2 OK)
- IFrame and related HTML attacks (SP2 OK, else patch)

The last is nasty, because ITW (In The Wild) malware has been banging
away at that all month, before it was patched December 2004.


I'd manage this issue as follows:
- stop OE from displaying message text as preview
- first, formally scan and clean the PC (easier on FATxx)
- then patch whatever defects as may exist in IE / OE
- then install Eudora, set to NOT use MS viewer, import mail
- scan the attachment files Eudora spat out during import
- track the bad files to corresponding messages in OE
- delete those messages, and again from Trash, in OE
- compact mailboxes in OE
- purge System Restore, and create a new Restore point
- consider staying with Eudora instead (safer, easier to clean)

The above approach leverages the fact that:
- Eudora can be set not to use IE's HTML engine
- Eudora doesn't run scripts etc. in "message text"
- Eudora doesn't hide attachments in mailboxes

Once you scan and clean the attachments that Eudora spits out as the
message comes in, there's nothing further to be done (unless SR is
polluted, of course). All links to the file from Eudora will point to
the file that was cleaned, so the risk has gone away.

See http://cquirke.mvps.org/9x/empath.htm for the details


>-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
>----------------------- ------ ---- --- -- - - - -
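
An added example, not part of the thread above: it illustrates the last post's two points, that an attachment stored encoded inside a mailbox does not appear as plain bytes in the mailbox file, and that a flagged file can be traced back to the message that carried it. It assumes an mbox-format mailbox (Outlook Express's own store format is not parsed here); the marker, addresses and function names are constructed for the example.

```python
import hashlib
import mailbox
import os
import tempfile
from email.message import EmailMessage

# Constructed, harmless stand-in for the bytes a scanner signature would match.
MARKER = b"CONSTRUCTED-HARMLESS-TEST-MARKER"

def build_sample_mbox(path):
    """Write a constructed two-message mbox; only the second has an attachment."""
    box = mailbox.mbox(path)
    for n, payload in enumerate([None, MARKER], start=1):
        msg = EmailMessage()
        msg["From"] = "sender@example.invalid"
        msg["Subject"] = f"constructed message {n}"
        msg["Message-ID"] = f"<{n}@example.invalid>"
        msg.set_content("body text")
        if payload is not None:
            msg.add_attachment(payload, maintype="application",
                               subtype="octet-stream", filename="sample.bin")
        box.add(msg)
    box.close()  # close() flushes the mailbox to disk

def index_attachments(path):
    """Map SHA-256 of each decoded attachment to (Message-ID, Subject, filename)."""
    index = {}
    box = mailbox.mbox(path, create=False)
    try:
        for msg in box:
            for part in msg.walk():
                name = part.get_filename()
                if name is None:
                    continue  # not an attachment part
                data = part.get_payload(decode=True) or b""  # undo base64 etc.
                digest = hashlib.sha256(data).hexdigest()
                index.setdefault(digest, []).append(
                    (msg["Message-ID"], msg["Subject"], name))
    finally:
        box.close()
    return index

def demo():
    """Return (marker visible in raw mailbox?, messages carrying the flagged file)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.mbox")
        build_sample_mbox(path)
        with open(path, "rb") as fh:
            raw = fh.read()
        index = index_attachments(path)
    flagged = hashlib.sha256(MARKER).hexdigest()  # hash of the file the scanner flagged
    return MARKER in raw, index.get(flagged, [])
```
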