firewallsvr.exe - Dangerous
firewallsvr.exe
Jeff's Story:
My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could not detect, nor could fix.
I sought a solution on the Internet and discovered your product and tried out the trial.
You quickly found the rootkit and SAVED my PC!
I haven't had any problems since, and I'm extremely grateful.
Manual removal instructions:
Also Known As: W32/Netsky.y@MM [McAfee], WORM_NETSKY.Y [Trend], Win32.Netsky.Y [Computer Associates], W32/Netsky-X [Sophos]
Copies itself as %Windir%\FirewallSvr.exe.
Adds the value: "FirewallSvr"="%Windir%\FirewallSvr.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Listens on TCP port 82 for an attacker to send an executable file, and then run it.
If the system date is between April 28, 2004 and April 30, 2004,
the worm will attempt to perform Denial of Service (DoS) attack against the following Web sites: www.nibis.de; www.medinfo.ufl.edu; www.educa.ch
Then, the worm uses its own SMTP engine to send itself to the email addresses that it finds.
The email has the following characteristics:
From: (spoofed)
Subject: Delivery failure notice (ID-
Message:
--- Mail Part Delivered ---
220 Welcome to
Mail type: multipart/related
--- text/html RFC 2504
MX [Mail Exchanger] mx.mt2.kl.
Exim Status OK.
where
New
Partial
External
Delivered
Attachment: www.
Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "FirewallSvr"="%Windir%\FirewallSvr.exe"