firewallsvr.exe - Dangerous
firewallsvr.exe
Manual removal instructions:
Antivirus Report of firewallsvr.exe:
firewallsvr.exe
W32.Netsky.Y@mm is a variant of W32.Netsky.X@mm that scans for the email addresses on all non-CD-ROM drives on an infected computer.
Also Known As: W32/Netsky.y@MM [McAfee], WORM_NETSKY.Y [Trend], Win32.Netsky.Y [Computer Associates], W32/Netsky-X [Sophos]
Copies itself as %Windir%\FirewallSvr.exe.
Adds the value: "FirewallSvr"="%Windir%\FirewallSvr.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Listens on TCP port 82 for an attacker to send an executable file, and then run it.
If the system date is between April 28, 2004 and April 30, 2004,
the worm will attempt to perform Denial of Service (DoS) attack against the following Web sites: www.nibis.de; www.medinfo.ufl.edu; www.educa.ch
Then, the worm uses its own SMTP engine to send itself to the email addresses that it finds.
The email has the following characteristics:
From: (spoofed)
Subject: Delivery failure notice (ID-)
Message:
--- Mail Part Delivered ---
220 Welcome to
Mail type: multipart/related
--- text/html RFC 2504
MX [Mail Exchanger] mx.mt2.kl.
Exim Status OK.
message is available.
where may be one of:
New
Partial
External
Delivered
Attachment: www...session-.com
Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "FirewallSvr"="%Windir%\FirewallSvr.exe"
| firewallsvr.exe | Malware |
| firewallsvr.exe | Dangerous |
| firewallsvr.exe | High Risk |
Also Known As: W32/Netsky.y@MM [McAfee], WORM_NETSKY.Y [Trend], Win32.Netsky.Y [Computer Associates], W32/Netsky-X [Sophos]
Copies itself as %Windir%\FirewallSvr.exe.
Adds the value: "FirewallSvr"="%Windir%\FirewallSvr.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Listens on TCP port 82 for an attacker to send an executable file, and then run it.
If the system date is between April 28, 2004 and April 30, 2004,
the worm will attempt to perform Denial of Service (DoS) attack against the following Web sites: www.nibis.de; www.medinfo.ufl.edu; www.educa.ch
Then, the worm uses its own SMTP engine to send itself to the email addresses that it finds.
The email has the following characteristics:
From: (spoofed)
Subject: Delivery failure notice (ID-
Message:
--- Mail Part Delivered ---
220 Welcome to
Mail type: multipart/related
--- text/html RFC 2504
MX [Mail Exchanger] mx.mt2.kl.
Exim Status OK.
where
New
Partial
External
Delivered
Attachment: www.
Manual removal:
Navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and delete the value: "FirewallSvr"="%Windir%\FirewallSvr.exe"
Dmitry Sokolov:
I created UnHackMe in 2006 to fix the problem that antivioruses did not fix: detecting rootkits.
Since that time I work every day to fix the issues that antiviruses cannot.
If your antivirus have not helped you solve the problem, you should try UnHackMe.
We are a small company and you can ask me directly, if you have any questions.