WORM_NETSKY.P

Discussion in 'malware problems & news' started by Randy_Bell, Mar 30, 2004.

Thread Status:
Not open for further replies.
  1. Randy_Bell, Registered Member (Joined: May 24, 2002; Posts: 3,004; Location: Santa Clara, CA)

    WORM_NETSKY.P is a new, destructive variant of the NETSKY worm that propagates via email, using its own Simple Mail Transfer Protocol (SMTP) engine, and via shared folders. This worm exploits a known vulnerability within Internet Explorer that allows email attachments to be automatically executed, while email is being read or previewed. This memory-resident worm runs on Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution, it creates two files in the Windows folder, and drops several files in the Windows folder. It also creates a registry entry that allows it to automatically execute at every Windows startup.

    This worm propagates via email using its own SMTP engine, and sends email with any of 33 or more possible variations in Subject, Message Body, and Attachment name. The attachment may also have a double extension that combines either .txt or .doc with .pif, .exe, and .scr, a large number of spaces in between the two extensions, or may arrive in a ZIP file with random characters.

    This worm gathers target email addresses from files with the following extensions, which it looks for in drives C to Z (except the CD-ROM drive):

    ADB ASP CGI DBX DHTM DOC EML HTM HTML JSP MSG OFT PHP PL RTF SHT SHTM TBB TXT UIN VBS WAB WSH XML

    It avoids sending email messages to addresses that contain the following strings:

    @antivi @avp @bitdefender @fbi @f-pro @freeav @f-secur @kaspersky @mcafee @messagel @microsof @norman @norton @pandasof @skynet @sophos @spam @symantec @viruslis abuse@ noreply@ ntivir reports@ spam@

    This worm deletes several autorun registry entries in an attempt to prevent the automatic execution of BAGLE, NACHI, MYDOOM, and DEADHAT worms. It also deletes certain registry keys.

    To read more about the Microsoft Internet Explorer vulnerability, please visit http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx

    If you would like to scan your computer for WORM_NETSKY.P or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_NETSKY.P is detected and cleaned by Trend Micro pattern file #832 and above.
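
The attachment naming described in the post (a .txt or .doc extension, a run of spaces, then .pif, .exe or .scr) can be checked for at a mail gateway. The following is an added example, not part of the original post or any Trend Micro code; the function names and the sample message are constructed for illustration.

```python
import email
import re

# Extension pairs named in the post: a harmless-looking decoy, then the real executable one.
DECOY_EXT = ("txt", "doc")
REAL_EXT = ("pif", "exe", "scr")
DOUBLE_EXT = re.compile(
    r"\.(?P<decoy>{})(?P<pad>\s*)\.(?P<real>{})\s*$".format(
        "|".join(DECOY_EXT), "|".join(REAL_EXT)),
    re.IGNORECASE,
)

def classify_name(filename):
    """Return None for an unremarkable name, else details of the double extension."""
    m = DOUBLE_EXT.search(filename)
    if m is None:
        return None
    return {"decoy": m.group("decoy").lower(),
            "real": m.group("real").lower(),
            "padding": len(m.group("pad"))}  # spaces hiding the real extension

def scan_message(raw_text):
    """Walk every MIME part and report attachments whose name hides an executable extension."""
    findings = []
    for part in email.message_from_string(raw_text).walk():
        name = part.get_filename()
        hit = classify_name(name) if name else None
        if hit:
            findings.append((name, hit))
    return findings

def constructed_sample(padding=40):
    """Constructed test message (not a captured sample): one padded name, one benign name."""
    padded = "document.txt" + " " * padding + ".pif"
    return "\n".join([
        "From: sender@example.com", "To: user@example.com", "Subject: constructed sample",
        "MIME-Version: 1.0", 'Content-Type: multipart/mixed; boundary="BOUND"', "",
        "--BOUND", "Content-Type: text/plain", "", "body text",
        "--BOUND", "Content-Type: application/octet-stream",
        'Content-Disposition: attachment; filename="{}"'.format(padded), "", "placeholder",
        "--BOUND", "Content-Type: text/plain",
        'Content-Disposition: attachment; filename="notes.txt"', "", "benign",
        "--BOUND--", "",
    ])

if __name__ == "__main__":
    for name, hit in scan_message(constructed_sample()):
        print("quarantine: {!r} -> {}".format(name, hit))
```

The padding count is worth logging separately: a non-zero value means the real extension would be pushed out of view in a mail client's attachment list.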
     