From: Mail Delivery System [mailto:MAILER-DAEMON@ironport3.[censored]]
Posted At: 14 ianuarie 2009 09:42
Posted To: [censored]
Conversation: ironport3.[censored] Virus infected message detected
Subject: ironport3.[censored] Virus infected message detected

Message Headers:
From: 69e1eacc2b085@www.casmb.ro
To: [censored]
Subject: Hello
Date: Wed, 14 Jan 2009 10:29:47 +0200
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0013_0000421B.000026D7"
X-Priority: 1
X-MSMail-Priority: High

What you can see above is the warning message provided by the firewall protecting an e-mail server. It basically tells you that a virus (in our case a worm) tried to send you an e-mail with malicious content. The one you can see right here was given by an ironport platform which caught a message sent by the W32/Netsky-AE worm, one that uses a smtp engine of its own to spread over the e-mail by sending itself to everyone that’s in the infected PC’s contact list.
It’s quite easy to remove though by using a basic tool, the NTSKYGUI by Sophos. Just run it, easy.
Now the worm part is over and the ranting in Romanian part begins…

Mesajul a fost trimis de pe un domeniu al casmb, mai precis de pe o adresa apartinand departamentului contabil sau de resurse umane al lor. Hai frate, cum sa ne asteptam sa mearga ceva bine in tara asta cand nici macar institutiile statului nu au cea mai mica protectie anti-virus? E posibil ca un departament contabil care ar trebui sa fie minim eficient sa trimita worms la toata lista de contacte? Raspunsul, trist, se pare ca e DA. Iar in timp ce tot sistemul informatic al statului merge ca un fund, contractele pentru bazele informatice se acorda unor companii care e evident ca produc software care sa arate cat mai “dragut” pe cat mai multi bani. Mentiune: cand am spus “unor companii”, e foarte posibil sa fi vrut sa scriu “unei companii” – fiecare intelege ce vrea.

#1: Downloaded and installed the Malwarebytes’ Anti-Malware software. It’s free for scanning and cleaning, you can get it from here. It’ll detect the worm and delete some of its parts.

#2: If you check in [My Computer] at this point you will still notice that the drive’s default action is Autoplay instead of Open. You shouldn’t double click the drive or use the autoplay option at any time! That’s definitely not good. Now you need to get those pesky “autorun.inf” files out in the open, to do that you will type in Run “attrib c:\autorun.inf -r -h -s”, it’will remove the attributes for the autorun.inf file found in the root C:\ drive. Replace C: with D:, E: etc. to remove the attributes for the file on all of your drives..

#3: Delete C:\autorun.inf, D:\autorun.inf and so on.

#4: Reboot.

#5: Run MBAM again to make sure the worm is gone.

There you go, now the worm is gone and your drives should again behave properly.

PS: Have a happy New Year. I will.

Thanks,
The management.