NEW NETSKY .G loose.

Discussion in 'NOD32 version 2 Forum' started by tempnexus, Mar 4, 2004.

Thread Status:
Not open for further replies.
  1. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    No sample but a sophos report.

    W32/Netsky-G is a worm that spreads via email.
    In order to run automatically when Windows starts up the worm copies itself to the file avguard.exe in the Windows folder and creates the registry entry
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Special Firewall Service
    = "C:\WINDOWS\avguard.exe -av service"

    The worm attempts to disable various anti-virus and security related applications as well as other worms by deleting registry entries used by them.

    In particular the worm deletes the following entries:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Explorer
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system.
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msgsvr32
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DELETE ME
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\service
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Sentry
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service Host
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Taskmon
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Exporer
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\KasperskyAv
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\au.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OLE
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service Host
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\gouday.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\rate.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sate.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ssate.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\srate.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\sysmon.exe
    HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
    HKCU\System\CurrentControlSet\Services\WksPatch
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF

    Some of the registry entries removed by W32/Netsky-G are produced by variants of the W32/Bagle family of worms.

    W32/Netsky-G scans all local drives for files with one of the extensions

    .dhtm
    .cgi
    .shtm
    .msg
    .oft
    .sht
    .dbx
    .tbb
    .adb
    .doc
    .wab
    .asp
    .uin
    .rtf
    .vbs
    .html
    .htm
    .pl
    .php
    .txt
    .eml

    and attempts to extract email addresses from them. The worm skips email addresses containing the following strings:

    iruslis
    antivir
    sophos
    freeav
    andasoftwa
    skynet
    messagelabs
    abuse
    orton
    f-pro
    aspersky
    cafee
    orman
    itdefender
    f-secur
    spam
    ymantec
    antivi
    icrosoft

    In order to spread the worm creates 16 threads that send emails to the harvested addresses containing the worm as an attachment. W32/Netsky-G uses its own SMTP engine to send the mail. The subject lines, message texts and attached filenames are randomly chosen from the following possibilities:

    Subject line:
    Re: Your website
    Re: Your product
    Re: Your letter
    Re: Your archive
    Re: Your text
    Re: Your bill
    Re: Your details
    Re: My details
    Re: Word file
    Re: Excel file
    Re: Details
    Re: Approved
    Re: Your software
    Re: Your music
    Re: Here
    Re: Re: Re: Your document
    Re: Hello
    Re: Hi
    Re: Re: Message
    Re: Your picture
    Re: Here is the document
    Re: Your document
    Re: Thanks!
    Re: Re: Thanks!
    Re: Re: Document
    Re: Document

    Message text:
    Your file is attached.
    Please read the attached file.
    Please have a look at the attached file.
    See the attached file for details.
    Here is the file.
    Your document is attached.

    Attachment filename:
    your_website.pif
    your_product.pif
    your_letter.pif
    your_archive.pif
    your_text.pif
    your_bill.pif
    your_details.pif
    document_word.pif
    document_excel.pif
    my_details.pif
    all_document.pif
    application.pif
    mp3music.pif
    yours.pif
    document_4351.pif
    your_file.pif
    message_details.pif
    your_picture.pif
    document_full.pif
    message_part2.pif
    document.pif
    your_document.pif.

    In some cases W32/Netsky-G creates a zip archive of the attachment before sending the email. The filename will be one from the list above with a ZIP extension. The attached ZIP file is not password protected.
     
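A mail-gateway check built from the lure strings quoted in the Sophos report above, added here as an example (it is not Sophos's, NOD32's or the poster's code). It parses a message, flags a subject from the report's list and an attachment whose name is one of the report's filenames with the .pif extension or the zipped .zip form; the sample message is constructed, not a captured worm mail.

```python
import email
from email import policy

# Subject lines and attachment stems quoted from the Sophos report above.
NETSKY_G_SUBJECTS = {
    "Re: Your website", "Re: Your product", "Re: Your letter", "Re: Your archive",
    "Re: Your text", "Re: Your bill", "Re: Your details", "Re: My details",
    "Re: Word file", "Re: Excel file", "Re: Details", "Re: Approved",
    "Re: Your software", "Re: Your music", "Re: Here", "Re: Re: Re: Your document",
    "Re: Hello", "Re: Hi", "Re: Re: Message", "Re: Your picture",
    "Re: Here is the document", "Re: Your document", "Re: Thanks!",
    "Re: Re: Thanks!", "Re: Re: Document", "Re: Document",
}
NETSKY_G_ATTACHMENTS = {
    "your_website", "your_product", "your_letter", "your_archive", "your_text",
    "your_bill", "your_details", "document_word", "document_excel", "my_details",
    "all_document", "application", "mp3music", "yours", "document_4351",
    "your_file", "message_details", "your_picture", "document_full",
    "message_part2", "document", "your_document",
}
LURE_EXTENSIONS = ("pif", "zip")  # plain .pif, or the zipped copy the report describes


def netsky_g_indicators(raw: bytes) -> list:
    """Return the Netsky.G indicators a raw RFC 822 message matches (empty = none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in NETSKY_G_SUBJECTS:
        hits.append(f"subject:{subject}")
    # iter_attachments yields nothing for a non-multipart message, which is fine here.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, dot, ext = name.rpartition(".")
        if dot and ext in LURE_EXTENSIONS and stem in NETSKY_G_ATTACHMENTS:
            hits.append(f"attachment:{name}")
    return hits


# Constructed sample message (not a real capture); the base64 body is a two-byte placeholder.
SAMPLE_LURE = (
    b"From: someone@example.com\r\nTo: you@example.com\r\n"
    b"Subject: Re: Your bill\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nPlease read the attached file.\r\n"
    b'--b1\r\nContent-Type: application/octet-stream; name="your_bill.pif"\r\n'
    b'Content-Disposition: attachment; filename="your_bill.pif"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nTVo=\r\n--b1--\r\n"
)

if __name__ == "__main__":
    print(netsky_g_indicators(SAMPLE_LURE))
```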
  2. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Looks like NOD has it covered.

    NOD32 - v.1.653 (20040304)
    Virus signature database updates:
    Win32/Agobot.3.LA, Win32/Agobot.3.LB, Win32/Agobot.3.LC, Win32/Agobot.3.LD, Win32/Nachi.C3, Win32/Netsky.G

    US CST (GMT -06:00)
    Time   Module   Event   User
    3/4/2004 13:25:54 PM   Kernel   The virus signature database has been updated successfully to version 1.653 (20040304).   
     