W32/Netsky.b@MM

Discussion in 'malware problems & news' started by Marianna, Feb 18, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Internet Worm Information
    Discovery Date: 02/18/2004
    Origin: Unknown
    Length: 22,016
    Type: Internet Worm
    SubType: E-mail worm

    This virus spreads via email and mapped drives. It sends itself to addresses found on the victim's machine and by copying itself to folders on drives C: - Z:. The virus also attempts to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses.

    Netsky only infects systems running Microsoft Windows.

    If you think that you may be infected with Netsky, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users as McAfee products are capable of detecting and removing the virus with the latest update. (see the removal instructions below for more information).
    Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected as the virus often forges the from address.


    Mail propagation
    The virus may be received in an email message as follows:

    From: (forged address taken from infected system) or skynet@skynet.de
    Subject: (one of the following)

    fake
    for
    hello
    hi
    immediately
    information
    it
    read
    something
    stolen
    unknown
    warning
    you
    Body : (one of the following)

    about me
    anything ok?
    do you? that's funny
    from the chatter
    greetings
    here
    here is the document.
    here it is
    here, the cheats
    here, the introduction
    here, the serials
    i found this document about you
    I have your password!
    i hope it is not true!
    i wait for a reply!
    i'm waiting ok
    information about you
    is that from you?
    is that true?
    is that your account?
    is that your name?
    kill the writer of this document!
    my hero
    read it immediately!
    read the details.
    reply
    see you
    something about you!
    something is fool
    something is going wrong
    something is going wrong!
    stuff about you?
    take it easy
    that is bad
    thats wrong why?
    what does it mean?
    yes, really?
    you are a bad writer
    you are bad
    you earn money
    you feel the same
    you try to steal
    your name is wrong
    Attachment: (one of the following names)

    aboutyou
    attachment
    bill
    concert
    creditcard
    details
    dinner
    disco
    doc
    document
    final
    found
    friend
    jokes
    location
    mail2
    mails
    me
    message
    misc
    msg
    nomoney
    note
    object
    part2
    party
    posting
    product
    ps
    ranking
    release
    shower
    story
    stuff
    swimmingpool
    talk
    textfile
    topseller
    website
    May be followed by:

    .doc
    .htm
    .rtf
    .text
    Followed by:

    .com
    .exe
    .pif
    .scr
    The attachment may have a double-extension, such as .rtf.pif, and may be contained in a .ZIP file.

    The mailing component harvests address from the local system. Files with the following extensions are targeted:

    .adb
    .asp
    .dbx
    .doc
    .eml
    .htm
    .html
    .msg
    .oft
    .php
    .pl
    .rtf
    .sht
    .tbb
    .txt
    .uin
    .vbs
    .wab
    The virus sends itself via SMTP - constructing messages using its own SMTP engine. It queries the DNS server for the MX record and connects directly to the MTA of the targeted domain and sends the message.

    System changes
    When executed, a fake error message may be displayed.


    The worm copies itself into %WinDir% (WINDOWS) folder using the filename SERVICES.EXE (note: A valid file exists in the WINDOWS SYSTEM directory). A registry run key is created to load the worm at system start.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "service" = C:\WINNT\services.exe -serv
    Network propagation/Peer to Peer propagation
    The worm copies itself to directories named share or sharing on the local system and on mapped network drives. This will result in propagation via KaZaa, Bearshare, Limewire, and other P2P application that use shared folder names containing the words share or sharing. The filenames are included in the worm and chosen randomly:

    angels.pif
    cool screensaver.scr
    dictionary.doc.exe
    dolly_buster.jpg.pif
    doom2.doc.pif
    e.book.doc.exe
    e-book.archive.doc.exe
    eminem - lick my *****.mp3.pif
    hardcore porn.jpg.exe
    how to hack.doc.exe
    matrix.scr
    max payne 2.crack.exe
    nero.7.exe
    office_crack.exe
    photoshop 9 crack.exe
    porno.scr
    programming basics.doc.exe
    rfc compilation.doc.exe
    serial.txt.exe
    sex sex sex sex.doc.exe
    strippoker.exe
    virii.scr
    win longhorn.doc.exe
    winxp_crack.exe
    The worm also drops numerous ZIP files containing the worm (22,016 bytes). The compressed file frequently uses a double extension like .doc.pif, .rtf.com, .rtf.scr). The list of ZIP names is hardcoded in the virus body:

    aboutyou.zip
    attachment.zip
    bill.zip
    concert.zip
    creditcard.zip
    details.zip
    dinner.zip
    disco.zip
    final.zip
    found.zip
    friend.zip
    jokes.zip
    location.zip
    mail2.zip
    mails.zip
    me.zip
    message.zip
    misc.zip
    msg.zip
    nomoney.zip
    note.zip
    object.zip
    part2.zip
    party.zip
    posting.zip
    product.zip
    ps.zip
    ranking.zip
    release.zip
    shower.zip
    story.zip
    stuff.zip
    swimmingpool.zip
    talk.zip
    textfile.zip
    topseller.zip
    website.zip
    Mydoom virus removal
    The virus removes the following registry values to deactivate Mydoom.a and Mydoom.b.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run Taskmon
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run Explorer
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run Taskmon
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run Explorer
    HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
    Other registry keys removed are as follows:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run KasperskyAv
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run system.

    Symptoms
    Existence of files and registry keys as mentioned above
    Unexpected network traffic

    Method Of Infection
    This worm spreads by EMail and by copying itself to folders on the local harddrive as well as on mapped network drivers if available. It does not scan for open shares.

    http://vil.nai.com/vil/content/v_101034.htm
     
  2. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
  3. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    The Netsky.B worm is a mass-mailing worm that uses its own SMTP engine to send itself to the e-mail addresses it finds when scanning hard drives and mapped drives. It searches the drives for folder names containing "share" or "sharing," and then copies itself to those folders. The virus also attempts to deactivate the MyDoom.A and MyDoom.B viruses.


    The worm presents a problem for businesses and consumers, because it is capable of spreading through peer-to-peer software. It also represents an emerging and troubling trend toward blended threats, which use more than one spreading mechanism.


    Cluster Bomb Attack


    Netsky.B is a "cluster bomb" worm, explained Ken Dunham of security firm iDefense. "This virus can create as many as 300 copies of itself in a network once it is inside," he told NewsFactor.


    Another distinguishing characteristic of Netsky, compared to other recent worms, is that it does not leave open the back door, said Jimmy Kuo a research fellow at McAfee AVERT, an arm of Network Associates (NYSE: NET - news). "The file-sharing mechanism is helping this virus spread rapidly."


    As such, the virus is adding hundreds of files to each of the infected machines, and shows no signs of slowing down, Kuo told NewsFactor. He recommended that when users retrieve files they should scan them first, and/or make sure there are not multiple extensions in files received.


    As of Thursday morning, Netsky.B was spreading in the wild, and Symantec (Nasdaq: SYMC - news) raised the threat level associated with it from three to four (five is the highest). "I don't think this has reached its peak yet," Dunham said.


    Networks Are Vulnerable


    "The sharing mechanism could have a dramatic impact on networks," said Dunham. Some 100,000 Netsky.B interceptions have been made worldwide, he noted, although the number of infected machines is lower.


    Using spoofed "from" addresses, the worm employs an array of subject headings, such as "hi," "hello," "read it immediately," "something for you," or "warning," in an effort to get recipients to open the infected e-mail attachment.


    The Netsky virus, also known as "Moodown," first emerged earlier this week, and initially spread rapidly in Europe. The B variant was first detected on Wednesday.


    Turn Off Unused Services


    As with previous worms, users should be wary of opening any e-mail attachments and are advised to upgrade their security software or get the appropriate software patches.


    Also, Symantec advised that users and systems administrators should turn off and remove any unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet and a Web server. If they are removed, blended threats have fewer avenues of attack, and there are fewer services to maintain through patch updates.

    Always include your source: http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.b@mm.html - Pieter
     
  4. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    WORM_NETSKY.B is a memory-resident, mass-mailing worm that spreads via email and peer-to-peer file-sharing networks. It drops copies of itself in shared folders as an executable with two extension names, and is represented by a Microsoft Word icon. It runs on Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution it drops a copy of itself as SERVICES.EXE in the Windows folder, and then creates a registry entry that allows it to automatically execute at every Windows startup.

    To propagate, this worm sends copies of itself via Simple Mail Transfer Protocol (SMTP) to target email addresses that it gathers from files with the following extensions, found in drives C to Z:

    ADB, ASP, DBX, DOC, EML, HTM, HTML, MSG, OFT, PHP, PL, RTF, SHT, TBB, TXT, UIN, VBS, WAB

    It sends a message with the following:

    From: <spoofed and selected from the harvested list of email addresses>
    Subject: (any of the following)
    fake
    hello
    hi
    information
    read it immediately
    something for you
    stolen
    unknown
    warning
    Message Body: <any of 47 specific messages>
    Attachment: <any of 40 specific attachment names>

    The file attachment may have two extension names, with the first name being DOC, HTM, RTF or TXT, and the second extension name being COM, EXE, PIF, or SCR. The attachment may also arrive compressed in ZIP format.

    To spread via file-sharing networks this worm drops numerous copies of itself in folders with the strings "sharing" or "shared" in their names.

    If you would like to scan your computer for WORM_NETSKY.B or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_NETSKY.B is detected and cleaned by Trend Micro pattern file #769 and above.
     
Thread Status:
Not open for further replies.