W32/Netsky-E

Discussion in 'malware problems & news' started by Marianna, Mar 1, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Aliases
    W32/Netsky.c@MM

    Type
    Win32 worm

    Description
    W32/Netsky-E is a worm which spreads via shared networks and by emailing itself to addresses found within files located on local drives.
    A detailed analysis of W32/Netsky-E will be published here shortly. Please check again later.

    http://www.sophos.com/virusinfo/analyses/w32netskye.html
     
  2. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Virus Information
    Discovery Date: 03/01/2004
    Origin: Unknown
    Length: 24,480 (Petite packed)
    Type: Virus
    SubType: E-mail worm

    A new variant of W32/Netsky@MM has been received which is detected and repaired as W32/Netsky.c@MM with the 4328 DATs and higher (with scanning of compressed files enabled).

    This virus spreads via email. It sends itself to addresses found on the victim's machine. The virus also attempts to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses.

    Mail propagation
    The virus may be received in an email message as follows:

    From: (forged address taken from infected system)
    Subject: Constructed from strings carried within the worm.

    Note: initial investigation indicates that the worm may email itself either as a binary or as a binary within a ZIP file. This will be updated when analysis is complete.

    The mailing component harvests addresses from the local system. Files with the following extensions are targeted:

    .adb
    .asp
    .cgi
    .dbx
    .dhtm
    .doc
    .eml
    .htm
    .oft
    .php
    .pl
    .rtf
    .sht
    .shtm
    .msg
    .tbb
    .txt
    .uin
    .vbs
    .wab
    It does not send itself to addresses that contain one of the following strings:

    abuse
    fbi
    orton
    f-pro
    aspersky
    cafee
    orman
    itdefender
    f-secur
    avp
    skynet
    spam
    messagelabs
    ymantec
    antivi
    icrosoft
    The virus sends itself via SMTP - constructing messages using its own SMTP engine. It queries the DNS server for the MX record and connects directly to the MTA of the targeted domain and sends the message.

    System changes
    The worm copies itself into the %WinDir% (e.g. C:\WINDOWS) folder using the filename WINLOGON.EXE.

    C:\WINNT\WINLOGON.EXE (24,480 bytes)
    Note: A valid file exists in the Windows System directory.

    A Registry key is created to load the worm at system start.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run
    "ICQ Net" = %WinDir%\WINLOGON.EXE -stealth
    Virus removal
    The virus removes various Registry values. Some of these are associated with other viruses, trojans, and applications.

    The following registry key values are deleted:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "au.exe"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "d3dupdate.exe"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "Explorer"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "KasperskyAv"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "OLE"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "Taskmon"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "DELETE ME"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Explorer"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "KasperskyAv"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "msgsvr32"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Sentry"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "service"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "system."
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "Taskmon"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\RunServices "system."
    HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

    Symptoms

    Existence of files and registry keys as mentioned above
    Unexpected network traffic
    Outgoing DNS queries to one of the following hard-coded IP addresses:
    145.253.2.171
    151.189.13.35
    193.141.40.42
    193.189.244.205
    193.193.144.12
    193.193.158.10
    194.25.2.129
    194.25.2.130
    194.25.2.131
    194.25.2.132
    194.25.2.133
    194.25.2.134
    195.185.185.195
    195.20.224.234
    212.185.252.136
    212.185.252.73
    212.185.253.70
    212.44.160.8
    212.7.128.162
    212.7.128.165
    213.191.74.19
    217.5.97.137
    62.155.255.16

    http://vil.nai.com/vil/content/v_101067.htm
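    The write-up above gives three host-observable artefacts (the Run value, the dropped WINLOGON.EXE outside the System directory, and DNS queries to a hard-coded resolver list). The following is an added example, not McAfee's, Sophos's or the poster's code, showing how a responder can turn those artefacts into a simple indicator check. It runs offline on constructed inputs (a dict standing in for the Run key, a list of file entries, and a few DNS log lines in an assumed format); on a real Windows host the same functions would be fed from winreg and os.stat. The legitimate winlogon.exe size in the sample is a made-up placeholder.

```python
"""Host indicator check for the Netsky.c@MM / Netsky-E artefacts described above.

Added example (not vendor or forum code). All input data below is constructed
so the script runs on any platform without touching a live registry.
"""
import re
from dataclasses import dataclass

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
IOC_RUN_VALUE = "ICQ Net"            # value name from the write-up
IOC_FILENAME = "WINLOGON.EXE"        # dropped directly under %WinDir%
IOC_FILE_SIZE = 24480                # Petite-packed size from the write-up
IOC_DNS_SERVERS = {                  # hard-coded resolvers listed in the write-up
    "145.253.2.171", "151.189.13.35", "193.141.40.42", "193.189.244.205",
    "193.193.144.12", "193.193.158.10", "194.25.2.129", "194.25.2.130",
    "194.25.2.131", "194.25.2.132", "194.25.2.133", "194.25.2.134",
    "195.185.185.195", "195.20.224.234", "212.185.252.136", "212.185.252.73",
    "212.185.253.70", "212.44.160.8", "212.7.128.162", "212.7.128.165",
    "213.191.74.19", "217.5.97.137", "62.155.255.16",
}


@dataclass
class Finding:
    kind: str     # "registry", "file" or "dns"
    detail: str


def check_run_key(run_values: dict) -> list:
    """Flag the documented value name, or any Run value whose data launches
    winlogon.exe with the -stealth switch (the name could be changed by a variant)."""
    findings = []
    for name, data in run_values.items():
        if name == IOC_RUN_VALUE or re.search(r"winlogon\.exe\s+-stealth\s*$", data, re.I):
            findings.append(Finding("registry", f'{RUN_KEY} "{name}" = {data}'))
    return findings


def check_files(files: list, windir: str = r"C:\WINDOWS") -> list:
    """A WINLOGON.EXE directly under %WinDir% is suspect: the legitimate copy lives
    in the System directory. files is a list of (path, size_in_bytes)."""
    findings = []
    for path, size in files:
        head, _, tail = path.rpartition("\\")
        if tail.upper() == IOC_FILENAME and head.upper() == windir.upper():
            note = ("size matches write-up" if size == IOC_FILE_SIZE
                    else f"size {size} differs from write-up")
            findings.append(Finding("file", f"{path} ({note})"))
    return findings


# Assumed log format: "<timestamp> <client> -> <resolver>:53 <qtype> <name>"
DNS_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):53\s+(?P<qtype>\w+)\s+(?P<name>\S+)"
)


def check_dns(log_lines) -> list:
    """Flag outgoing queries to any resolver on the worm's hard-coded list."""
    findings = []
    for line in log_lines:
        m = DNS_LINE.match(line)
        if m and m["dst"] in IOC_DNS_SERVERS:
            findings.append(Finding("dns", f'{m["src"]} queried {m["dst"]} ({m["qtype"]} {m["name"]})'))
    return findings


def scan(run_values, files, dns_lines) -> list:
    """Run all three checks and return the combined findings."""
    return check_run_key(run_values) + check_files(files) + check_dns(dns_lines)


# --- constructed sample data -------------------------------------------------
SAMPLE_RUN = {
    "ICQ Net": r"C:\WINDOWS\WINLOGON.EXE -stealth",        # indicator
    "SoundMgr": r"C:\Program Files\Audio\mgr.exe",           # benign
}
SAMPLE_FILES = [
    (r"C:\WINDOWS\WINLOGON.EXE", 24480),                     # dropped copy
    (r"C:\WINDOWS\system32\winlogon.exe", 500000),           # legitimate (placeholder size)
]
SAMPLE_DNS = [
    "2004-03-01T09:00:01 10.0.1.57 -> 194.25.2.129:53 MX example.net",   # hard-coded resolver
    "2004-03-01T09:00:02 10.0.1.57 -> 10.0.0.53:53 A intranet.example",  # local resolver, fine
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_DNS):
        print(f"[{f.kind}] {f.detail}")
```

The file check deliberately keys on location rather than size alone, because a repacked variant changes the size but still has to avoid overwriting the real winlogon.exe in the System directory.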
     
  3. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    WORM_NETSKY.D

    WORM_NETSKY.D is another new variant of the NETSKY worm, and it is currently spreading in the wild. It is a memory-resident worm that propagates via email using its own SMTP (Simple Mail Transfer Protocol) engine. If the current computer system date is March 2, 2004 and the time is between 6am and 9am, the worm's payload causes the computer to generate beeping sounds. This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution, this worm drops a copy of itself as WINLOGON.EXE in the Windows folder. (Note: on Windows NT, 2000 and XP, there is an application named WINLOGON.EXE in the Windows System folder.) It then creates a mutex that checks for its existence on the system, and it creates a registry entry that allows it to automatically execute at every system startup. It also deletes several registry entries and keys that are added by other malware, such as variants of MYDOOM, MIMAIL, NETSKY, DEADHAT, BAGLE, NACHI, and PARITE.

    This worm uses its own SMTP engine to propagate. It sends email using any of several specific "Subject:" lines, any of several specific "Message Body:" contents, and any of several specific "Attachment:" names (please view the full virus description for the list of Subjects, Message Body contents, and Attachments). It gathers target email addresses by searching all fixed drives in drives C through Z (except the CD-ROM drive) for files with the following extensions:

    ADB
    ASP
    CGI
    DBX
    DHTM
    DOC
    EML
    HTM
    HTML
    MSG
    OFT
    PHP
    PL
    RTF
    SHT
    SHTM
    TBB
    TXT
    UIN
    VBS
    WAB

    As it scans each of the above-mentioned files, the worm skips email addresses that contain the following text strings, in order to evade detection by security software associated with these strings:

    "abuse"
    "antivi"
    "aspersky"
    "avp"
    "cafee"
    "fbi"
    "f-pro"
    "f-secur"
    "icrosoft"
    "itdefender"
    "orman"
    "orton"
    "skynet"
    "spam"
    "ymantec"

    The malware searches for mail exchangers that match its preferences on each of the DNS servers, and uses them as SMTP servers.

    The following text string is embedded within the malware's code:

    be aware! Skynet.cz - -->AntiHacker Crew <--


    If you would like to scan your computer for WORM_NETSKY.D or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_NETSKY.D is detected and cleaned by Trend Micro pattern file #794 and above.
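    Both descriptions in this thread make the same point about delivery: the worm looks up MX records itself and talks SMTP directly to the target domain's mail server. On a network where desktops are supposed to hand mail to one relay, that shows up as a single workstation opening TCP/25 to many unrelated hosts in a short period. The script below is an added example, not Trend Micro's or the poster's code, that detects this pattern in a constructed connection log with a sliding time window. The log line format, the relay address 10.0.0.25, the window and the threshold are all assumptions.

```python
"""Flag hosts that deliver mail directly to many external MX servers.

Added example (not vendor or forum code). Log format, relay address,
window size and threshold are assumptions; sample data is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAIL_RELAY = "10.0.0.25"                # assumed approved internal relay
WINDOW = timedelta(minutes=10)          # look for bursts within this span
THRESHOLD = 5                           # distinct external TCP/25 peers per window

# Assumed format: "<iso timestamp> <src>:<sport> -> <dst>:<dport> <TCP|UDP>"
LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>TCP|UDP)"
)


def parse(line: str):
    """Return (timestamp, src, dst, dport, proto) or None for unparseable lines."""
    m = LINE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]), m["proto"]


def direct_smtp_senders(lines, relay=MAIL_RELAY, window=WINDOW, threshold=THRESHOLD,
                        allowed_senders=None) -> dict:
    """Map each suspicious source to the largest number of distinct non-relay
    TCP/25 destinations it contacted inside any single window.

    The relay itself (and anything in allowed_senders) is expected to do direct
    delivery and is skipped; connections *to* the relay are the normal path
    and are ignored for everyone.
    """
    allowed = set(allowed_senders or ()) | {relay}
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, dport, proto = rec
        if proto == "TCP" and dport == 25 and dst != relay and src not in allowed:
            events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        best, lo = 0, 0
        for hi in range(len(evs)):
            # advance the window start so evs[lo..hi] spans at most `window`
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            best = max(best, len({d for _, d in evs[lo:hi + 1]}))
        if best >= threshold:
            alerts[src] = best
    return alerts


# --- constructed sample log --------------------------------------------------
SAMPLE_LOG = [
    # 10.0.1.57 behaves like a worm with its own SMTP engine: six MX hosts in four minutes
    "2004-03-01T09:00:00 10.0.1.57:1045 -> 192.0.2.10:25 TCP",
    "2004-03-01T09:00:05 10.0.1.57:1046 -> 192.0.2.53:53 UDP",       # DNS, ignored
    "2004-03-01T09:00:40 10.0.1.57:1047 -> 192.0.2.11:25 TCP",
    "2004-03-01T09:01:10 10.0.1.57:1048 -> 198.51.100.20:25 TCP",
    "2004-03-01T09:01:55 10.0.1.57:1049 -> 198.51.100.21:25 TCP",
    "2004-03-01T09:02:30 10.0.1.57:1050 -> 203.0.113.5:25 TCP",
    "2004-03-01T09:03:59 10.0.1.57:1051 -> 203.0.113.6:25 TCP",
    # 10.0.1.8 uses the relay as intended
    "2004-03-01T09:00:30 10.0.1.8:1100 -> 10.0.0.25:25 TCP",
    # the relay delivering outbound mail is expected behaviour
    "2004-03-01T09:01:00 10.0.0.25:4000 -> 198.51.100.7:25 TCP",
    "2004-03-01T09:01:01 10.0.0.25:4001 -> 198.51.100.8:25 TCP",
    # 10.0.1.9 hits two external MX hosts an hour apart: below threshold
    "2004-03-01T09:05:00 10.0.1.9:1200 -> 192.0.2.30:25 TCP",
    "2004-03-01T10:05:00 10.0.1.9:1201 -> 192.0.2.31:25 TCP",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for src, n in direct_smtp_senders(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct external SMTP peers within {WINDOW}")
```

The same logic applies with a firewall rule in place of a script: if only the relay may initiate TCP/25 outbound, an infected desktop's delivery attempts fail and the denied connections become the alert.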
     