W32/NetSky.h@MM

Discussion in 'malware problems & news' started by Marianna, Mar 5, 2004.

    Virus Information
    Discovery Date: 03/05/2004
    Origin: Unknown
    Length: 22,528 bytes (PE-Pack)
    Type: Virus
    SubType: E-mail

    A new variant of W32/Netsky@MM has been received which is detected and repaired as W32/Netsky.c@MM with the 4328 DATs and higher (with scanning of compressed files enabled).
    This variant is very similar to W32/Netsky.g@MM.

    This virus spreads via email. It sends itself to addresses found on the victim's machine. The virus also attempts to deactivate various other viruses (variants of W32/Mydoom and W32/Bagle).

    Mail propagation
    The virus may be received in an email message as follows:

    From: (forged address taken from infected system)

    Subject:

    Re: Hi
    Re: Part 3
    Re: Part 2
    Re: Index
    Re: Hello
    Re: Yours
    Re: Samples
    Re: Your TAN
    Re: Your PIN
    Re: Your bill
    Re: My details
    Re: Your data
    Re: Appending
    Re: Your folder
    Re: Your file
    Re: Approved
    Re: Document
    Re: Your briefing
    Re: Your picture
    Re: Your loveletter
    Re: Your details
    Re: Zipped folder
    Re: Secound Part
    Re: Here the file
    Re: Your application
    Re: Your encrypted file

    Body:

    Your file is attached
    Please read the attached file
    Please have a look at the attached
    See the attached file for details
    Here is the file
    Your document is attached.

    Attachment:

    yours.scr
    your_pic.scr
    document.scr
    your_bill.scr
    mp3music.scr
    my_details.scr
    your_file.scr
    your_letter.scr
    your_tan_33.scr
    your_pin_88.scr
    your_briefing.scr
    your_details.scr
    all_document.scr
    application.scr
    document_word.scr
    document_excel.scr
    document_4351.scr
    your_picture.scr
    message_part2.scr
    your_smaples.scr
    document_full.scr
    your_document.scr
    message_details.scr
    your_picture.pif

    The mailing component harvests addresses from the local system. Files with the following extensions are targeted:

    .adb
    .html
    .asp
    .cgi
    .dbx
    .dhtm
    .doc
    .eml
    .htm
    .oft
    .php
    .pl
    .rtf
    .sht
    .shtm
    .msg
    .tbb
    .txt
    .uin
    .vbs
    .wab

    It does not send itself to addresses that contain one of the following strings:

    abuse
    fbi
    orton
    f-pro
    aspersky
    cafee
    orman
    itdefender
    f-secur
    avp
    skynet
    spam
    messagelabs
    ymantec
    antivi
    icrosoft
    iruslis
    antivir
    sophos
    freeav
    andasoftwa

    The virus sends itself via SMTP, constructing messages using its own SMTP engine. It queries the DNS server for the MX record, connects directly to the MTA of the targeted domain and sends the message.

    System changes
    The worm copies itself into the %WinDir% folder (e.g. C:\WINDOWS) using the filename MAJA.EXE.

    C:\WINNT\maja.exe (22,528 bytes)
    Note: A valid file exists in the %Sysdir% directory.

    A Registry key is created to load the worm at system start.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Antivirus" = %WinDir%\maja.exe -antivirus service

    http://vil.nai.com/vil/content/v_101077.htm
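A mail-gateway triage rule built only from the indicators in the description above, as an added example in Python (not code from the post or from McAfee). The subject, body, attachment and Run-key values are copied from the description; the scoring threshold and any sample messages are constructed for the example.

```python
# Added example (not the original post's or McAfee's code): a triage rule
# built only from the W32/NetSky.h@MM indicators quoted above. The
# "two indicators" quarantine threshold is a constructed choice; the
# 22,528-byte size check comes from the "Length" field of the description.

SUBJECTS = {
    "Re: Hi", "Re: Part 3", "Re: Part 2", "Re: Index", "Re: Hello",
    "Re: Yours", "Re: Samples", "Re: Your TAN", "Re: Your PIN",
    "Re: Your bill", "Re: My details", "Re: Your data", "Re: Appending",
    "Re: Your folder", "Re: Your file", "Re: Approved", "Re: Document",
    "Re: Your briefing", "Re: Your picture", "Re: Your loveletter",
    "Re: Your details", "Re: Zipped folder", "Re: Secound Part",
    "Re: Here the file", "Re: Your application", "Re: Your encrypted file",
}
BODIES = {
    "Your file is attached", "Please read the attached file",
    "Please have a look at the attached", "See the attached file for details",
    "Here is the file", "Your document is attached.",
}
ATTACHMENTS = {
    "yours.scr", "your_pic.scr", "document.scr", "your_bill.scr",
    "mp3music.scr", "my_details.scr", "your_file.scr", "your_letter.scr",
    "your_tan_33.scr", "your_pin_88.scr", "your_briefing.scr",
    "your_details.scr", "all_document.scr", "application.scr",
    "document_word.scr", "document_excel.scr", "document_4351.scr",
    "your_picture.scr", "message_part2.scr", "your_smaples.scr",
    "document_full.scr", "your_document.scr", "message_details.scr",
    "your_picture.pif",
}
WORM_SIZE = 22_528  # bytes

def netsky_h_score(subject, body, attachment=None, size=0):
    """Count matched indicators (0..4): subject, body text, attachment name, size."""
    hits = int(subject.strip() in SUBJECTS) + int(body.strip() in BODIES)
    if attachment:
        hits += int(attachment.lower() in ATTACHMENTS)
        hits += int(size == WORM_SIZE)
    return hits

def is_netsky_h(subject, body, attachment=None, size=0):
    """Quarantine when the attachment name matches and one more indicator agrees."""
    if not attachment or attachment.lower() not in ATTACHMENTS:
        return False
    return netsky_h_score(subject, body, attachment, size) >= 2

def is_netsky_h_run_value(name, data):
    # Persistence entry from the description: "Antivirus" = %WinDir%\maja.exe -antivirus service
    return name == "Antivirus" and data.lower().endswith("maja.exe -antivirus service")
```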