W32/Netsky.v@MM

Discussion in 'malware problems & news' started by Marianna, Apr 14, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Virus Information
    Discovery Date: 04/14/2004
    Origin: Unknown
    Length: 19,432 bytes
    Type: Virus
    SubType: E-mail

    AVERT has received a sample of this threat and is currently in the process of analyzing it. Details will be posted when they are available. Please check back shortly.

    http://vil.nai.com/vil/content/v_101175.htm
     
  2. Marianna

    Virus Characteristics

    This variant of W32/Netsky is similar to previous variants of W32/Netsky, however the virus does not spread as an email attachment, but rather as a hyperlink pointing to an infected system. It bears the following characteristics:

    infects by spreading exploit script, which automatically downloads and executes the virus from a remote infected system
    constructs messages using its own SMTP engine
    harvests email addresses from the victim machine
    spoofs the To: and From: address of messages
    opens a port on the victim machine (TCP 5556 & 5557)
    delivers a DoS attack on certain web sites upon a specific date condition

    Mail Propagation

    Email addresses are harvested from the victim machine. Files with the following extensions are searched:

    .adb
    .asp
    .cfg
    .cgi
    .dbx
    .dhtm
    .doc
    .eml
    .htm
    .html
    .jsp
    .mbx
    .mdx
    .mht
    .mmf
    .msg
    .nch
    .ods
    .oft
    .php
    .pl
    .ppt
    .rtf
    .sht
    .shtm
    .stm
    .tbb
    .txt
    .uin
    .vbs
    .wsh
    .wab
    .xls
    .xml

    Constructed messages bear the following characteristics:

    To: dimitrihji@yahoo.com (this is spoofed)
    From: dimitrihji@yahoo.com (this is also spoofed, it is not the true receiving address)
    Subject: (taken from the following list)

    Mail Delivery Sytem failure
    Mail delivery failed
    Server Status failure
    Gateway Status failure
    Body text: (taken from the following list)

    The processing of this message can take a few minutes...
    Converting message. Please wait...
    Please wait while loading failed message...
    Please wait while converting the message...
    Rather than including an attachment, the HTML within the message contains exploit code to contact a remote website to download the infected file. This HTML script will be detected with 4352 DATs and higher as Exploit-ObjectData.

    Denial of Service

    This worm targets the following remote servers in a denial of service attack:

    www.keygen.us
    www.freemule.net
    www.kazaa.com
    www.emule.de
    www.cracks.am

    System Changes

    The worm installs itself on the victim machine as KasperskyAVEng.exe in the Windows directory:

    %WinDir%\KasperskyAVEng.exe
    The following Registry key is added to hook system startup:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "KasperskyAVEng" = %WinDir%\KasperskyAVEng.exe
    A copy of the worm is saved to disk as SKYAV.TMP in the Windows directory:

    %WinDir%\skyav.tmp

    Remote Access Component

    The worm opens a web server on TCP port 5557 which, on vulnerable systems, will load an HTM file which is heuristically detected by DATs up to 4352 as Unsafe Script. Specific detection will be added to the 4352 DATs as Exploit-ObjectData.

    The virus also opens an FTP server on TCP Port 5556, so that the infected system can be accessed remotely.

    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101175
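As an added example (not part of the McAfee write-up or of this post), here is a small Python triage helper that checks host artefacts and a mail header against the indicators the description lists: the "KasperskyAVEng" Run value, the two dropped files in the Windows directory, listeners on TCP 5556/5557, and a message whose To: and From: are identical with one of the listed subjects. The registry export, file listing, netstat lines and mail header are constructed sample data, and every function and variable name is my own; nothing is read from a live system.

```python
import re

# Indicators copied from the advisory text above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "KasperskyAVEng"
DROPPED_FILES = {"kasperskyaveng.exe", "skyav.tmp"}
LISTEN_PORTS = {5556, 5557}
# Subjects as the advisory prints them ("Sytem" is the worm's own spelling).
SUBJECTS = {
    "mail delivery sytem failure",
    "mail delivery failed",
    "server status failure",
    "gateway status failure",
}


def check_registry(entries):
    """entries: iterable of (key, value_name, data) as a .reg export would give."""
    hits = []
    for key, name, data in entries:
        if key.lower() == RUN_KEY.lower() and name.lower() == RUN_VALUE.lower():
            hits.append(f"Run value {name} -> {data}")
        elif data.lower().endswith("kasperskyaveng.exe"):
            # Same payload hooked from a different value name.
            hits.append(f"{key}\\{name} points at {data}")
    return hits


def check_files(paths):
    """Flag any path whose basename is one of the two dropped files."""
    hits = []
    for p in paths:
        base = p.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in DROPPED_FILES:
            hits.append(p)
    return hits


# Matches a Windows 'netstat -an' listener row: proto, local addr:port, remote, state.
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)


def check_listeners(netstat_lines):
    """Return the advisory's ports that appear as TCP listeners, sorted."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if m and int(m.group(1)) in LISTEN_PORTS:
            hits.append(int(m.group(1)))
    return sorted(hits)


def check_mail(raw_headers):
    """Reasons a message looks like the constructed Netsky.v bounce:
    a listed subject, and To: identical to From: (both spoofed per the write-up)."""
    fields = {}
    for line in raw_headers.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            fields[k.strip().lower()] = v.strip()
    reasons = []
    if fields.get("subject", "").lower() in SUBJECTS:
        reasons.append("subject matches Netsky.v list")
    if fields.get("to") and fields.get("to") == fields.get("from"):
        reasons.append("To: equals From:")
    return reasons


# Constructed sample inputs (hypothetical host, not captured data).
SAMPLE_REGISTRY = [
    (RUN_KEY, "KasperskyAVEng", r"C:\WINDOWS\KasperskyAVEng.exe"),
    (RUN_KEY, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]
SAMPLE_FILES = [
    r"C:\WINDOWS\KasperskyAVEng.exe",
    r"C:\WINDOWS\skyav.tmp",
    r"C:\WINDOWS\notepad.exe",
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING",
    "  TCP    0.0.0.0:5556   0.0.0.0:0    LISTENING",
    "  TCP    0.0.0.0:5557   0.0.0.0:0    LISTENING",
    "  TCP    192.168.1.5:1045  10.0.0.7:80  ESTABLISHED",
]
SAMPLE_MAIL = (
    "To: dimitrihji@yahoo.com\n"
    "From: dimitrihji@yahoo.com\n"
    "Subject: Mail Delivery Sytem failure\n"
)


def triage(registry=SAMPLE_REGISTRY, files=SAMPLE_FILES,
           netstat=SAMPLE_NETSTAT, mail=SAMPLE_MAIL):
    """Run all four checks and return the findings keyed by artefact type."""
    return {
        "registry": check_registry(registry),
        "files": check_files(files),
        "listeners": check_listeners(netstat),
        "mail": check_mail(mail),
    }


if __name__ == "__main__":
    for artefact, findings in triage().items():
        print(f"{artefact}: {findings}")
```

On a real host the same functions would be fed the output of a registry export, a directory listing of %WinDir%, and `netstat -an`; the mail check is deliberately conservative and only reports the combination the write-up describes, so a legitimate bounce with a different subject or distinct To:/From: produces no finding.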