W32/Netsky-V

Discussion in 'malware problems & news' started by Marianna, Apr 20, 2004.

  1. Marianna

    Aliases
    I-Worm.NetSky.w, W32/Netsky.v@MM, W32.Netsky.V@mm, HTML/Debeski

    Type
    Win32 worm

    Description
    W32/Netsky-V is a worm which uses a combination of email, HTTP and FTP to spread. The worm itself is a Windows program (EXE) file.
    W32/Netsky-V searches your hard disk for email addresses and sends email directly to them. Note that these emails do not contain an attached copy of W32/Netsky-V. Instead, they contain HTML instructions to fetch a copy of the worm. The emails use a subject and message randomly selected from the following:

    Subject line:
    Mail Delivery Sytem failure
    Mail delivery failed
    Server Status failure
    Gateway Status failure

    Visible message text:
    The processing of this message can take a few minutes...
    Converting message. Please wait...
    Please wait while loading failed message...
    Please wait while converting the message...

    W32/Netsky-V opens up two TCP ports on your computer. An HTTP service listens on port 5557 and an FTP service listens on port 5556. These ports are used to "serve up" the virus to downstream victims to whom you have sent copies of the email mentioned above.

    Downstream victims can become infected simply by reading an email sent by the virus. Note, however, that this email relies on a bug in Microsoft Outlook for which a patch has already been published. If you have downloaded and applied up-to-date patches from Microsoft, then the exploit used by this email will not work and the email is harmless.

    If your computer has an unpatched copy of Outlook, the W32/Netsky-V email makes an HTTP (web) connection back to port 5557 on the computer which sent you the email. This web connection is used to download a second HTML script. This script in turn exploits a second bug in Outlook to make an FTP connection back to port 5556. The FTP connection is used to download, install and run the W32/Netsky-V worm.

    W32/Netsky-V is installed into your Windows folder with the name KasperskyAVEng.exe. The worm adds the registry value:

    KasperskyAVEng

    to the registry key:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    so that it runs automatically every time you logon to your computer.

    Between 22 April 2004 and 28 April 2004, W32/Netsky-V mounts a denial of service attack against the following sites:

    www.keygen.us
    www.freemule.net
    www.kazaa.com
    www.emule.de
    www.cracks.am

    The denial of service consists of four redundant HTML requests to each of these sites every second.

    http://www.sophos.com/virusinfo/analyses/w32netskyv.html
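The analysis above gives a defender several concrete indicators: two listening TCP ports (5556 FTP, 5557 HTTP), a persistence value named KasperskyAVEng under the Run key, four fixed lure subject lines, and a burst of four requests per second to each of five DoS targets. The script below turns those into host and network checks. It is an added example written for this thread, not code from Sophos or from the poster; it assumes the output format of Windows `netstat -an`, a `name -> data` mapping read from the Run key, and a simple constructed "timestamp source destination-host" log line format for the DoS check. All sample inputs are constructed for the example.

```python
"""Indicator checks for W32/Netsky-V derived from the Sophos analysis.

Assumptions (not from the analysis): `netstat -an` style input for the
listener check, a dict of Run-key values for the persistence check, and
constructed 'ISO-timestamp src dst_host' log lines for the DoS check.
"""
import re
from collections import Counter

# Indicators taken from the analysis quoted above
WORM_PORTS = {5556: "FTP", 5557: "HTTP"}
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "KasperskyAVEng"
RUN_DATA_FILE = "KasperskyAVEng.exe"
LURE_SUBJECTS = {
    "Mail Delivery Sytem failure",  # misspelling is the worm's own
    "Mail delivery failed",
    "Server Status failure",
    "Gateway Status failure",
}
DOS_TARGETS = {"www.keygen.us", "www.freemule.net", "www.kazaa.com",
               "www.emule.de", "www.cracks.am"}
DOS_RATE_PER_SECOND = 4  # four redundant requests per second per site

_LISTEN_RE = re.compile(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING")


def suspect_listeners(netstat_text):
    """Return the worm's service ports that appear LISTENING in netstat output."""
    found = []
    for line in netstat_text.splitlines():
        m = _LISTEN_RE.match(line)
        if m and int(m.group(1)) in WORM_PORTS:
            found.append(int(m.group(1)))
    return sorted(found)


def suspect_run_entries(run_values):
    """run_values: {value_name: data} read from RUN_KEY.
    Returns value names matching the worm's persistence entry by name or file."""
    return sorted(name for name, data in run_values.items()
                  if name.lower() == RUN_VALUE.lower()
                  or data.lower().rstrip('"').endswith(RUN_DATA_FILE.lower()))


def is_lure_subject(subject):
    """True when the subject is one of the worm's fixed lure subjects."""
    return subject.strip() in LURE_SUBJECTS


def dos_bursts(log_lines):
    """log_lines: constructed 'ISO-timestamp src dst_host' records.
    Returns {(second, host)} where a DoS target got >= DOS_RATE_PER_SECOND hits."""
    counts = Counter()
    for line in log_lines:
        ts, _src, host = line.split()
        if host in DOS_TARGETS:
            counts[(ts[:19], host)] += 1  # ts[:19] truncates to the second
    return {key for key, n in counts.items() if n >= DOS_RATE_PER_SECOND}


# Constructed sample inputs for a stand-alone run
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5556           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5557           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1043        192.0.2.20:80          ESTABLISHED
"""
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "KasperskyAVEng": r"C:\WINDOWS\KasperskyAVEng.exe",
}
SAMPLE_LOG = [
    "2004-04-23T10:15:02.117 192.0.2.10 www.kazaa.com",
    "2004-04-23T10:15:02.380 192.0.2.10 www.kazaa.com",
    "2004-04-23T10:15:02.611 192.0.2.10 www.kazaa.com",
    "2004-04-23T10:15:02.904 192.0.2.10 www.kazaa.com",
    "2004-04-23T10:15:02.250 192.0.2.10 www.emule.de",
    "2004-04-23T10:15:02.750 192.0.2.10 www.emule.de",
    "2004-04-23T10:15:02.500 192.0.2.10 www.example.org",
]

if __name__ == "__main__":
    print("worm ports listening:", suspect_listeners(SAMPLE_NETSTAT))
    print("suspect Run values:", suspect_run_entries(SAMPLE_RUN_VALUES))
    print("lure subject:", is_lure_subject("Mail Delivery Sytem failure"))
    print("DoS bursts:", sorted(dos_bursts(SAMPLE_LOG)))
```

The listener and Run-key checks are the quickest triage on a suspected host; the subject-line check is useful at a mail gateway because the lure has no attachment and is otherwise only identifiable by the remote HTTP fetch it triggers. The burst threshold is deliberately tied to the four-per-second rate in the analysis, so a single second of matching traffic to one of the five sites is enough to flag.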