Netsky.z

Full Version: Netsky.z

GovernmentSecurity.org > System Security > Trojan & Virus Errata

RELiC

Apr 28 2004, 05:50 PM

Netsky.z Detailed Info:

QUOTE

Netsky.z

Risk Rating:
Medium Risk

Aliases: I-Worm.Netsky.aa
Netsky.Z
W32.Netsky.Z@mm
W32/Netsky-Z
W32/Netsky.Z.worm
W32/NetSky.Z@mm
Win32.Netsky.Z
WORM_NETSKY.Z

Virus Characteristics:
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

CODE

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci961097,00.html

This detection is for a new variant of W32/Netsky.

It bears the following characteristics:
harvests email addresses from the victim machine contains its own SMTP engine to construct outgoing messages attaches itself within a ZIP archive to emails the spoof from the victims address and delivers a denial of service payload to certain web sites upon a date condition Mail Propagation

The virus harvests email addresses from files on the victim machine with the following extensions:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.oft
.php
.ods
.pl
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xls
.xml

Messages are constructed using the virus' own SMTP engine.
They bear the following characteristics:
From: spoofed (using harvested email addresses)
Subject: selected from one of the following:

Document
Hello
Hi
Important
Important bill!
Important data!
Important details!
Important document!
Important informations!
Important notice!
Important textfile!
Important!
Information

Attachment:ZIP archive with one of the following filenames:
Bill.zip
Data.zip
Details.zip
Important.zip
Informations.zip
Notice.zip
Part-2.zip
Textfile.zip

The ZIP archive contains the worm.
It is not password protected.
The filename of the worm within the ZIP is chosen to match the subject and ZIP name:
Bill.txt (many spaces) .exe
Data.txt (many spaces) .exe
Details.txt (many spaces) .exe
Important.txt (many spaces) .exe
Informations.txt (many spaces) .exe
Notice.txt (many spaces) .exe
Part-2.txt (many spaces) .exe
Textfile.txt (many spaces) .exe

Denial of Service Payload
Upon a certain date condition, the virus targets the following domains in a denial of service attack (HTTP):
www.nibis.de
www.medinfo.ufl.edu
www.educa.ch

System Changes
The virus installs itself on the victim machine as JAMMER2ND.EXE:
%WinDir%\JAMMER2ND.EXE

The following Registry key is added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run "Jammer2nd" = %WinDir%\JAMMER2ND.EXE

Copies of the worm in a ZIP archive (some Base64 encoded) are written to the victim machine:
PK_ZIPn.LOG (where n is an integer).

Symptoms
Outgoing DNS queries to one of the following hard-coded IP addresses:
145.253.2.171
151.189.13.35
193.141.40.42
193.189.244.205
193.193.144.12
193.193.158.10
194.25.2.129
194.25.2.130
194.25.2.131
194.25.2.132
194.25.2.133
194.25.2.134
195.185.185.195
195.20.224.234
212.185.252.136
212.185.252.73
212.185.253.70
212.44.160.8
212.7.128.162
212.7.128.165
213.191.74.19
217.5.97.137

Existence of the files and Registry keys detailed above

Method Of Infection
This worm spreads by email, constructing messages using its own SMTP engine.

CODE

http://vil.nai.com

../

u533m3n0t

Apr 28 2004, 06:58 PM

How about version AB...

Several Netsky variants will start a new Distributed Denial-of-Service attack either today or on Sunday, targeting these three sites:

nibis.de
educa.ch
medinfo.ufl.edu

The administrators of these sites have been warned, and they have taken measures to protect themselves against the attacks.

The worm's file is a packed PE executable 17920 bytes long.

Installation to system
Upon execution NetSky.AB copies itself as 'csrss.exe' file to Windows folder and adds a startup key for this file into System Registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BagleAV" = "%WinDir%\csrss.exe"
where %WinDir% represents Windows folder name.

Email spreading
The worm scans all hard drives from C: to Z: to harvest e-mail addresses. The worm looks for e-mail addresses in files with the following extensions:
.eml
.txt
.php
.cfg
.mbx
.mdx
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.pl
.htm
.html
.sht
.oft
.msg
.ods
.stm
.xls
.jsp
.wsh
.xml
.mht
.mmf
.nch
.ppt

Netsky.AB worm ignores e-mail addresses that contain any of the following strings:
Microsoft
antivi
symantec
spam
avp
bitdefender
norman
mcafee
kaspersky
f-pro
norton
fbi
abuse
messagelabs
skynet
fsecur
pandasoftware
freeav
sophos
antivir
iruslis

The worm composes e-mails with different subject and body texts. Here is the list of subject texts that the worm uses:
Correction
Hurts
Privacy
Password
Criminal
Pictures
Text
Money
Stolen
Found
Numbers
Funny
Only love?
More samples
Picture
Letter
Question
Illegal

The worm uses one of the following text strings as body text for an infected message:
Please use the font arial!
How can I help you?
Still?
I've your password. Take it easy!
Why do you show your body?
Hey, are you criminal?
Your pictures are good!
The text you sent to me is not so good!
True love letter?
Do you have no money?
Do you have asked me?
I've found your creditcard. Check the data!
Are your numbers correct?
You have no chance...
Wow! Why are you so shy?
Do you have more samples?
Do you have more photos about you?
Do you have written the letter?
Does it hurt you?
Please do not sent me your illegal stuff again!!!

Netsky.AB attaches its executable file to e-mails that it sends out. The attachment name is selected from the following variants:
corrected_doc.pif
hurts.pif
document1.pif
passwords02.pif
image034.pif
myabuselist.pif
your_picture01.pif
your_text01.pif
your_letter.pif
your_bill.pif
my_stolen_document.pif
visa_data.pif
pin_tel.pif
your_text.pif
loveletter02.pif
all_pictures.pif
your_letter_03.pif
your_picture.pif
abuses.pif

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.