Full Version: Netsky.z
RELiC
Netsky.z Detailed Info:
QUOTE
Netsky.z

Risk Rating:
Medium Risk

Aliases: I-Worm.Netsky.aa
Netsky.Z
W32.Netsky.Z@mm
W32/Netsky-Z
W32/Netsky.Z.worm
W32/NetSky.Z@mm
Win32.Netsky.Z
WORM_NETSKY.Z


Virus Characteristics:
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci961097,00.html
This detection is for a new variant of W32/Netsky.

It bears the following characteristics:
harvests email addresses from the victim machine
contains its own SMTP engine to construct outgoing messages
attaches itself within a ZIP archive to emails
spoofs the From: address (using harvested addresses)
delivers a denial of service payload to certain web sites upon a date condition

Mail Propagation

The virus harvests email addresses from files on the victim machine with the following extensions:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.oft
.php
.ods
.pl
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xls
.xml


Messages are constructed using the virus' own SMTP engine.
They bear the following characteristics:
From: spoofed (using harvested email addresses)
Subject: selected from one of the following:


Document
Hello
Hi
Important
Important bill!
Important data!
Important details!
Important document!
Important informations!
Important notice!
Important textfile!
Important!
Information


Attachment: ZIP archive with one of the following filenames:
Bill.zip
Data.zip
Details.zip
Important.zip
Informations.zip
Notice.zip
Part-2.zip
Textfile.zip


The ZIP archive contains the worm.
It is not password protected.
The filename of the worm within the ZIP is chosen to match the subject and ZIP name:
Bill.txt (many spaces) .exe
Data.txt (many spaces) .exe
Details.txt (many spaces) .exe
Important.txt (many spaces) .exe
Informations.txt (many spaces) .exe
Notice.txt (many spaces) .exe
Part-2.txt (many spaces) .exe
Textfile.txt (many spaces) .exe


Denial of Service Payload
Upon a certain date condition, the virus targets the following domains in a denial of service attack (HTTP):
www.nibis.de
www.medinfo.ufl.edu
www.educa.ch


System Changes
The virus installs itself on the victim machine as JAMMER2ND.EXE:
%WinDir%\JAMMER2ND.EXE

The following Registry key is added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Jammer2nd" = %WinDir%\JAMMER2ND.EXE


Copies of the worm in a ZIP archive (some Base64 encoded) are written to the victim machine:
PK_ZIPn.LOG (where n is an integer).

Symptoms
Outgoing DNS queries to one of the following hard-coded IP addresses:
145.253.2.171
151.189.13.35
193.141.40.42
193.189.244.205
193.193.144.12
193.193.158.10
194.25.2.129
194.25.2.130
194.25.2.131
194.25.2.132
194.25.2.133
194.25.2.134
195.185.185.195
195.20.224.234
212.185.252.136
212.185.252.73
212.185.253.70
212.44.160.8
212.7.128.162
212.7.128.165
213.191.74.19
217.5.97.137


Existence of the files and Registry keys detailed above

Method Of Infection
This worm spreads by email, constructing messages using its own SMTP engine.
http://vil.nai.com
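The attachment trick described in the write-up above (a member named like Bill.txt, then a long run of spaces, then .exe, inside a ZIP that is not password protected) is something a mail gateway can check for directly. The following is an added example, not code from the McAfee description or from the poster: it builds a constructed message with a ZIP attachment whose member name mirrors the described pattern (the member content is a placeholder byte string, not the worm), then walks the attachments and reports why each name is suspicious. The extension lists and the reason strings are my own choices.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions a gateway should never pass unquarantined. Netsky.Z hides an .exe
# inside a ZIP; other mass-mailers attach .pif/.scr directly. (Assumed list.)
EXEC_EXT = re.compile(r"\.(exe|pif|scr|com|bat|cmd|vbs|wsh)$", re.IGNORECASE)

# "Bill.txt<many spaces>.exe": a harmless-looking extension, two or more
# whitespace characters to push the real one out of view in a file dialog,
# then an executable extension at the very end of the name.
PADDED_DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,5}\s{2,}\.(exe|pif|scr|com)$", re.IGNORECASE)


def classify_name(name: str) -> list[str]:
    """Return the reasons a filename is suspicious (empty list if none)."""
    reasons = []
    if PADDED_DOUBLE_EXT.search(name):
        reasons.append("whitespace-padded double extension")
    if EXEC_EXT.search(name):
        reasons.append("executable extension")
    return reasons


def inspect_zip(data: bytes) -> dict[str, list[str]]:
    """Map each ZIP member name to its suspicion reasons.

    Encrypted members are reported as well: Netsky.Z does not password-protect
    its archive, but a gateway that cannot open a member cannot scan it either.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_name(info.filename)
            if info.flag_bits & 0x1:  # general-purpose bit 0 = encrypted
                reasons.append("encrypted member")
            if reasons:
                findings[info.filename] = reasons
    return findings


def inspect_message(msg: EmailMessage) -> dict[str, list[str]]:
    """Collect findings for every attachment, keyed by attachment (and member) name."""
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        # Detect ZIPs by the local file header, not by the declared MIME type.
        if payload[:4] == b"PK\x03\x04":
            for member, why in inspect_zip(payload).items():
                findings[f"{name}:{member}"] = why
        reasons = classify_name(name)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample() -> EmailMessage:
    """Constructed sample mirroring the described Netsky.Z mail; not a real capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder bytes only: this is not the worm, just a marker payload.
        zf.writestr("Bill.txt" + " " * 60 + ".exe", b"MZ-placeholder-not-a-binary")
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "someone@example.org"   # spoofed from a harvested address
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Important bill!"
    msg.set_content("See the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Bill.zip")
    return msg


if __name__ == "__main__":
    for item, why in inspect_message(build_sample()).items():
        print(repr(item), "->", ", ".join(why))
```

The ZIP itself (Bill.zip) is not flagged; the member inside it is, on both counts. Checking the member name rather than the outer attachment is the point: the outer name is chosen to look like a document.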
u533m3n0t
How about version AB...


Several Netsky variants will start a new Distributed Denial-of-Service attack either today or on Sunday, targeting these three sites:


nibis.de
educa.ch
medinfo.ufl.edu


The administrators of these sites have been warned, and they have taken measures to protect themselves against the attacks.

The worm's file is a packed PE executable 17920 bytes long.


Installation to system
Upon execution NetSky.AB copies itself as a file named 'csrss.exe' to the Windows folder and adds a startup key for this file to the System Registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BagleAV" = "%WinDir%\csrss.exe"
where %WinDir% represents Windows folder name.


Email spreading
The worm scans all hard drives from C: to Z: to harvest e-mail addresses. The worm looks for e-mail addresses in files with the following extensions:
.eml
.txt
.php
.cfg
.mbx
.mdx
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.pl
.htm
.html
.sht
.oft
.msg
.ods
.stm
.xls
.jsp
.wsh
.xml
.mht
.mmf
.nch
.ppt


The Netsky.AB worm ignores e-mail addresses that contain any of the following strings:
Microsoft
antivi
symantec
spam
avp
bitdefender
norman
mcafee
kaspersky
f-pro
norton
fbi
abuse
messagelabs
skynet
fsecur
pandasoftware
freeav
sophos
antivir
iruslis


The worm composes e-mails with different subject and body texts. Here is the list of subject texts that the worm uses:
Correction
Hurts
Privacy
Password
Criminal
Pictures
Text
Money
Stolen
Found
Numbers
Funny
Only love?
More samples
Picture
Letter
Question
Illegal


The worm uses one of the following text strings as body text for an infected message:
Please use the font arial!
How can I help you?
Still?
I've your password. Take it easy!
Why do you show your body?
Hey, are you criminal?
Your pictures are good!
The text you sent to me is not so good!
True love letter?
Do you have no money?
Do you have asked me?
I've found your creditcard. Check the data!
Are your numbers correct?
You have no chance...
Wow! Why are you so shy?
Do you have more samples?
Do you have more photos about you?
Do you have written the letter?
Does it hurt you?
Please do not sent me your illegal stuff again!!!


Netsky.AB attaches its executable file to e-mails that it sends out. The attachment name is selected from the following variants:
corrected_doc.pif
hurts.pif
document1.pif
passwords02.pif
image034.pif
myabuselist.pif
your_picture01.pif
your_text01.pif
your_letter.pif
your_bill.pif
my_stolen_document.pif
visa_data.pif
pin_tel.pif
your_text.pif
loveletter02.pif
all_pictures.pif
your_letter_03.pif
your_picture.pif
abuses.pif


Invision Power Board © 2001-2005 Invision Power Services, Inc.