I-Worm.Netsky.r Viruses Information

Name: I-Worm.Netsky.r
Category: Viruses
Description:
I-Worm.Netsky.r

This worm spreads via the Internet as an attachment to infected messages.
The worm itself is a Windows PE EXE file of approximately 26KB, packed using Petite, and written in Microsoft Visual C++.
Characteristics of infected messages:
Message header (chosen at random from the list below):
Deliver Mail
Delivered Message
Delivery
Delivery Bot
Delivery Error
Delivery Failed
Delivery Failure
Error
Failed
Failure
Mail Delivery failure
Mail Delivery System
Mail System
Server Error
Status
Unknown Exception
The recipient's address is also shown.
Message body (chosen and compiled from the list below):
Delivery Agent - Translation failed
Delivery Failure - Invalid mail specification
Mail Delivery - This mail couldn't be displayed
Mail Delivery Error - This mail contains unicode characters
Mail Delivery Failed - This mail couldn't be represented
Mail Delivery Failure - This mail couldn't be shown.
Mail Delivery System - This mail contains binary characters
Mail Transaction Failed - This mail couldn't be converted
Note: Received message has been sent as a binary file.
Modified message has been sent as a binary attachment.
Received message has been sent as an encoded attachment.
Translated message has been attached.
Message has been sent as a binary attachment.
Received message has been attached.
Partial message is available and has been sent as a binary attachment.
The message has been sent as a binary attachment.
The text below may also be used as the message body:
Or you can view the message at: www.[recipient domain]/inmail/[recipient name]/mread.php?sessionid-[random value]
An example of how this text might appear in the message:
Or you can view the message at: www.[kaspersky.com]/inmail/[test]/mread.php?sessionid-[4321]
Attachment name (chosen at random from the list below):
data
mail
msg
message
A random number and an extension are appended to the attachment names listed above.
The worm is activated when the user launches the infected file by double-clicking the attachment. The worm may also send messages that exploit the Internet Explorer vulnerability in which a MIME header is processed incorrectly, so that the attachment is executed when the message is viewed, without the user opening it. This vulnerability is described in Microsoft Security Bulletin MS01-020.
The worm then installs itself on the system and starts propagating.
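The message characteristics above (the fixed subject list, the body assembled from a small set of fragments, the lure URL built from the recipient's own domain and mailbox name, and the stem-plus-number attachment name) are enough for a mail-gateway check. The following Python is an added example written for this page; it is not code from the original description or from any vendor. The two messages it scans are constructed here, the way the recipient's address is appended to the subject, the attachment extension and the two-indicator threshold are assumptions (the description does not specify them), and example.net and example.org are placeholder domains.

```python
import email
import email.utils
import re
from email import policy

# Subject lines the worm picks from (taken from the description above).
SUBJECTS = (
    "Deliver Mail", "Delivered Message", "Delivery", "Delivery Bot",
    "Delivery Error", "Delivery Failed", "Delivery Failure", "Error", "Failed",
    "Failure", "Mail Delivery failure", "Mail Delivery System", "Mail System",
    "Server Error", "Status", "Unknown Exception",
)
# Fragments the worm assembles its body from (taken from the description above).
BODY_PHRASES = (
    "Translation failed", "Invalid mail specification",
    "This mail couldn't be displayed", "This mail contains unicode characters",
    "This mail couldn't be represented", "This mail couldn't be shown",
    "This mail contains binary characters", "This mail couldn't be converted",
    "has been sent as a binary file", "has been sent as a binary attachment",
    "has been sent as an encoded attachment", "message has been attached",
)
# Attachment name: one of four stems, a random number, then an extension. The
# description does not name the extension, so any short one is accepted.
ATTACH_RE = re.compile(r"^(?:data|mail|msg|message)\d+\.[A-Za-z0-9]{1,4}$", re.I)
# Lure URL: www.<recipient domain>/inmail/<recipient name>/mread.php?sessionid-<n>
URL_RE = re.compile(
    r"www\.([\w.-]+)/inmail/([^/\s]+)/mread\.php\?sessionid-(\d+)", re.I)


def score_message(raw: bytes) -> dict:
    """Return the Netsky.r lure indicators found in one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    # The worm may append the recipient's address to the subject; its exact
    # layout is not described, so accept any subject that starts with a lure.
    subject = str(msg["Subject"] or "").strip()
    if any(subject == s or subject.startswith(s + " ") for s in SUBJECTS):
        hits.append("subject")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    lowered = text.lower()
    # Two fragments together are distinctive; single ones occur in real bounces.
    if sum(p.lower() in lowered for p in BODY_PHRASES) >= 2:
        hits.append("body")

    # The lure URL is built from the recipient's own address: compare it to To:.
    _, rcpt = email.utils.parseaddr(str(msg["To"] or ""))
    local, _, domain = rcpt.rpartition("@")
    m = URL_RE.search(text)
    if m and domain and m.group(1).lower() == domain.lower() \
            and m.group(2).lower() == local.lower():
        hits.append("self-referential url")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACH_RE.match(name):
            hits.append("attachment:" + name)
            break

    # Two-indicator threshold is an assumption of this example, not of the page.
    return {"hits": hits, "suspicious": len(hits) >= 2}


# Constructed sample shaped like the message described above (not a capture).
SAMPLE = b"""\
From: "Mail Delivery System" <postmaster@example.net>
To: alice@example.net
Subject: Delivery Failed alice@example.net
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Mail Delivery Failed - This mail couldn't be represented
Received message has been sent as a binary attachment.
Or you can view the message at: www.example.net/inmail/alice/mread.php?sessionid-4321

--b1
Content-Type: application/octet-stream; name="message4321.exe"
Content-Disposition: attachment; filename="message4321.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAA
--b1--
"""

# Constructed ordinary message that happens to use one of the lure subjects.
BENIGN = b"""\
From: bob@example.org
To: alice@example.net
Subject: Status
Content-Type: text/plain

Hi Alice, the weekly status report is in the shared folder.
"""
```

`score_message(SAMPLE)` reports all four indicators and flags the message; `score_message(BENIGN)` reports only the subject match and is not flagged, which is the point of requiring two indicators: "Status" and "Error" are ordinary subject lines, and a single body fragment also appears in genuine bounce notices. The self-referential URL check is the strongest single signal, since a real mail system has no reason to point the recipient at a page under the recipient's own domain.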
Installation
When installing, the worm copies itself under the name SysMonXP.exe to the Windows directory, and registers this file in the system registry. This ensures that the file will launch each time the system is started.
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
SysMonXP = %windir%\SysMonXP.exe
It also extracts a file named firewalllogger.txt from its own body and writes it to the Windows directory. On launch, the worm may open WordPad with a file named tmp.eml loaded into it.
It creates the mutex "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_" to flag its presence on the system, which prevents more than one copy of the worm from running at the same time.
The worm may also install additional copies of itself to the system under the following names:
base64.tmp
zippedbase64.tmp
zipo0.txt
zipo1.txt
zipo2.txt
zipo3.txt
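The installation artifacts above (the SysMonXP autorun value, the copy in the Windows directory, the dropped files and the mutex name) are the host indicators an incident responder sweeps for. The Python below is an added example, not part of the original description: it parses a registry export in regedit 5.00 format and matches it, together with a file listing and a list of mutex names, against those indicators. All three inputs are constructed here; the export layout assumes the Run key the description gives (written out as HKEY_LOCAL_MACHINE, as `reg export` does), and the file and mutex lists stand in for whatever enumeration output a responder actually has.

```python
import re
from typing import Dict, List

# Host indicators from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SysMonXP"
DROPPED_FILES = (
    "SysMonXP.exe", "firewalllogger.txt",
    "base64.tmp", "zippedbase64.tmp",
    "zipo0.txt", "zipo1.txt", "zipo2.txt", "zipo3.txt",
)
MUTEX = "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_"

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export (regedit 5.00 format) into {key path: {value name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # REG_SZ: strip the quotes and undo the export's backslash escaping.
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            current[name] = data
    return keys


def sweep(reg_text: str, file_names: List[str], mutex_names: List[str]) -> dict:
    """Match a registry export, a file listing and a mutex list against the IOCs."""
    keys = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    run_values = keys.get(RUN_KEY.lower(), {})
    # Flag the value by name, and any Run entry whose data points at the copy,
    # so a renamed value name does not hide the persistence.
    registry_hits = [
        name for name, data in run_values.items()
        if name.lower() == RUN_VALUE.lower()
        or data.lower().endswith("\\" + RUN_VALUE.lower() + ".exe")
    ]
    wanted = {f.lower() for f in DROPPED_FILES}
    file_hits = sorted({f for f in file_names if f.lower() in wanted})
    return {
        "registry": registry_hits,
        "files": file_hits,
        "mutex": MUTEX in mutex_names,
    }


# Constructed inputs (not from a real host): an export of the Run key, a listing
# of the Windows directory, and mutex names as a handle-enumeration tool lists them.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SysMonXP"="C:\\WINDOWS\\SysMonXP.exe"
"""
SAMPLE_WINDIR = ["explorer.exe", "win.ini", "SysMonXP.exe", "firewalllogger.txt"]
SAMPLE_MUTEXES = ["ExampleAppSingleInstance", MUTEX]
```

On a live host the first argument is the output of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (decode the file first; regedit 5.00 exports are written as UTF-16), the second is a directory listing of %windir%, and the third is the list of named mutants from a handle-enumeration tool. Matching is case-insensitive throughout because registry paths and NTFS file names are, while the mutex name is compared exactly, since mutex names are case-sensitive and this one is distinctive enough to serve as a precise indicator.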
Mass mailing
The worm searches for files with the extensions listed below:
a
ad
adb
as
asp
c
cf
cfg
cg
cgi
d
db
dbx
dh
dht
dhtm
do
doc
e
em
eml
h
ht
htm
html
j
js
jsp
m
mb
mbx
md
mdx
mh
mht
mm
mmf
ms
msg
n
nc
nch
o
od
ods
of
oftp
ph
php
pl
pp
ppt
r
rt
rtf
s
sh
sht
shtm
st
stm
t
tb
tbb
tx
txt
u
ui
uin
v
vb
vbs
w
wa
wab
ws
wsh
x
xl
xls
xm
xml
From these files the worm harvests email addresses and sends its messages to them. It uses its own SMTP library to send the messages rather than the mail client installed on the system.
Other
The worm deletes the following entries from the Windows system registry:
Explorer
system.
msgsvr32
au.exe
winupd.exe
direct.exe
jijbl
Video
service
DELETE ME
d3dupdate.exe
OLE
Sentry
gouday.exe
rate.exe
Taskmon
Windows Services Host
sysmon.exe
srate.exe
ssate.exe
Microsoft IE Execute shell
Winsock2 driver
ICM version
yeahdude.exe
Microsoft System Checkup
If the system date matches a date hard-coded in the worm, it conducts DDoS attacks on the following sites:
www.edonkey2000.com
www.kazaa.com
www.emule-project.net
www.cracks.am
www.cracks.st
© 2006-2008 spyware32.com