01.03.04 15:20

Netsky.D is spreading massively!

By: admin

Owing to a viral illness, I am currently writing down only the essential facts about the new computer virus Netsky.D.

 

 

Name: Win32.Netsky.D@mm

Aliases: W32/Netsky.d@MM

Type: Executable Mass Mailer Worm

Size: 17424 bytes (packed)

Discovered: 01.03.2004

Detected: 01.03.2004

Spreading: Low

Damage: Low

In The Wild: Yes

 

Symptoms:

Presence of the following file in the Windows directory (%WINDIR%):

"winlogon.exe"

 

Presence of the following entry in "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" registry key:

"ICQ Net" = "winlogon.exe -stealth"

 

Technical description:

This variant of the NetSky worm (.D) spreads only via e-mail (in contrast with previous versions, which spread through some P2P applications as well), sending itself to e-mail addresses found on the infected computer.

 

The worm arrives in the following e-mail format:

 

Subject - randomly chosen from the following strings:

"Re: Re: Document"

"Re: Re: Thanks!"

"Re: Thanks!"

"Re: Your document"

"Re: Here is the document"

"Re: Your picture"

"Re: Re: Message"

"Re: Hi"

"Re: Hello"

"Re: Re: Re: Your document"

"Re: Here"

"Re: Your music"

"Re: Your software"

"Re: Approved"

"Re: Details"

"Re: Excel file"

"Re: Word file"

"Re: My details"

"Re: Your details"

"Re: Your bill"

"Re: Your text"

"Re: Your archive"

"Re: Your letter"

"Re: Your product"

"Re: Your website"

 

Body - randomly chosen from the following strings:

"Your document is attached."

"Here is the file."

"See the attached file for details."

"Please have a look at the attached file."

"Please read the attached file."

"Your file is attached."

 

Attached filename (and extension) - randomly chosen from the following strings:

"your_document.pif"

"your_document.pif"

"document.pif"

"message_part2.pif"

"your_document.pif"

"document_full.pif"

"your_picture.pif"

"message_details.pif"

"your_file.pif"

"your_picture.pif"

"document_4351.pif"

"yours.pif"

"mp3music.pif"

"application.pif"

"all_document.pif"

"my_details.pif"

"document_excel.pif"

"document_word.pif"

"my_details.pif"

"your_details.pif"

"your_bill.pif"

"your_text.pif"

"your_archive.pif"

"your_letter.pif"

"your_product.pif"

"your_website.pif"
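As an added example, not part of the BitDefender description, the following Python check lets a mail gateway or an analyst test a raw RFC 822 message against the e-mail format listed above. The subject, body and attachment-name strings are copied from the lists; the sample message at the end is constructed for this demonstration.

```python
# Added example, not BitDefender's code: flag a raw RFC 822 message matching the Netsky.D
# e-mail format above. Indicator strings copied from the lists (duplicates collapsed); SAMPLE is constructed.
from email import message_from_string

SUBJECTS = {"Re: Re: Document", "Re: Re: Thanks!", "Re: Thanks!", "Re: Your document",
            "Re: Here is the document", "Re: Your picture", "Re: Re: Message", "Re: Hi", "Re: Hello",
            "Re: Re: Re: Your document", "Re: Here", "Re: Your music", "Re: Your software",
            "Re: Approved", "Re: Details", "Re: Excel file", "Re: Word file", "Re: My details",
            "Re: Your details", "Re: Your bill", "Re: Your text", "Re: Your archive",
            "Re: Your letter", "Re: Your product", "Re: Your website"}
BODIES = {"Your document is attached.", "Here is the file.", "See the attached file for details.",
          "Please have a look at the attached file.", "Please read the attached file.",
          "Your file is attached."}
ATTACHMENTS = {"your_document.pif", "document.pif", "message_part2.pif", "document_full.pif",
               "your_picture.pif", "message_details.pif", "your_file.pif", "document_4351.pif",
               "yours.pif", "mp3music.pif", "application.pif", "all_document.pif", "my_details.pif",
               "document_excel.pif", "document_word.pif", "your_details.pif", "your_bill.pif",
               "your_text.pif", "your_archive.pif", "your_letter.pif", "your_product.pif",
               "your_website.pif"}

def netsky_d_indicators(raw_message: str) -> set[str]:
    """Return the names of the Netsky.D e-mail indicators the message matches."""
    msg = message_from_string(raw_message)
    hits = set()
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.add("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.add("attachment-name")
        elif name.endswith(".pif"):
            hits.add("pif-attachment")  # the worm never uses another extension
        elif not name and part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("latin-1", "replace")
            if body.strip() in BODIES:
                hits.add("body")
    return hits

def is_netsky_d(raw_message: str) -> bool:
    """Flag only a .pif attachment combined with one of the fixed texts, so a
    genuine reply titled "Re: Hi" with no attachment is left alone."""
    hits = netsky_d_indicators(raw_message)
    return bool(hits & {"attachment-name", "pif-attachment"}) and bool(hits & {"subject", "body"})

# Constructed sample in the worm's format; "MZ..." stands in for the executable body.
SAMPLE = ("Subject: Re: Your document\nMIME-Version: 1.0\n"
          'Content-Type: multipart/mixed; boundary="b1"\n\n'
          "--b1\nContent-Type: text/plain\n\nYour document is attached.\n"
          '--b1\nContent-Type: application/octet-stream; name="your_document.pif"\n'
          'Content-Disposition: attachment; filename="your_document.pif"\n\nMZ...\n--b1--\n')
```

A renamed .pif attachment still raises the weaker "pif-attachment" indicator, so the verdict does not depend on the exact filename list alone.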

 

When the user double-clicks the e-mail attachment, the worm does the following:

 

- copies itself to the Windows directory (%WINDIR%) as "winlogon.exe";

 

- adds the following entry to the "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" registry key:

"ICQ net" = "winlogon.exe -stealth"

(so it will be executed each time Windows starts up);

 

- disables some antivirus software and other known worms (such as Win32.Mydoom.A@mm and Win32.Mydoom.B@mm) by deleting relevant registry keys;

 

- scans the infected computer for e-mail addresses in files whose extension is one of the following:

".eml"

".txt"

".php"

".pl"

".htm"

".html"

".vbs"

".rtf"

".uin"

".asp"

".wab"

".doc"

".adb"

".tbb"

".dbx"

".sht"

".oft"

".msg"

".shtm"

".cgi"

".dhtm"

 

- creates and sends e-mails to these addresses in the format described above;

 

- on 1 March 2004, between 6:00 and 9:00 am (local time, not GMT), the worm plays sounds of random tone and duration through the computer's speaker.

 

 

This variant (.D) uses an improved routine for sending itself by e-mail, allowing it to spread several times faster than the previous variants (.A - .C).

 

The worm avoids sending itself to addresses containing at least one of the following strings:

"icrosoft"

"antivi"

"ymantec"

"spam"

"avp"

"f-secur"

"itdefender"

"orman"

"cafee"

"aspersky"

"f-pro"

"orton"

"fbi"

"abuse"

"messagelabs"

"skynet"

 

 

Source: bitdefender.de

