RE: [DMCForum] New Worm (virus) Outbreak - Netsky.B
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [DMCForum] New Worm (virus) Outbreak - Netsky.B



Dave,
For the last 3 weeks I have been flooded with the virus. The files are about
31 to 32 KB so I go into Twig and look at email on the server before I even
down load it. This week I have had only 2 or 3 but the weeks before I had
100's.
Thank goodness for McAfee fire wall and virus checker.
John Hervey


  -----Original Message-----
  From: Dave Stragand [mailto:dave.stragand@xxxxxxxxxxxxxxx]
  Sent: Wednesday, February 18, 2004 3:32 PM
  To: sigtri-l@xxxxxxxxxxxxx; Forward Look Mailing List;
DMCForum@xxxxxxxxxxxxxxx
  Subject: [DMCForum] New Worm (virus) Outbreak - Netsky.B


  I've gotten this in my mailbox about 10 times in the last four hours, so
  keep an eye out.  As always, if you're not expecting an attachment from
  someone, DON'T OPEN IT!

  -Dave

  http://story.news.yahoo.com/news?tmpl=story

<http://story.news.yahoo.com/news?tmpl=story&cid=582&e=1&u=/nm/20040218/wr_n
  m/tech_worm_netskyb_dc>
  &cid=582&e=1&u=/nm/20040218/wr_nm/tech_worm_netskyb_dc

  SEATTLE (Reuters) - A new worm called "Netsky.B" emerged on the Internet
on
  Wednesday, spreading by mimicking familiar e-mail addresses and enticing
  users to open file attachments containing malicious software, security
  experts said.


  Most computer security companies rated the worm a medium-grade threat,
  describing it more of an annoyance rather than a malicious virus that
  destroys files or makes computer vulnerable to attacks.



  "It's a very low infection rate virus," said David Perry, global education
  director at Trend Micro Inc., adding that newer, more infectious versions
  could be in the pipeline.



  The worm, once activated, forwards itself to e-mail addresses found on an
  infected computer's hard drive.



  Netsky.B usually arrives in e-mail boxes appearing as e-mail from a
familiar
  person with an attachment that appears to be a Microsoft Word document
with
  the words "read it immediately" or "something for you" making it tricky to
  identify.



  Anti-virus software and services provider Network Associates Inc. said the
  worm's activity appeared to be concentrated in Europe, particularly the
  Netherlands.



  Both businesses and consumers were being hit by the fast-spreading worm.


  <http://vil.nai.com/vil/content/v_101034.htm>
  http://vil.nai.com/vil/content/v_101034.htm


  The virus may be received in an email message as follows:


  From: (forged address taken from infected system) or skynet@xxxxxxxxx
  Subject: (one of the following)

  *      fake

  *      for

  *      hello

  *      hi

  *      immediately

  *      information

  *      it

  *      read

  *      something

  *      stolen

  *      unknown

  *      warning

  *      you

  Body : (one of the following)

  *      about me

  *      anything ok?

  *      do you? that's funny

  *      from the chatter

  *      greetings

  *      here

  *      here is the document.

  *      here it is

  *      here, the cheats

  *      here, the introduction

  *      here, the serials

  *      i found this document about you

  *      I have your password!

  *      i hope it is not true!

  *      i wait for a reply!

  *      i'm waiting ok

  *      information about you

  *      is that from you?

  *      is that true?

  *      is that your account?

  *      is that your name?

  *      kill the writer of this document!

  *      my hero

  *      read it immediately!

  *      read the details.

  *      reply

  *      see you

  *      something about you!

  *      something is fool

  *      something is going wrong

  *      something is going wrong!

  *      stuff about you?

  *      take it easy

  *      that is bad

  *      thats wrong why?

  *      what does it mean?

  *      yes, really?

  *      you are a bad writer

  *      you are bad

  *      you earn money

  *      you feel the same

  *      you try to steal

  *      your name is wrong

  Attachment: (one of the following names)

  *      aboutyou

  *      attachment

  *      bill

  *      concert

  *      creditcard

  *      details

  *      dinner

  *      disco

  *      doc

  *      document

  *      final

  *      found

  *      friend

  *      jokes

  *      location

  *      mail2

  *      mails

  *      me

  *      message

  *      misc

  *      msg

  *      nomoney

  *      note

  *      object

  *      part2

  *      party

  *      posting

  *      product

  *      ps

  *      ranking

  *      release

  *      shower

  *      story

  *      stuff

  *      swimmingpool

  *      talk

  *      textfile

  *      topseller

  *      website

  May be followed by:

  *      .doc

  *      .htm

  *      .rtf

  *      .text

  Followed by:

  *      .com

  *      .exe

  *      .pif

  *      .scr

  The attachment may have a double-extension, such as .rtf.pif, and may be
  contained in a .ZIP file.

  The mailing component harvests address from the local system.  Files with
  the following extensions are targeted:

  *      .adb

  *      .asp

  *      .dbx

  *      .doc

  *      .eml

  *      .htm

  *      .html

  *      .msg

  *      .oft

  *      .php

  *      .pl

  *      .rtf

  *      .sht

  *      .tbb

  *      .txt

  *      .uin

  *      .vbs

  *      .wab

  The virus sends itself via SMTP - constructing messages using its own SMTP
  engine. It queries the DNS server for the MX record and connects directly
to
  the MTA of the targeted domain and sends the message.

  System changes
  When executed, a fake error message may be displayed.

  The worm copies itself into %windir% folder using the filename
SERVICES.EXE.
  A registry run key is created to load the worm at system start.

  *      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Run "service" = C:\WINNT\services.exe -serv

  Network propagation/Peer to Peer propagation
  The worm copies itself to directories named share or sharing on the local
  system and on mapped network drives. This will result in propagation via
  KaZaa, Bearshare, Limewire, and other P2P application that use shared
folder
  names containing the words share or sharing.  The filenames are included
in
  the worm and chosen randomly:

  *      angels.pif

  *      cool screensaver.scr

  *      dictionary.doc.exe

  *      dolly_buster.jpg.pif

  *      doom2.doc.pif

  *      e.book.doc.exe

  *      e-book.archive.doc.exe

  *      eminem - lick my pussy.mp3.pif

  *      hardcore porn.jpg.exe

  *      how to hack.doc.exe

  *      matrix.scr

  *      max payne 2.crack.exe

  *      nero.7.exe

  *      office_crack.exe

  *      photoshop 9 crack.exe

  *      porno.scr

  *      programming basics.doc.exe

  *      rfc compilation.doc.exe

  *      serial.txt.exe

  *      sex sex sex sex.doc.exe

  *      strippoker.exe

  *      virii.scr

  *      win longhorn.doc.exe

  *      winxp_crack.exe

  The worm also drops numerous ZIP files containing the worm (22,016 bytes).
  The compressed file frequently uses a double extension like .doc.pif,
  .rtf.com, .rtf.scr). The list of ZIP names is hardcoded in the virus body:

  *      aboutyou.zip

  *      attachment.zip

  *      bill.zip

  *      concert.zip

  *      creditcard.zip

  *      details.zip

  *      dinner.zip

  *      disco.zip

  *      final.zip

  *      found.zip

  *      friend.zip

  *      jokes.zip

  *      location.zip

  *      mail2.zip

  *      mails.zip

  *      me.zip

  *      message.zip

  *      misc.zip

  *      msg.zip

  *      nomoney.zip

  *      note.zip

  *      object.zip

  *      part2.zip

  *      party.zip

  *      posting.zip

  *      product.zip

  *      ps.zip

  *      ranking.zip

  *      release.zip

  *      shower.zip

  *      story.zip

  *      stuff.zip

  *      swimmingpool.zip

  *      talk.zip

  *      textfile.zip

  *      topseller.zip

  *      website.zip

  Mydoom virus removal
  The virus removes the following registry values to deactivate Mydoom.a and
  Mydoom.b.

  *      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Run Taskmon

  *      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Run Explorer

  *      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Run Taskmon

  *      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Run Explorer

  *

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer3
  2

  Other registry keys removed are as follows:

  *      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Run KasperskyAv

  *      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
  CurrentVersion\Run system.





  [Non-text portions of this message have been removed]



----------------------------------------------------------------------------
--
  Yahoo! Groups Links

    a.. To visit your group on the web, go to:
    http://groups.yahoo.com/group/DMCForum/

    b.. To unsubscribe from this group, send an email to:
    DMCForum-unsubscribe@xxxxxxxxxxxxxxx

    c.. Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.



[Non-text portions of this message have been removed]



Yahoo! Groups Links



Home Back to the Home of PROJECT VIXEN


Copyright 2006 ProjectVixen.com.  All rights reserved.

Opinions expressed in posts reflect the views of their respective authors.
DMCForum Mailing List Archive  DMCNews Mailing List Archive  DMC-UK Mailing List Archive