NEW VIRUS NETSKY.T (REQUIRES MCAFEE MINIMUM DATS 4348)

msc hotline sat
Administrator
Posts: 92857
Joined: 09 Mar 2004, 20:39
Location: BARCELONA (SPAIN)

Post by msc hotline sat » 06 Apr 2004, 13:35

Another Netsky was detected today and is handled with minimum DATs 4348 (dated 7-04-2004):



__________________________________________



Internet Worm Name: W32/Netsky.t@MM

Risk Assessment:

    Corporate User: Low

    Home User: Low







Internet Worm Information

Discovery Date: 04/06/2004

Origin: Unknown

Length: 18,432 bytes (UPX packed)

Type: Internet Worm

SubType: E-mail worm

Minimum DAT: 4348

Release Date: 04/07/2004

Minimum Engine: 4.2.40

Description Added: 04/06/2004

Description Modified: 04/06/2004 2:15 AM (PT)








Internet Worm Characteristics:

This variant of W32/Netsky is very similar to W32/Netsky.s@MM. It bears the following characteristics:

- constructs messages using its own SMTP engine

- harvests email addresses from the victim machine

- spoofs the From: address of messages

- opens a port on the victim machine (TCP 6789)

- delivers a DoS attack on certain web sites upon a specific date condition

The EXTRA.DAT posted for W32/Netsky.s@MM will detect this threat as virus or variant W32/Netsky.s@MM (with the scanning of compressed files enabled).



System Changes



Just like its predecessor, the worm installs itself on the victim machine as EASYAV.EXE in the Windows directory. For example:



%WinDir%\EASYAV.EXE

The following Registry key is added to hook system startup:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"EasyAV" = %WinDir%\EASYAV.EXE

A base-64 encoded copy of the worm is saved to disk as UINMZERTINMDS.OPM in the Windows directory:



%WinDir%\UINMZERTINMDS.OPM

Remote Access Component



The worm opens port 6789 (TCP) on the victim machine. This facilitates the downloading and execution of files.






Symptoms

- Outgoing DNS query to one of the following DNS servers (IP list carried within the worm):

    212.44.160.8
    195.185.185.195
    151.189.13.35
    213.191.74.19
    193.189.244.205
    145.253.2.171
    193.141.40.42
    194.25.2.134
    194.25.2.133
    194.25.2.132
    194.25.2.131
    193.193.158.10
    212.7.128.165
    212.7.128.162
    193.193.144.12
    217.5.97.137
    195.20.224.234
    194.25.2.130
    194.25.2.129
    212.185.252.136
    212.185.253.70
    212.185.252.73

- Existence of the files/Registry keys detailed above

- TCP port 6789 open on the victim machine
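The indicators in the System Changes, Remote Access Component and Symptoms sections above can be turned into a small triage check. The following Python script is an added example; it is not part of the original post nor of McAfee's description. It assumes a constructed host inventory (a listing of %WinDir%, an export of the Run key, the listening TCP ports, and firewall-style log lines in a made-up "<date> <time> <src> -> <dst>:<port> <proto>" format) and matches each against the file names, Run key value, port 6789 and the DNS server list quoted above.

```python
"""Triage a host against the W32/Netsky.t@MM indicators from the advisory above.

Added example, not part of the original post. The host inventory and the
traffic-log format are constructed for illustration; on a real system the
inputs would come from a directory listing of %WinDir%, an export of the
HKLM\\...\\CurrentVersion\\Run key, 'netstat -an' and the perimeter firewall log.
"""
import ntpath
import re
from dataclasses import dataclass

# Indicators taken from the advisory text.
DROPPED_FILES = {"EASYAV.EXE", "UINMZERTINMDS.OPM"}      # written to %WinDir%
RUN_VALUE_NAME = "EasyAV"                                 # Run key value name
RUN_VALUE_TARGET = "EASYAV.EXE"                           # Run key value data (basename)
BACKDOOR_PORT = 6789                                      # TCP listener opened by the worm
DNS_SERVERS = {                                           # IP list carried within the worm
    "212.44.160.8", "195.185.185.195", "151.189.13.35", "213.191.74.19",
    "193.189.244.205", "145.253.2.171", "193.141.40.42", "194.25.2.134",
    "194.25.2.133", "194.25.2.132", "194.25.2.131", "193.193.158.10",
    "212.7.128.165", "212.7.128.162", "193.193.144.12", "217.5.97.137",
    "195.20.224.234", "194.25.2.130", "194.25.2.129", "212.185.252.136",
    "212.185.253.70", "212.185.252.73",
}


@dataclass(frozen=True)
class Finding:
    indicator: str  # which advisory indicator matched
    evidence: str   # the artefact that triggered it


def check_windows_dir(filenames):
    """Match a listing of %WinDir% against the dropped-file names (case-insensitive)."""
    return [Finding("dropped file", f) for f in filenames if f.upper() in DROPPED_FILES]


def check_run_key(run_values):
    """run_values: {value name: value data} exported from HKLM\\...\\CurrentVersion\\Run."""
    findings = []
    for name, data in run_values.items():
        target = ntpath.basename(data.strip('"')).upper()  # ntpath handles backslashes on any OS
        if name.lower() == RUN_VALUE_NAME.lower() or target == RUN_VALUE_TARGET:
            findings.append(Finding("Run key", f"{name} = {data}"))
    return findings


def check_listeners(listening_tcp_ports):
    """Flag the worm's remote-access port among the host's listening TCP ports."""
    return [Finding("backdoor port", f"TCP {p} listening")
            for p in listening_tcp_ports if p == BACKDOOR_PORT]


# Constructed log format: "<date> <time> <src_ip> -> <dst_ip>:<dst_port> <TCP|UDP>"
LOG_RE = re.compile(r"^\S+ \S+ (\S+) -> (\S+):(\d+) (TCP|UDP)$")


def check_traffic_log(lines):
    """Scan firewall-style log lines for DNS to the embedded servers and for port 6789."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines not in the expected format
        _src, dst, dport, proto = m.groups()
        if proto == "UDP" and int(dport) == 53 and dst in DNS_SERVERS:
            findings.append(Finding("DNS to embedded server", line.strip()))
        if proto == "TCP" and int(dport) == BACKDOOR_PORT:
            findings.append(Finding("backdoor port", line.strip()))
    return findings


def triage(host):
    """Run every check and return all findings for one host inventory."""
    return (check_windows_dir(host["windir_files"])
            + check_run_key(host["run_key"])
            + check_listeners(host["listening_tcp"])
            + check_traffic_log(host["traffic_log"]))


# Constructed inventory of an infected host (not real data).
SAMPLE_HOST = {
    "windir_files": ["explorer.exe", "easyav.exe", "UINMZERTINMDS.OPM", "win.ini"],
    "run_key": {"EasyAV": r"C:\WINDOWS\EASYAV.EXE", "SoundMan": r"C:\WINDOWS\SOUNDMAN.EXE"},
    "listening_tcp": [135, 139, 445, 6789],
    "traffic_log": [
        "2004-04-06 13:35:02 192.168.1.10 -> 194.25.2.129:53 UDP",   # embedded DNS server
        "2004-04-06 13:35:03 192.168.1.10 -> 192.168.1.1:53 UDP",    # local resolver, benign
        "2004-04-06 13:35:05 10.0.0.7 -> 192.168.1.10:6789 TCP",     # inbound to backdoor port
        "2004-04-06 13:36:00 192.168.1.10 -> 192.168.1.20:25 TCP",   # SMTP, not checked here
    ],
}

if __name__ == "__main__":
    for f in triage(SAMPLE_HOST):
        print(f"[{f.indicator}] {f.evidence}")
```

The DNS check is the weakest of the four: the listed addresses are public resolvers, so a site whose clients legitimately use one of them will see hits without an infection. Treat a DNS match as a reason to look at the host, and the dropped files, the "EasyAV" Run value or a listener on TCP 6789 as the confirming indicators.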






Method Of Infection

This worm spreads by email, constructing messages using its own SMTP engine.



__________________________________________



Access link:

http://vil.nai.com/vil/content/v_101161.htm



regards



ms, 06-04-2004