NEW NETSKY.U VIRUS VARIANT, DETECTED FROM McAFEE DATS 4350

Post by msc hotline sat » 14 Apr 2004, 16:41

Another NetSky variant is already circulating on the Internet, massively by e-mail, and is already detected by McAfee DATs 4350:



http://vil.nai.com/vil/content/v_101167.htm



Virus Name: W32/Netsky.u@MM

Risk Assessment: Corporate User: Low / Home User: Low







Virus Information

Discovery Date: 04/07/2004

Origin: Unknown

Length: 18,432 bytes

Type: Virus

SubType: E-mail

Minimum DAT: 4350

DAT Release Date: 04/08/2004

Minimum Engine: 4.2.40

Description Added: 04/07/2004

Description Modified: 04/07/2004 3:43 PM (PT)


Virus Characteristics:

This variant of W32/Netsky is very similar to W32/Netsky.t@MM. It bears the following characteristics:



constructs messages using its own SMTP engine

harvests email addresses from the victim machine

spoofs the From: address of messages

opens a port on the victim machine (TCP 6789)

delivers a DoS attack on certain web sites upon a specific date condition

Mail Propagation



Email addresses are harvested from the victim machine. Files with the following extensions are searched:



.adb

.asp

.cfg

.cgi

.dbx

.dhtm

.doc

.eml

.htm

.html

.jsp

.mbx

.mdx

.mht

.mmf

.msg

.nch

.ods

.oft

.php

.pl

.ppt

.rtf

.sht

.shtm

.stm

.tbb

.txt

.uin

.vbs

.wsh

.wab

.xls

.xml

Constructed messages bear the following characteristics:



From: This is spoofed (using harvested email addresses)

Subject: Taken from the following list



Reply

Again

It's me

Hey

Hello

Hi

Re: Hello

Re: Hi

Body: Various message bodies may be constructed using a pool of strings within the worm. (some letters have been omitted, replaced with *)



Oh, I got it!

To less characters! Take it easy...

I noticed your password for administrative purpuses.

Yet another password! Need a better one?

Oh... your password!

Need a better password? my advice....

Your pwd is critical, too short, to low!

Do not use personal information for your password!

Your password on a website?

Passwordlist? yours?

I needed only 2 hours to get your password.

Change your password! I have stolen some text, excuse me!

Dictionary attacks are good. Your password not!

I used the brute-force method to get your password..

Take it easy... Your password is too short.

I 've got your password! take it easy...

Hey, easy passwords!

Oh! Excuse me, your password is too easy!!!

Not with me!

Here is a sample of your private documents I have stolen!

Your privacy! lol, youre not protected!

Needed? No, here I give it back!

I believe from the document you are a child!

Check your document, errors are there!

Please, please, Give me another sexy document about you!

Short and good, your document!

Jooooooooo.... document? Yours????? Wehaaa!

I do not accept documents from bad guys!

I do not want your document!

Go to hell an burn with your bad document!

I will send your list to the police!!!!

Hello, here.

It's the truth, your document not!!!

Could I have more texts about you?

Thus is enough. Stop sending your s***** documents!!!

One, two three, more, I have many questions to you document!

Nice, nice, more and more? do you?

Should I believe it? No, however, your story is bad.

Oh.....puh, your story is very strong!

Yours is very nice!

Do you have more of that?

Hey ya, nice document. Do you have more?

Abou you?

Sexy pic abou you?

Do you have a digicam to make your private photos?

More naked...your body is sexy!

Naked, you?

Are you naked?

More private photos of you? no!

Private photos...mmmhh. I like it. Post me more please!

Hey, naked one!

Hey, have you ever seen your photo?

Eat my s***! Your photo is bad.

Do not distribute your naked photos!

Uhaaa! naked... are you cranky?

Your are naked? Tell me more...please!

Hey, private or private..naked?

Pah!...take your private photo, naked and so, and go away.

I have sent your private photo to the police.

What is when I show your private illegal photo the police?

You? Very funny! More available?

I don't want to see your photo!

S***... your photo! naked?

Attachment: The attachment arrives as a .PIF file. The first part of the filename is constructed from one of the following strings:



morepasswords

cracked_password

easypassword

yourpassword

password

passwords

pwd_list

your_password

your_pwd

yourspwd

pwd

password02

pwds04

pass01

correct_pass

listed

detailed

approvdoc

doc_ed

morestory

abuses

mail

story

letter

sexydocument

doc

yetanotherdocument

trieddocument

posteddocument

abusedocument

illegaldocument

doc04

shortdoc

details

alldoc

document_part

anotherdocument

document3

founddocument

your_doc04

onedocument

mydocument

yourdocument

yourdoc

document

photo03

your_photo

private_pic

private_photo

about_you

your_bad_photo

xxx_yours_naked

your_private_document

private

yourpic

yournakedpic

pic04

yours

yourimage

yourphoto

yoursnaked

yours_naked

img05

not_permitted

yours_naked_img

yours_funny

Denial of Service



If the local system date is between April 14th and April 23rd when the worm starts up, it targets the following remote servers in a denial of service attack:



http://www.keygen.us

http://www.freemule.net

http://www.kazaa.com

http://www.emule.de

http://www.cracks.am

System Changes



The worm installs itself on the victim machine as SYMAV.EXE in the Windows directory:



%WinDir%\SymAV.EXE

The following Registry key is added to hook system startup:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "SymAV" = %WinDir%\SymAV.EXE

A base-64 encoded copy of the worm is saved to disk as F***_YOU_BAGLE.TXT (letters omitted, replaced with *) in the Windows directory:



%WinDir%\f***_you_bagle.txt

Remote Access Component



The worm opens port 6789 (TCP) on the victim machine. This facilitates the downloading and execution of files.



Symptoms

Outgoing DNS query to one of the following DNS servers (IP list carried within the worm):

212.44.160.8

195.185.185.195

151.189.13.35

213.191.74.19

193.189.244.205

145.253.2.171

193.141.40.42

194.25.2.134

194.25.2.133

194.25.2.132

194.25.2.131

193.193.158.10

212.7.128.165

212.7.128.162

193.193.144.12

217.5.97.137

195.20.224.234

194.25.2.130

194.25.2.129

212.185.252.136

212.185.253.70

212.185.252.73

Existence of the files/Registry keys detailed above

TCP port 6789 open on the victim machine



For this one, the ELINETSA v2.8 utility has been built; it will be uploaded to this site as soon as the DNS servers are replicated with the new zonavirus URL.



regards



ms, 14-04-2004
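The indicators from the description above (TCP 6789 listening, DNS queries to the worm's embedded server list, the SymAV Run value, and mail whose subject and <stem>.pif attachment both come from the worm's lists), turned into a small checker. This is an added example for this thread, not the ELINETSA utility and not McAfee's code. The `netstat -an`, `reg query` and DNS-log line formats it parses, the sample evidence at the bottom, and the inclusive reading of the April 14th-23rd DoS window are assumptions made here.

```python
"""Netsky.U indicator matcher (added example; not the ELINETSA utility and not
McAfee code). Indicators come from the VIL description; input formats and the
sample evidence are constructed, as is the inclusive reading of the DoS window."""
import re
NETSKY_U_PORT = 6789  # TCP backdoor port named in the description
# DNS servers carried inside the worm, as listed under "Symptoms".
NETSKY_U_DNS_SERVERS = set("""
212.44.160.8 195.185.185.195 151.189.13.35 213.191.74.19 193.189.244.205
145.253.2.171 193.141.40.42 194.25.2.134 194.25.2.133 194.25.2.132 194.25.2.131
193.193.158.10 212.7.128.165 212.7.128.162 193.193.144.12 217.5.97.137
195.20.224.234 194.25.2.130 194.25.2.129 212.185.252.136 212.185.253.70
212.185.252.73""".split())
SUBJECTS = {"reply", "again", "it's me", "hey", "hello", "hi", "re: hello", "re: hi"}
# First part of the .PIF attachment name; compared case-insensitively.
ATTACHMENT_STEMS = set("""
morepasswords cracked_password easypassword yourpassword password passwords
pwd_list your_password your_pwd yourspwd pwd password02 pwds04 pass01
correct_pass listed detailed approvdoc doc_ed morestory abuses mail story letter
sexydocument doc yetanotherdocument trieddocument posteddocument abusedocument
illegaldocument doc04 shortdoc details alldoc document_part anotherdocument
document3 founddocument your_doc04 onedocument mydocument yourdocument yourdoc
document photo03 your_photo private_pic private_photo about_you your_bad_photo
xxx_yours_naked your_private_document private yourpic yournakedpic pic04 yours
yourimage yourphoto yoursnaked yours_naked img05 not_permitted yours_naked_img
yours_funny""".split())

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
NETSTAT_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)
REG_VALUE = re.compile(r"^\s*(\S+)\s+REG_\w+\s+(.+?)\s*$")  # 'reg query' rows
PIF_NAME = re.compile(r"^([A-Za-z0-9_]+)\.pif$", re.I)

def listening_on_backdoor_port(netstat_lines):
    """True if 'netstat -an' output shows TCP 6789 in LISTENING state."""
    for line in netstat_lines:
        m = NETSTAT_LISTEN.match(line)
        if m and int(m.group(1)) == NETSKY_U_PORT:
            return True
    return False

def worm_dns_servers_in_log(log_lines):
    """Worm-embedded DNS server IPs seen in DNS query log lines, in order."""
    hits = []
    for line in log_lines:
        for ip in IPV4.findall(line):
            if ip in NETSKY_U_DNS_SERVERS and ip not in hits:
                hits.append(ip)
    return hits

def run_key_installed(reg_query_lines):
    """True if a Run value named SymAV points at a ...\\SymAV.EXE."""
    for line in reg_query_lines:
        m = REG_VALUE.match(line)
        if m and m.group(1).lower() == "symav" \
                and m.group(2).lower().endswith("\\symav.exe"):
            return True
    return False

def mail_matches(subject, attachment_name):
    """Subject from the worm's list and a <stem>.pif attachment from its list."""
    m = PIF_NAME.match(attachment_name)
    return (subject.strip().lower() in SUBJECTS
            and m is not None and m.group(1).lower() in ATTACHMENT_STEMS)

def dos_window_active(month, day):
    """Date condition for the DoS payload (April 14-23, assumed inclusive)."""
    return month == 4 and 14 <= day <= 23

def scan(evidence):
    """Return the indicators found in a dict of evidence lists."""
    found = []
    if listening_on_backdoor_port(evidence.get("netstat", [])):
        found.append("tcp/6789 listening")
    for ip in worm_dns_servers_in_log(evidence.get("dns_log", [])):
        found.append("dns query to " + ip)
    if run_key_installed(evidence.get("reg_run", [])):
        found.append("Run value SymAV -> SymAV.EXE")
    for subject, attachment in evidence.get("mail", []):
        if mail_matches(subject, attachment):
            found.append("mail %r with %s" % (subject, attachment))
    return found

# Constructed sample evidence, not captured from a real infection.
SAMPLE = {
    "netstat": ["  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING",
                "  TCP    0.0.0.0:6789    0.0.0.0:0    LISTENING",
                "  TCP    10.0.0.5:1042   10.0.0.1:53  ESTABLISHED"],
    "dns_log": ["2004-04-14 16:40:01 10.0.0.5 -> 10.0.0.1:53 A www.example.org",
                "2004-04-14 16:40:02 10.0.0.5 -> 194.25.2.134:53 MX example.org",
                "2004-04-14 16:40:03 10.0.0.5 -> 212.185.252.73:53 MX example.net"],
    "reg_run": ["    NvCplDaemon    REG_SZ    RUNDLL32.EXE NvQTwk,NvCplDaemon",
                "    SymAV          REG_SZ    C:\\WINDOWS\\SymAV.EXE"],
    "mail": [("Re: Hello", "your_password.pif"), ("Re: Hello", "invoice.pdf"),
             ("Meeting notes", "yours_naked.pif")],
}

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Running it over the constructed sample reports five indicators; on a real host you would feed it the output of `netstat -an` and `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"` plus your resolver's query log. The DNS match is the weakest signal on its own (the listed addresses are public resolvers that legitimate clients may also use), so treat it as corroboration for the port and Run-value findings rather than as proof by itself.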
