NEW NETSKY.V VIRUS VARIANT CONTROLLED FROM DATS 4352


Post by msc hotline sat » 15 Apr 2004, 11:46

Although McAfee has published DATS 4351 today, we have just received news that a new variant of NETSKY, the V, has appeared, which requires the upcoming DATS 4352, although in the meantime it is controlled with the current DAILYDATS, 15-04-2004, 11:45



Virus Name: W32/Netsky.v@MM
Risk Assessment: Corporate User: Low; Home User: Low







Virus Information

Discovery Date: 04/14/2004

Origin: Unknown

Length: 19,432 bytes

Type: Virus

SubType: E-mail

Minimum DAT: 4352 (Release Date: 04/21/2004)

Minimum Engine: 4.2.40

Description Added: 04/14/2004

Description Modified: 04/14/2004 8:17 PM (PT)








Virus Characteristics:

This variant of W32/Netsky is similar to previous variants of W32/Netsky, however the virus does not spread as an email attachment, but rather as a hyperlink pointing to an infected system. It bears the following characteristics:



- infects by spreading exploit script, which automatically downloads and executes the virus from a remote infected system
- constructs messages using its own SMTP engine
- harvests email addresses from the victim machine
- spoofs the To: and From: address of messages
- opens a port on the victim machine (TCP 5556 & 5557)
- delivers a DoS attack on certain web sites upon a specific date condition



Mail Propagation



Email addresses are harvested from the victim machine. Files with the following extensions are searched:



.adb, .asp, .cfg, .cgi, .dbx, .dhtm, .doc, .eml, .htm, .html, .jsp, .mbx, .mdx, .mht, .mmf, .msg, .nch, .ods, .oft, .php, .pl, .ppt, .rtf, .sht, .shtm, .stm, .tbb, .txt, .uin, .vbs, .wsh, .wab, .xls, .xml

Constructed messages bear the following characteristics:



To: dimitrihji@yahoo.com (this is spoofed)
From: dimitrihji@yahoo.com (this is also spoofed, it is not the true receiving address)
Subject: (taken from the following list)
- Mail Delivery Sytem failure
- Mail delivery failed
- Server Status failure
- Gateway Status failure
Body text: (taken from the following list)
- The processing of this message can take a few minutes...
- Converting message. Please wait...
- Please wait while loading failed message...
- Please wait while converting the message...

Rather than including an attachment, the HTML within the message contains exploit code to contact a remote website to download the infected file. This HTML script will be detected with 4352 DATs and higher as Exploit-ObjectData. The remote infected computer is contacted via HTTP on TCP port 5557, the remote HTML file is launched, which drops an FTP "script" that downloads the Netsky.v executable file from the remote machine via TCP port 5556, and proceeds to infect the local machine by executing the downloaded file.



Denial of Service



This worm targets the following remote servers in a denial of service attack:



- http://www.keygen.us
- http://www.freemule.net
- http://www.kazaa.com
- http://www.emule.de
- http://www.cracks.am

System Changes



The worm installs itself on the victim machine as KasperskyAVEng.exe in the Windows directory:



%WinDir%\KasperskyAVEng.exe

The following Registry key is added to hook system startup:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "KasperskyAVEng" = %WinDir%\KasperskyAVEng.exe

A copy of the worm is saved to disk as SKYAV.TMP in the Windows directory:



%WinDir%\skyav.tmp

Remote Access Component



The worm opens a web server on TCP port 5557 which, on vulnerable systems, will load an HTM file which is heuristically detected by DATs up to 4352 as Unsafe Script. Specific detection will be added to the 4352 DATs as Exploit-ObjectData.



The virus also opens an FTP server on TCP Port 5556, so that the infected system can be accessed remotely.








Symptoms

Outgoing DNS query to one of the DNS servers on an IP list carried within the worm


Existence of the files/Registry keys detailed above

TCP ports 5556 & 5557 open on the victim machine



The link to this McAfee page is: http://vil.nai.com/vil/content/v_101175.htm



and the link to download the SDATDAILY and thus control it is:



http://download.nai.com/products/mcafee-avert/daily_dats/SDATDAILY.EXE



whose execution, with the McAfee antivirus installed, will bring control of 89,649 virus variants, including this NETSKY.V



We are already preparing the new version of ELINETSA to control this virus, which will be v 2.9, and as soon as it is finished we will upload it to this website.



regards



ms, 15-04-2004
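As an added example that is not part of this post or of McAfee's description: a Python triage check for the mail characteristics listed above (identical spoofed To/From, the four Subject and body templates, and a link to the worm's TCP 5556/5557 service instead of an attachment). The sample messages and the address 192.0.2.10 are constructed.

```python
import re
from email import message_from_string

# Subject/body templates from the description; "Sytem" is the worm's own typo.
SUBJECTS = {"Mail Delivery Sytem failure", "Mail delivery failed",
            "Server Status failure", "Gateway Status failure"}
BODIES = {"The processing of this message can take a few minutes...",
          "Converting message. Please wait...",
          "Please wait while loading failed message...",
          "Please wait while converting the message..."}
WORM_PORTS = {"5556", "5557"}          # FTP and web server ports the worm opens
URL_RE = re.compile(r"https?://[^\s<>/:]+:(\d+)", re.I)  # host:port in a URL

def netsky_v_indicators(raw_mail: str) -> list[str]:
    """Return the Netsky.v indicators found in one RFC 822 message."""
    msg = message_from_string(raw_mail)
    hits = []
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        hits.append("subject-template")
    if msg.get("From") and msg.get("From") == msg.get("To"):
        hits.append("to-equals-from")       # both headers spoofed to one address
    has_attachment, text = False, ""
    for part in msg.walk():                 # single-part mails yield themselves
        if part.get_filename():
            has_attachment = True
        if part.get_content_type() in ("text/plain", "text/html"):
            text += part.get_payload(decode=True).decode("latin-1", "replace")
    if any(body in text for body in BODIES):
        hits.append("body-template")
    if {m.group(1) for m in URL_RE.finditer(text)} & WORM_PORTS:
        hits.append("link-to-worm-port")    # HTML points at an infected host
    if hits and not has_attachment:
        hits.append("no-attachment")        # spreads by link, not by attachment
    return hits

# Constructed sample: 192.0.2.10 is a documentation address, not a real host.
SAMPLE = """\
From: dimitrihji@yahoo.com
To: dimitrihji@yahoo.com
Subject: Mail delivery failed
MIME-Version: 1.0
Content-Type: text/html

<html><body>Converting message. Please wait...
<a href="http://192.0.2.10:5557/">open</a></body></html>
"""
BENIGN = "From: a@example.com\nTo: b@example.com\nSubject: Meeting notes\n\nSee you at 10.\n"

if __name__ == "__main__":
    print(netsky_v_indicators(SAMPLE))   # all five indicators
    print(netsky_v_indicators(BENIGN))   # []
```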


Post by msc hotline sat » 16 Apr 2004, 18:15

We think it is important to point out that this new variant of NetSky arrives without an attached file, infecting through the execution of remote code from the HTML of the mail's own text, and that, either through lack of antivirus control or, even with the antivirus updated, through lack of the corresponding Microsoft patches, in this case for Internet Explorer, viral code is executed remotely by simply reading the mail.



That is why, besides advising the use of an updated antivirus that controls it, it is advisable to make sure that Internet Explorer is also well updated, for which it is recommended to have or apply the MS04-004 patch, which is cumulative and covers this hole, in addition to the previous Internet Explorer ones:



http://www.microsoft.com/en/us/default.aspxtechnet/security/bulletin/MS04-004.asp



Also, if McAfee is used, without needing the SDATDAILY we now already have the EXTRA.DAT, which can be added to the DATS folder of the McAfee antivirus to control this new variant:






As always, select the content between the lines, copy and paste it into Notepad, save it as EXTRA.DAT, and copy it into the antivirus folder.



Be very careful with this virus, whose propagation rate is rising:



http://www.theregister.co.uk/2004/04/15/pesky_netsky/



regards



ms, 16-04-2004
