Virus Name: W32/Netsky.v@MM
Risk Assessment: Corporate User: Low; Home User: Low
Virus Information
Discovery Date: 04/14/2004
Origin: Unknown
Length: 19,432 bytes
Type: Virus
SubType: E-mail
Minimum DAT: 4352
DAT Release Date: 04/21/2004
Minimum Engine: 4.2.40
Description Added: 04/14/2004
Description Modified: 04/14/2004 8:17 PM (PT)
Virus Characteristics:
This variant of W32/Netsky is similar to previous variants; however, it does not spread as an email attachment but as a hyperlink pointing to an infected system. It bears the following characteristics:
infects by spreading exploit script, which automatically downloads and executes the virus from a remote infected system
constructs messages using its own SMTP engine
harvests email addresses from the victim machine
spoofs the To: and From: address of messages
opens a port on the victim machine (TCP 5556 & 5557)
delivers a DoS attack on certain web sites upon a specific date condition
Mail Propagation
Email addresses are harvested from the victim machine. Files with the following extensions are searched:
.adb, .asp, .cfg, .cgi, .dbx, .dhtm, .doc, .eml, .htm, .html, .jsp, .mbx, .mdx, .mht, .mmf, .msg, .nch, .ods, .oft, .php, .pl, .ppt, .rtf, .sht, .shtm, .stm, .tbb, .txt, .uin, .vbs, .wsh, .wab, .xls, .xml
Constructed messages bear the following characteristics:
To:
From:
Subject: (taken from the following list)
Mail Delivery Sytem failure
Mail delivery failed
Server Status failure
Gateway Status failure
Body text: (taken from the following list)
The processing of this message can take a few minutes...
Converting message. Please wait...
Please wait while loading failed message...
Please wait while converting the message...
Rather than including an attachment, the HTML within the message contains exploit code that contacts a remote website to download the infected file. This HTML script is detected with 4352 DATs and higher as Exploit-ObjectData. The remote infected computer is contacted via HTTP on TCP port 5557; the remote HTML file is launched and drops an FTP "script" that downloads the Netsky.v executable from the remote machine via TCP port 5556, then infects the local machine by executing the downloaded file.
Denial of Service
This worm targets the following remote servers in a denial of service attack:
System Changes
The worm installs itself on the victim machine as KasperskyAVEng.exe in the Windows directory:
%WinDir%\KasperskyAVEng.exe
The following Registry key is added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "KasperskyAVEng" = %WinDir%\KasperskyAVEng.exe
A copy of the worm is saved to disk as SKYAV.TMP in the Windows directory:
%WinDir%\skyav.tmp
Remote Access Component
The worm opens a web server on TCP port 5557 which, on vulnerable systems, will load an HTM file which is heuristically detected by DATs up to 4352 as Unsafe Script. Specific detection will be added to the 4352 DATs as Exploit-ObjectData.
The virus also opens an FTP server on TCP Port 5556, so that the infected system can be accessed remotely.
Symptoms
Outgoing DNS query to one of the following DNS servers (IP list carried within the worm):
Existence of the files/Registry keys detailed above
TCP ports 5556 & 5557 open on the victim machine
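An added host-triage example (not code from the McAfee description or from the ELINETSA tool) that checks captured evidence for the three indicator classes listed above: the dropped files in %WinDir%, the KasperskyAVEng Run value, and TCP ports 5556/5557 in LISTENING state. All sample inputs are constructed, and the Run-key check accepts any hive's Run key although the advisory lists only the HKLM one.

```python
import re
# Host indicators from the advisory above; names are compared case-insensitively.
DROPPED_FILES = {"kasperskyaveng.exe", "skyav.tmp"}   # written to %WinDir%
RUN_VALUE_NAME = "kasperskyaveng"                     # Run value hooking startup
WORM_PORTS = {5556, 5557}                             # FTP server and web server
# Matches "TCP  0.0.0.0:5557  0.0.0.0:0  LISTENING" as printed by netstat -an
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.I)
# Matches "Name"="Data" lines of a .reg export; key headers start with "["
REG_VALUE_RE = re.compile(r'^\s*"([^"]+)"\s*=\s*"(.*)"\s*$')
RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run]"  # advisory lists the HKLM key

def listening_worm_ports(netstat_output):
    """Return the worm's ports that appear in LISTENING state."""
    ports = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group(1)) in WORM_PORTS:
            ports.add(int(m.group(1)))
    return ports

def run_key_hits(reg_export):
    """Return the data of every Run value named KasperskyAVEng."""
    hits, in_run = [], False
    for line in reg_export.splitlines():
        if line.startswith("["):                  # a new key begins
            in_run = line.strip().lower().endswith(RUN_KEY_SUFFIX)
            continue
        m = REG_VALUE_RE.match(line)
        if in_run and m and m.group(1).lower() == RUN_VALUE_NAME:
            hits.append(m.group(2))
    return hits

def dropped_file_hits(windir_listing):
    """Return dropped-file names present in a whitespace-separated %WinDir% listing."""
    return sorted(n for n in windir_listing.split() if n.lower() in DROPPED_FILES)

def assess(netstat_output, reg_export, windir_listing):
    """Combine the checks; flag as infected when two or more indicator classes hit."""
    result = {"ports": listening_worm_ports(netstat_output),
              "run_values": run_key_hits(reg_export),
              "files": dropped_file_hits(windir_listing)}
    result["infected"] = sum(1 for v in result.values() if v) >= 2
    return result

# Constructed sample evidence (not real captures) for a quick self-check.
SAMPLE_NETSTAT = "  TCP  0.0.0.0:5556  0.0.0.0:0  LISTENING\n  TCP  0.0.0.0:5557  0.0.0.0:0  LISTENING\n  TCP  10.0.0.5:5557  10.0.0.9:1043  ESTABLISHED"
SAMPLE_REG = '[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"KasperskyAVEng"="C:\\\\WINDOWS\\\\KasperskyAVEng.exe"\n"ctfmon.exe"="C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe"'
SAMPLE_DIR = "explorer.exe KasperskyAVEng.exe notepad.exe skyav.tmp win.ini"
if __name__ == "__main__":
    print(assess(SAMPLE_NETSTAT, SAMPLE_REG, SAMPLE_DIR))
```

An ESTABLISHED connection on 5557 is deliberately not counted, since only the listening server side is a host indicator; outbound hits on that port belong in network monitoring.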
The access link to this McAfee page is:
and the link to download SDATDAILY, and so control it, is:
whose execution with McAfee's antivirus installed will provide control of 89,649 virus variants, including this NETSKY.V
We are already preparing the new version of ELINETSA to control this virus, which will be v 2.9, and as soon as it is finished we will upload it to this web site.
regards
ms, 15-04-2004