__________________________________________
Virus Name: W32/Netsky.x@MM
Risk Assessment: Corporate User: Low; Home User: Low
Virus Information
Discovery Date: 04/20/2004
Origin: Unknown
Length: 26,112 Bytes
Type: Virus
SubType: E-mail worm
Minimum DAT: 4348 (04/06/2004)
Updated DAT: 4348 (04/06/2004)
Minimum Engine: 4.2.40
Description Added: 04/20/2004
Description Modified: 04/20/2004 7:28 AM (PT)
Virus Characteristics:
This worm is detected with current DATs as W32/Netsky.gen@MM with scanning compressed files enabled. Specific detection will be added to the 4352 DATs.
It bears the following characteristics:
constructs messages using its own SMTP engine
harvests email addresses from the victim machine
spoofs the From: address of messages
delivers a DoS attack on certain web sites.
Mail Propagation
Email addresses are harvested from the victim machine. Files with the following extensions are searched:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wsh
.wab
.xls
.xml
Subject: (taken from the following list):
Re: document
Re: belge
Re: dokumenten
Re: dokumentoida
Re: udokumentowac
Re: dokumentet
Re: original
Re: documento
Re: dokument
Body: (taken from the following list):
Please read the document
Bitte lesen Sie das Dokument.
Veuillez lire le document.
Legga prego il documento.
Leia por favor o original.
Behage lese dokumentet.
Podobac sie przeczytac ten udokumentowac.
Haluta kuulua dokumentoida.
mutlu etmek okumak belgili tanimlik belge.
System Changes
The worm installs itself on the victim machine as FirewallSvr.exe in the Windows directory:
%WinDir%\FirewallSvr.exe
The following Registry key is added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "FirewallSvr" = %WinDir%\FirewallSvr.exe
A base64-encoded version of the worm is also dropped into the %WinDir% folder.
For example: C:\Winnt\f**k_you_bagle.txt
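As an added defender-side example (not part of the advisory or of any vendor tool), the script below scans a directory for the two on-disk artefacts just described: the dropped FirewallSvr.exe and a .txt file that is really a base64-encoded copy of the worm, recognised because it decodes to a PE image starting with the "MZ" header. The function names, the size limit and the constructed sample directory are assumptions for illustration; run find_netsky_artifacts() against %WinDir% on a suspect host.

```python
"""Look for the on-disk artefacts described above: FirewallSvr.exe and a
.txt file holding a base64-encoded PE image. Demonstrated on a constructed
temporary directory so it runs offline."""
import base64
import binascii
import os
import tempfile

DROPPED_EXE = "firewallsvr.exe"   # file name from the advisory, matched case-insensitively
MAX_TXT_BYTES = 1_000_000         # assumption: do not try to decode huge text files

def looks_like_base64_pe(path: str) -> bool:
    """True if the file is base64 text that decodes to data starting with 'MZ'."""
    try:
        with open(path, "rb") as fh:
            raw = fh.read(MAX_TXT_BYTES)
        text = b"".join(raw.split())                 # tolerate line-wrapped base64
        decoded = base64.b64decode(text, validate=True)
    except (OSError, binascii.Error, ValueError):     # unreadable or not base64 at all
        return False
    return decoded[:2] == b"MZ"

def find_netsky_artifacts(windir: str) -> list:
    """Return (kind, path) tuples for each indicator found directly in windir."""
    hits = []
    for name in sorted(os.listdir(windir)):
        path = os.path.join(windir, name)
        if not os.path.isfile(path):
            continue
        if name.lower() == DROPPED_EXE:
            hits.append(("dropped_exe", path))
        elif name.lower().endswith(".txt") and looks_like_base64_pe(path):
            hits.append(("base64_pe_text", path))
    return hits

def build_sample_windir() -> str:
    """Constructed sample tree: a fake 'MZ' image stored as wrapped base64 text,
    a harmless text file, and an empty file carrying the dropped-exe name."""
    d = tempfile.mkdtemp()
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 100   # not a real binary
    with open(os.path.join(d, "dropped_copy.txt"), "wb") as fh:
        fh.write(base64.encodebytes(fake_pe))                       # 76-char wrapped lines
    with open(os.path.join(d, "readme.txt"), "w") as fh:
        fh.write("just a normal text file\n")
    open(os.path.join(d, "FirewallSvr.exe"), "wb").close()
    return d

if __name__ == "__main__":
    for kind, path in find_netsky_artifacts(build_sample_windir()):
        print(kind, path)
```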
Denial of Service
If the local system date is between April 28th and April 30th, it targets the following remote servers in a denial of service attack:
Symptoms
Existence of files and registry keys as mentioned above
Unexpected network traffic
Outgoing DNS queries to one of the following hard-coded IP addresses
__________________________________________
Tomorrow we will upload version 3.0 of ELINETSA to this website, which will already control and remove this variant.
regards
ms, 20-04-2004