NEW NETSKY VARIANT (Z) DETECTED WITH DATS 4352

msc hotline sat
Posts: 93500
Registered: 09 Mar 2004, 20:39
Location: BARCELONA (SPAIN)

Post by msc hotline sat » 21 Apr 2004, 19:29

With tonight's DATs, 4352, McAfee will now detect the new Z variant of NETSKY:


__________________________________________

http://vil.nai.com/vil/content/v_121076.htm

Virus Name: W32/Netsky.z@MM
Risk Assessment: Corporate User: Low; Home User: Low

Virus Information

Discovery Date: 04/21/2004
Origin: Unknown
Length: 22,016 bytes (EXE), approx 22kB (ZIP)
Type: Virus
SubType: E-mail
Minimum DAT: 4352 (04/21/2004)
Updated DAT: 4352 (04/21/2004)
Minimum Engine: 4.2.40
Description Added: 04/21/2004
Description Modified: 04/21/2004 8:34 AM (PT)


Virus Characteristics:

This detection is for a new variant of W32/Netsky. It bears the following characteristics:

harvests email addresses from the victim machine
contains its own SMTP engine to construct outgoing messages
attaches itself within a ZIP archive to emails
spoofs the From: address
delivers a denial of service payload to certain web sites upon a date condition

Mail Propagation

The virus harvests email addresses from files on the victim machine with the following extensions:

.adb, .asp, .cfg, .cgi, .dbx, .dhtm, .doc, .eml, .htm, .html, .jsp, .mbx, .mdx, .mht, .mmf, .msg, .nch, .oft, .php, .ods, .pl, .ppt, .rtf, .sht, .shtm, .stm, .tbb, .txt, .uin, .vbs, .wab, .wsh, .xls, .xml

Messages are constructed using the virus' own SMTP engine. They bear the following characteristics:

From: spoofed (using harvested email addresses)

Subject: selected from one of the following:

Document
Hello
Hi
Important
Important bill!
Important data!
Important details!
Important document!
Important informations!
Important notice!
Important textfile!
Important!
Information

Attachment: ZIP archive with one of the following filenames:

Bill.zip
Data.zip
Details.zip
Important.zip
Informations.zip
Notice.zip
Part-2.zip
Textfile.zip

The ZIP archive contains the worm. It is not password protected. The filename of the worm within the ZIP is chosen to match the subject and ZIP name:

Bill.txt (many spaces) .exe
Data.txt (many spaces) .exe
Details.txt (many spaces) .exe
Important.txt (many spaces) .exe
Informations.txt (many spaces) .exe
Notice.txt (many spaces) .exe
Part-2.txt (many spaces) .exe
Textfile.txt (many spaces) .exe
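The attachment traits quoted above (known subjects, known ZIP names, and an inner filename that hides ".exe" behind a long run of spaces so that mail clients show only "Bill.txt") can be turned into a mail-gateway check. The following is an added example written for this page; it is not code from the forum post, from McAfee, or from the ELINETSA utility. The subject and filename lists come from the description above; the regular expression generalises the page's ".txt (many spaces) .exe" pattern to a few other decoy and executable extensions, which is my own assumption. The ZIP it inspects is constructed in memory around placeholder bytes, not a real sample.

```python
import io
import re
import zipfile

# Subjects and ZIP names exactly as listed in the McAfee description quoted above.
NETSKY_Z_SUBJECTS = {
    "Document", "Hello", "Hi", "Important", "Important bill!", "Important data!",
    "Important details!", "Important document!", "Important informations!",
    "Important notice!", "Important textfile!", "Important!", "Information",
}
NETSKY_Z_ZIP_NAMES = {
    "Bill.zip", "Data.zip", "Details.zip", "Important.zip",
    "Informations.zip", "Notice.zip", "Part-2.zip", "Textfile.zip",
}

# Assumption (generalised beyond the page): a decoy document extension, then a run of
# spaces, then a real executable extension. The page only names ".txt (many spaces) .exe";
# the additional decoy/executable extensions are my choice.
PADDED_DOUBLE_EXT = re.compile(
    r"^(?P<stem>.+?)\.(?P<decoy>txt|doc|htm|html|rtf)[ ]{2,}\.(?P<real>exe|scr|pif|com|bat)$",
    re.IGNORECASE,
)


def find_padded_entries(zip_bytes):
    """Return archive entry names that hide an executable extension behind space padding."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if PADDED_DOUBLE_EXT.match(info.filename):
                hits.append(info.filename)
    return hits


def classify_message(subject, attachment_name, zip_bytes):
    """Score one mail against the Netsky.Z traits: known subject, known ZIP name,
    padded double extension inside the ZIP, and inner stem matching the ZIP stem."""
    padded = find_padded_entries(zip_bytes)
    zip_stem = attachment_name.rsplit(".", 1)[0].lower()
    stem_match = any(
        PADDED_DOUBLE_EXT.match(name).group("stem").lower() == zip_stem for name in padded
    )
    reasons = []
    if subject in NETSKY_Z_SUBJECTS:
        reasons.append("subject in Netsky.Z list")
    if attachment_name in NETSKY_Z_ZIP_NAMES:
        reasons.append("attachment name in Netsky.Z list")
    if padded:
        reasons.append("padded double extension inside ZIP")
    if stem_match:
        reasons.append("inner filename stem matches ZIP name")
    # A padded executable name is enough on its own to quarantine; the lure strings are
    # weak indicators (they change per variant) and only raise the mail for review.
    verdict = "suspicious" if padded else ("review" if reasons else "clean")
    return {"verdict": verdict, "reasons": reasons, "padded_entries": padded}


def make_sample_zip(inner_name):
    """Build a constructed, in-memory ZIP holding placeholder bytes (not an executable)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, b"placeholder bytes, not a real program")
    return buf.getvalue()


if __name__ == "__main__":
    lure = make_sample_zip("Bill.txt" + " " * 60 + ".exe")   # constructed sample
    print(classify_message("Important bill!", "Bill.zip", lure))
    print(classify_message("Report", "report.zip", make_sample_zip("report.txt")))
```

The check reads only the ZIP directory, never extracts or runs the entry, so it is safe to apply to quarantined mail. The decisive indicator is the padded name, which survives the variant-to-variant churn of subjects and archive names far better than string lists do.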

Denial of Service Payload

Upon a certain date condition, the virus targets the following domains in a denial of service attack (HTTP):

http://www.nibis.de
http://www.medinfo.ufl.edu
http://www.educa.ch

System Changes

The virus installs itself on the victim machine as JAMMER2ND.EXE:

%WinDir%\JAMMER2ND.EXE

The following Registry key is added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Jammer2nd" = %WinDir%\JAMMER2ND.EXE

Copies of the worm in a ZIP archive (some Base64 encoded) are written to the victim machine:

PK_ZIPn.LOG (where n is an integer).


Symptoms

Outgoing DNS queries to one of the following hard-coded IP addresses:

145.253.2.171
151.189.13.35
193.141.40.42
193.189.244.205
193.193.144.12
193.193.158.10
194.25.2.129
194.25.2.130
194.25.2.131
194.25.2.132
194.25.2.133
194.25.2.134
195.185.185.195
195.20.224.234
212.185.252.136
212.185.252.73
212.185.253.70
212.44.160.8
212.7.128.162
212.7.128.165
213.191.74.19
217.5.97.137

Existence of the files and Registry keys detailed above.


Method Of Infection

This worm spreads by email, constructing messages using its own SMTP engine.


_________________________________________

This is a news scoop. Tomorrow we will study it and produce the ELINETSA utility to detect and remove it.


regards

ms, 21-04-2004

Post by msc hotline sat » 22 Apr 2004, 11:09

Version 3.2 of ELINETSA, which detects and removes NetSky.Z as well as the earlier variants, is available on this site:



https://foros.zonavirus.com/viewtopic.php?t=10



regards

ms, 22-04-2004