EMERGENCY FORUM ALERTS - 2

Closed

msc hotline sat
Posts: 93500
Joined: 09 Mar 2004, 20:39
Location: BARCELONA (ESPAÑA)

Post by msc hotline sat » 30 Apr 2004, 16:14

AND ANOTHER VIRUS EMERGENCY TODAY: NETSKY.AA

msc hotline sat (Administrator, España)
5003 posts - Posted on 27/04/2004 : 10:25:57

--------------------------------------------------------------------------------

In addition to the recent Bagle.Z, a new NetSky variant, AA, now has to be taken into account; it will be covered by the upcoming DAT 4354 and, in the meantime, is covered by the SDATDAILY:



McAfee's description for this new NETSKY.AA variant:

_____________________________________________________________________

Virus Name: W32/Netsky.aa@MM
Risk Assessment: Corporate User: Low / Home User: Low

Virus Information
Discovery Date: 04/26/2004
Origin: Unknown
Length: 17,408 Bytes
Type: Virus
SubType: Email Worm
Minimum DAT: 4354 (04/28/2004)
Updated DAT: 4354 (04/28/2004)
Minimum Engine: 4.2.40
Description Added: 04/26/2004
Description Modified: 04/26/2004 4:56 PM (PT)

Virus Characteristics:

This detection is for a new variant of W32/Netsky. It bears the following characteristics:

harvests email addresses from the victim machine
contains its own SMTP engine to construct outgoing messages
emails arrive as a PIF extension attachment
spoofs the From: address

Mail Propagation

The virus harvests email addresses from files on the victim machine with the following extensions:

.adb, .asp, .cfg, .cgi, .dbx, .dhtm, .doc, .eml, .htm, .html, .jsp, .mbx, .mdx, .mht, .mmf, .msg, .nch, .oft, .php, .ods, .pl, .ppt, .rtf, .sht, .shtm, .stm, .tbb, .txt, .uin, .vbs, .wab, .wsh, .xls, .xml

Messages are constructed using the virus' own SMTP engine. They bear the following characteristics:

From: spoofed (using harvested email addresses)

Subject: (selected from one of the following)

Re: Advice
Re: Application
Re: Approved
Re: Bill
Re: Cheaper
Re: Contacts
Re: Demo
Re: Details
Re: Document
Re: e-Books
Re: Error
Re: Fax number
Re: Final
Re: Hello
Re: Hi
Re: Information
Re: Job
Re: Letter
Re: List
Re: Missed
Re: Movie
Re: Music
Re: Paint file
Re: Patch
Re: Photos
Re: Poster
Re: Presentation
Re: Pricelist
Re: Private
Re: Product
Re: Step by Step
Re: Summary
Re: Tel. Numbers
Re: Text
Re: Text file
Re: Thank you!
Re: War
Re: Website

Body: (selected from one of the following; the spelling is the worm's own)

For furher details see the attached file.
Here is the file.
Please have a look at the attached file.
Please read the attached file.
Please take the attached file.
Please view the attached file.
See the attached file for details.
Your document is attached.
Your file is attached.

Attachment: (PIF extensions with one of the following filenames)

My_Advice.pif
My_Fax_Numbers.pif
My_Telephone_Numbers.pif
Osam_Bin_Laden_Articel_42.pif
Your_Bill.pif
Your_Contacts.pif
Your_Demo.pif
Your_Description.pif
Your_Details.pif
Your_Digicam_Pictures.pif
Your_Document.pif
Your_Document_Part3.pif
Your_E-Books.pif
Your_Error.pif
Your_Excel_Document.pif
Your_Final_Document.pif
Your_Information.pif
Your_Job.pif
Your_Letter.pif
Your_List.pif
Your_Movie.pif
Your_Music.pif
Your_Paint_File.pif
Your_Patch.pif
Your_Pics.pif
Your_Poster.pif
Your_Presentation.pif
Your_Pricelist.pif
Your_Private_Document.pif
Your_Product.pif
Your_Product_List.pif
Your_Software.pif
Your_Summary.pif
Your_Text.pif
Your_Text_File.pif
Your_Website.pif

System Changes

When executed, the following fake error box appears:

[image of the fake error box not reproduced]

The virus installs itself on the victim machine as WINLOGON.SCR:

%WinDir%\WINLOGON.SCR

(%WinDir% = Windows directory, such as c:\windows or c:\winnt)

The following Registry key is added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Skynetsrevenge" = %WinDir%\WINLOGON.SCR



Symptoms

Outgoing DNS queries to one of the following hard-coded IP addresses:

145.253.2.171
151.189.13.35
193.141.40.42
193.189.244.205
193.193.144.12
193.193.158.10
194.25.2.129
194.25.2.130
194.25.2.131
194.25.2.132
194.25.2.133
194.25.2.134
195.185.185.195
195.20.224.234
212.185.252.136
212.185.252.73
212.185.253.70
212.44.160.8
212.7.128.162
212.7.128.165
213.191.74.19
217.5.97.137
62.155.255.16

Existence of the files and Registry keys detailed above



Method Of Infection

This worm spreads by email, constructing messages using its own SMTP engine.

Removal Instructions

Detection is included in our DAILY DAT (beta) files and will also be included in the next weekly DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

____________________________________________________





Obviously, installing today's SDATDAILY will cover both Bagle.Z and this latest NetSky.AA, among the 90,300 viruses we already cover with it: http://download.nai.com/products/mcafee-avert/daily_dats/SDATDAILY.EXE

regards

ms, 27-04-2004

Virus Research Engineer









msc hotline sat (Administrator, España)
5003 posts - Posted on 27/04/2004 : 16:50:17

--------------------------------------------------------------------------------

The removal utility for this virus, ELINETSA v 3.2, is finished.

As soon as we have access to the normal forum, we will upload it so that it can be used.

regards



ms, 27-04-2004
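The description quoted above lists the mail characteristics (subject lines, body texts, .pif attachment names) and the host indicators (the Run value "Skynetsrevenge" pointing at %WinDir%\WINLOGON.SCR). The following Python triage helper is an added example, not code from the forum post, from McAfee or from the ELINETSA utility: it applies those indicators to constructed sample messages and to a constructed `reg export` style text. The indicator strings are copied verbatim from the description (including the worm's own typos); the function names (`netsky_aa_indicators`, `is_netsky_aa`, `run_key_indicator`, `build_sample`, `parse_raw`) and all sample data are my own.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, Optional

# Indicator strings copied from the McAfee description; typos are the worm's own.
NETSKY_AA_SUBJECTS = frozenset("Re: " + s for s in (
    "Advice", "Application", "Approved", "Bill", "Cheaper", "Contacts", "Demo", "Details",
    "Document", "e-Books", "Error", "Fax number", "Final", "Hello", "Hi", "Information",
    "Job", "Letter", "List", "Missed", "Movie", "Music", "Paint file", "Patch", "Photos",
    "Poster", "Presentation", "Pricelist", "Private", "Product", "Step by Step", "Summary",
    "Tel. Numbers", "Text", "Text file", "Thank you!", "War", "Website"))
NETSKY_AA_BODIES = frozenset((
    "For furher details see the attached file.", "Here is the file.",
    "Please have a look at the attached file.", "Please read the attached file.",
    "Please take the attached file.", "Please view the attached file.",
    "See the attached file for details.", "Your document is attached.",
    "Your file is attached."))
NETSKY_AA_ATTACHMENTS = frozenset((
    "My_Advice.pif", "My_Fax_Numbers.pif", "My_Telephone_Numbers.pif",
    "Osam_Bin_Laden_Articel_42.pif", "Your_Bill.pif", "Your_Contacts.pif", "Your_Demo.pif",
    "Your_Description.pif", "Your_Details.pif", "Your_Digicam_Pictures.pif",
    "Your_Document.pif", "Your_Document_Part3.pif", "Your_E-Books.pif", "Your_Error.pif",
    "Your_Excel_Document.pif", "Your_Final_Document.pif", "Your_Information.pif",
    "Your_Job.pif", "Your_Letter.pif", "Your_List.pif", "Your_Movie.pif", "Your_Music.pif",
    "Your_Paint_File.pif", "Your_Patch.pif", "Your_Pics.pif", "Your_Poster.pif",
    "Your_Presentation.pif", "Your_Pricelist.pif", "Your_Private_Document.pif",
    "Your_Product.pif", "Your_Product_List.pif", "Your_Software.pif", "Your_Summary.pif",
    "Your_Text.pif", "Your_Text_File.pif", "Your_Website.pif"))
RUN_VALUE_NAME = "Skynetsrevenge"   # Run value the description says the worm adds
DROPPED_FILE = "WINLOGON.SCR"       # dropped into %WinDir%


def netsky_aa_indicators(msg: EmailMessage) -> Dict[str, bool]:
    """Compare one parsed message with the mail characteristics in the description."""
    subject = (msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content().strip() if body_part is not None else ""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return {
        "subject": subject in NETSKY_AA_SUBJECTS,
        "body": body_text in NETSKY_AA_BODIES,
        "pif_attachment": any(n.lower().endswith(".pif") for n in names),
        "known_filename": any(n in NETSKY_AA_ATTACHMENTS for n in names),
    }


def is_netsky_aa(msg: EmailMessage) -> bool:
    """The .pif attachment is mandatory; one further textual match is required so that a
    legitimate reply titled e.g. 'Re: Bill' with a PDF attached is not flagged."""
    ind = netsky_aa_indicators(msg)
    return ind["pif_attachment"] and (ind["subject"] or ind["body"] or ind["known_filename"])


def parse_raw(raw: bytes) -> EmailMessage:
    """Parse a raw RFC 822 message, e.g. one file from a gateway quarantine."""
    return email.message_from_bytes(raw, policy=policy.default)


def run_key_indicator(reg_export: str) -> bool:
    """Scan `reg export` style text for the Run value described above (hypothetical input)."""
    in_run = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.upper().endswith(r"\CURRENTVERSION\RUN]")
        elif in_run and line.startswith(f'"{RUN_VALUE_NAME}"='):
            return DROPPED_FILE in line.upper()
    return False


def build_sample(subject: str, body: str, attachment: Optional[str] = None) -> EmailMessage:
    """Constructed sample message (not a real capture); the attachment bytes are a placeholder."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


# Constructed raw message and registry export, for demonstration only.
RAW_SAMPLE = (b"From: x@example.invalid\r\nTo: y@example.invalid\r\nSubject: Re: Photos\r\n"
              b"MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"B1\"\r\n\r\n"
              b"--B1\r\nContent-Type: text/plain\r\n\r\nPlease view the attached file.\r\n"
              b"--B1\r\nContent-Type: application/octet-stream; name=\"Your_Pics.pif\"\r\n"
              b"Content-Disposition: attachment; filename=\"Your_Pics.pif\"\r\n\r\nMZ\r\n--B1--\r\n")
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Skynetsrevenge"="C:\\WINDOWS\\WINLOGON.SCR"
'''
```

Calling `is_netsky_aa(build_sample("Re: Bill", "Your document is attached.", "Your_Bill.pif"))` returns True, while the same subject and body with `invoice.pdf` attached returns False because the .pif attachment is the gating indicator; `run_key_indicator(SAMPLE_REG)` returns True for the constructed export. Matching is exact and case-sensitive on purpose, since the description gives fixed strings; a gateway rule that simply blocks .pif attachments would have caught this variant without any string matching at all.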
