NEW NETSKY VARIANT: CREATES A CSRSS.EXE FILE
msc hotline sat
Administrator
Spain
5003 Posts  Posted on 28/04/2004 : 11:57:40
--------------------------------------------------------------------------------
A new variant, which will probably be tracked as NetSky.AB, is already circulating on the Internet through e-mails that attach a .pif file.
Running it creates a CSRSS.EXE file in the Windows directory and launches it from a registry key it creates for that purpose, among other things.
Note that the operating system already has a CSRSS.EXE, but in the system folder (WINDOWS\SYSTEM32), whereas the virus creates its copy in the WINDIR.
We will report more characteristics soon, but in the meantime, be careful...
regards
ms, 28-04-2004
Virus Research Engineer
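A host-side check for the indicator described in this post, as an added example (not code from the post or from McAfee): the operating system's csrss.exe lives in %WinDir%\System32, so a csrss.exe sitting directly in %WinDir%, or a Run value that launches one, is suspect. The function names, the sample inventory and the environment map are assumptions made for this example; the Run value name BagleAV is taken from the McAfee description quoted further down the page.

```python
"""Host-side triage for the csrss.exe indicator described above.

Added example, not code from the forum post or from McAfee. The legitimate
csrss.exe lives in %WinDir%\\System32, so a csrss.exe directly under %WinDir%
(where this variant drops it) or a Run value that launches one is suspect.
Function names, the sample inventory and the environment map are assumptions.
"""
import ntpath
import os
import re
import sys

TARGET_NAME = "csrss.exe"
KNOWN_RUN_VALUE = "BagleAV"   # value name McAfee reports for this variant


def expand_win_vars(path, env):
    """Expand %VAR% tokens from a lowercase-keyed mapping (portable, no os.environ)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def normalize(path, env):
    """Expand variables, normalise separators and '..', and lowercase for comparison."""
    return ntpath.normpath(expand_win_vars(path, env)).lower()


def classify_path(path, env):
    """'legit' for %WinDir%\\System32\\csrss.exe, 'masquerade' for any other
    csrss.exe, 'other' for files with a different name."""
    head, name = ntpath.split(normalize(path, env))
    if name != TARGET_NAME:
        return "other"
    system32 = ntpath.join(normalize("%windir%", env), "system32")
    return "legit" if head == system32 else "masquerade"


def image_path(run_data):
    """Strip quotes and arguments from Run value data to get the launched image."""
    data = run_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else data


def triage(files, run_values, env):
    """Return (kind, item, reason) findings for a file list and a Run value map."""
    findings = []
    for path in files:
        if classify_path(path, env) == "masquerade":
            findings.append(("file", path, "csrss.exe outside %WinDir%\\System32"))
    for name, data in run_values.items():
        target = image_path(data)
        if classify_path(target, env) == "masquerade":
            findings.append(("run", name, "Run value launches " + target))
        if name.lower() == KNOWN_RUN_VALUE.lower():
            findings.append(("run", name, "value name matches NetSky.AB's BagleAV"))
    return findings


def live_run_values():
    """Read HKLM\\...\\CurrentVersion\\Run on a Windows host (winreg exists only there)."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    values, index = {}, 0
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, index)
        except OSError:          # no more values
            break
        values[name] = str(data)
        index += 1
    return values


# Constructed sample inventory for this example (not from a real host).
SAMPLE_ENV = {"windir": "C:\\WINDOWS", "systemroot": "C:\\WINDOWS"}
SAMPLE_FILES = [
    "C:\\WINDOWS\\system32\\csrss.exe",   # the real one
    "C:\\WINDOWS\\CSRSS.EXE",             # where NetSky.AB installs itself
    "C:\\WINDOWS\\explorer.exe",
]
SAMPLE_RUN = {
    "BagleAV": "%WinDir%\\CSRSS.EXE",
    "ctfmon.exe": '"C:\\WINDOWS\\system32\\ctfmon.exe"',
}

if __name__ == "__main__":
    if sys.platform == "win32":
        env = {k.lower(): v for k, v in os.environ.items()}
        candidate = os.path.join(env["windir"], "CSRSS.EXE")
        files = [candidate] if os.path.exists(candidate) else []
        run_values = live_run_values()
    else:
        env, files, run_values = SAMPLE_ENV, SAMPLE_FILES, SAMPLE_RUN
    for kind, item, reason in triage(files, run_values, env):
        print(kind, item, reason)
```

The comparison is done on the normalised directory rather than on the value name, so a later variant that keeps the %WinDir%\CSRSS.EXE drop location but changes the Run value name is still caught; the BagleAV match is reported separately as a lower-confidence indicator.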
msc hotline sat
Administrator
Spain
5003 Posts  Posted on 28/04/2004 : 12:49:19
--------------------------------------------------------------------------------
McAfee has already sent us the characteristics of the new NetSky.AB variant:
____________________________________________________
Virus Name: W32/Netsky.ab@MM
Risk Assessment: Corporate User: Low / Home User: Low
Virus Information
Discovery Date: 04/28/2004
Origin: Unknown
Length: 17,920
Type: Virus
SubType: E-mail
Minimum DAT: 4354 (04/28/2004)
Updated DAT: 4354 (04/28/2004)
Minimum Engine: 4.2.40
Description Added: 04/28/2004
Description Modified: 04/28/2004 3:16 AM (PT)
Virus Characteristics:
This detection is for a new variant of W32/Netsky. It bears the following characteristics:
harvests email addresses from the victim machine
contains its own SMTP engine to construct outgoing messages
emails arrive with a PIF-extension attachment
spoofs the From: address
Mail Propagation
The virus harvests email addresses from files on the victim machine with the following extensions:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.oft
.php
.ods
.pl
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xls
.xml
Messages are constructed using the virus' own SMTP engine. They bear the following characteristics:
From: spoofed (using harvested email addresses)
Subject: (selected from one of the following)
Correction
Hurts
Privacy
Password
Wow
Criminal
Pictures
Text
Money
Stolen
Found
Numbers
Funny
Only
love?
More
samples
Picture
Letter
Question
Illegal
Body: (selected from one of the following)
Please use the font arial!
How can I help you?
Still?
I've your password.
Take it easy!
Why do you show your body?
Hey, are you criminal?
Your pictures are good!
The text you sent to me is not so good!
True love letter?
Do you have no money?
Do you have asked me?
I've found your creditcard.
Check the data!
Are your numbers correct?
You have no chance...
Wow! Why are you so shy?
Do you have more samples?
Do you have more photos about you?
Do you have written the letter?
Does it hurt you?
Please do not sent me your illegal stuff again!!!
Attachment: (PIF extensions with one of the following filenames)
corrected_doc.pif
hurts.pif
document1.pif
passwords02.pif
image034.pif
myabuselist.pif
your_picture01.pif
your_text01.pif
your_letter.pif
your_bill.pif
my_stolen_document.pif
visa_data.pif
pin_tel.pif
your_text.pif
loveletter02.pif
all_pictures.pif
your_letter_03.pif
your_picture.pif
abuses.pif
The virus installs itself on the victim machine as CSRSS.EXE:
%WinDir%\CSRSS.EXE
(%WinDir% = Windows directory, such as c:\windows or c:\winnt)
The following Registry key is added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "BagleAV" = %WinDir%\CSRSS.EXE
Symptoms
Outgoing DNS queries to one of the following hard-coded IP addresses:
212.44.160.8
195.185.185.195
151.189.13.35
213.191.74.19
193.189.244.205
145.253.2.171
193.141.40.42
193.193.144.12
217.5.97.137
195.20.224.234
194.25.2.130
194.25.2.129
212.185.252.136
212.185.253.70
212.185.252.73
62.155.255.16
194.25.2.134
194.25.2.133
194.25.2.132
194.25.2.131
193.193.158.10
212.7.128.165
212.7.128.162
Existence of the files and Registry keys detailed above
Method Of Infection
This worm spreads by email, constructing messages using its own SMTP engine.
Removal Instructions
Detection is included in our DAILY DAT (beta) files and will also be included in the next weekly DAT release. In addition to the DAT version requirements for detection, the specified
___________________________________________________
It is currently detected with the SDATDAILY available now, and from tomorrow it will be detected as normal with the 4354 DATs released tonight.
regards
ms, 28-04-2004
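A mail-gateway check built from the message characteristics in the McAfee description quoted above, as an added example (not code from the forum or from McAfee). It generalises one step beyond the lists: any .pif attachment is reported for blocking, because a .pif is a program information file with no legitimate use in e-mail, while a subject or attachment name from the description raises the confidence. The sample messages are constructed for this example, and the decision rule is an assumption made here.

```python
"""Score incoming mail against the NetSky.AB characteristics quoted above.

Added example, not code from the forum post or from McAfee. The subject and
attachment lists are taken from the description; the decision rule (any .pif
attachment blocks, a listed name adds confidence) is an assumption made here.
"""
import email
from email import policy

# Subjects and attachment names from the McAfee description (lowercased).
NETSKY_AB_SUBJECTS = {
    "correction", "hurts", "privacy", "password", "wow", "criminal",
    "pictures", "text", "money", "stolen", "found", "numbers", "funny",
    "only", "love?", "more", "samples", "picture", "letter", "question",
    "illegal",
}
NETSKY_AB_ATTACHMENTS = {
    "corrected_doc.pif", "hurts.pif", "document1.pif", "passwords02.pif",
    "image034.pif", "myabuselist.pif", "your_picture01.pif", "your_text01.pif",
    "your_letter.pif", "your_bill.pif", "my_stolen_document.pif",
    "visa_data.pif", "pin_tel.pif", "your_text.pif", "loveletter02.pif",
    "all_pictures.pif", "your_letter_03.pif", "your_picture.pif", "abuses.pif",
}


def attachment_names(msg):
    """Filenames of every non-container MIME part that carries a name."""
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def score_message(raw):
    """Return {'block': bool, 'reasons': [...]} for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons, block = [], False
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in NETSKY_AB_SUBJECTS:
        # Subjects alone are too common to block on; they only add confidence.
        reasons.append(f"subject '{subject}' is in the NetSky.AB list")
    for name in attachment_names(msg):
        lowered = name.lower()
        if lowered.endswith(".pif"):
            block = True
            reasons.append(f"executable .pif attachment: {name}")
            if lowered in NETSKY_AB_ATTACHMENTS:
                reasons.append(f"attachment name '{name}' is in the NetSky.AB list")
    return {"block": block, "reasons": reasons}


# Constructed sample messages for this example (not captured traffic).
SAMPLE_WORM_MAIL = """\
From: alice@example.com
To: bob@example.com
Subject: Password
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

I've your password.
--b1
Content-Type: application/octet-stream; name="passwords02.pif"
Content-Disposition: attachment; filename="passwords02.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

SAMPLE_CLEAN_MAIL = """\
From: carol@example.com
To: bob@example.com
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Agenda attached.
--b2
Content-Type: application/pdf; name="agenda.pdf"
Content-Disposition: attachment; filename="agenda.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM_MAIL), ("clean", SAMPLE_CLEAN_MAIL)):
        print(label, score_message(raw))
```

Matching on the exact subject and attachment names only identifies this variant; the generic .pif rule is the part worth keeping, since the From: address is spoofed from harvested addresses and cannot be used to identify the sender.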