EMERGENCY FORUM ALERTS - 3

msc hotline sat
Posts: 93500
Joined: 09 Mar 2004, 20:39
Location: BARCELONA (SPAIN)


Post by msc hotline sat » 30 Apr 2004, 16:15

NEW NETSKY VARIANT: CREATES A CSRSS.EXE FILE







Topic author: msc hotline sat (Administrator, Spain, 5003 posts)
Posted on 28/04/2004 : 11:57:40

--------------------------------------------------------------------------------

A new variant, which will probably be detected as NetSky.AB, is already spreading across the Internet via e-mails that attach a .pif file.

Running it creates a CSRSS.EXE file in the Windows directory, calling it from a registry key it creates for that purpose, among other things.

Note that a CSRSS.EXE belonging to the operating system already exists, but in the system folder (WINDOWS\SYSTEM32), whereas the virus creates its copy in WINDIR.

We will report more characteristics shortly, but in the meantime, be careful...



regards

ms, 28-04-2004

Virus Research Engineer










msc hotline sat (Administrator, Spain, 5003 posts)
Posted on 28/04/2004 : 12:49:19

--------------------------------------------------------------------------------

McAfee has already sent us the characteristics of the new NetSky.AB variant:



____________________________________________________



Virus Name: W32/Netsky.ab@MM
Risk Assessment: Corporate User: Low / Home User: Low







Virus Information

Discovery Date: 04/28/2004

Origin: Unknown

Length: 17,920

Type: Virus

SubType: E-mail

Minimum DAT: 4354 (04/28/2004)

Updated DAT: 4354 (04/28/2004)

Minimum Engine: 4.2.40

Description Added: 04/28/2004

Description Modified: 04/28/2004 3:16 AM (PT)








Virus Characteristics:

This detection is for a new variant of W32/Netsky. It bears the following characteristics:
harvests email addresses from the victim machine
contains its own SMTP engine to construct outgoing messages
e-mail arrives as a PIF extension attachment
spoofs the From: address

Mail Propagation



The virus harvests email addresses from files on the victim machine with the following extensions:
.adb, .asp, .cfg, .cgi, .dbx, .dhtm, .doc, .eml, .htm, .html, .jsp, .mbx, .mdx, .mht, .mmf, .msg, .nch, .oft, .php, .ods, .pl, .ppt, .rtf, .sht, .shtm, .stm, .tbb, .txt, .uin, .vbs, .wab, .wsh, .xls, .xml

Messages are constructed using the virus' own SMTP engine. They bear the following characteristics:

From: spoofed (using harvested email addresses)
Subject: (selected from one of the following)
Correction, Hurts, Privacy, Password, Wow, Criminal, Pictures, Text, Money, Stolen, Found, Numbers, Funny, Only, love?, More, samples, Picture, Letter, Question, Illegal

Body: (selected from one of the following)
Please use the font arial!
How can I help you?
Still?
I've your password.
Take it easy!
Why do you show your body?
Hey, are you criminal?
Your pictures are good!
The text you sent to me is not so good!
True love letter?
Do you have no money?
Do you have asked me?
I've found your creditcard.
Check the data!
Are your numbers correct?
You have no chance...
Wow! Why are you so shy?
Do you have more samples?
Do you have more photos about you?
Do you have written the letter?
Does it hurt you?
Please do not sent me your illegal stuff again!!!

Attachment: (PIF extensions with one of the following filenames)
corrected_doc.pif, hurts.pif, document1.pif, passwords02.pif, image034.pif, myabuselist.pif, your_picture01.pif, your_text01.pif, your_letter.pif, your_bill.pif, my_stolen_document.pif, visa_data.pif, pin_tel.pif, your_text.pif, loveletter02.pif, all_pictures.pif, your_letter_03.pif, your_picture.pif, abuses.pif
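As an added example (not McAfee's or the forum's code), the following Python shows how a mail-gateway rule could use the message characteristics listed above. The subject and attachment sets are copied from the lists in the description; the `classify_message` function, its verdict labels and the sample messages are assumptions constructed for this illustration.

```python
# Added example (not McAfee's or the forum's code): gateway triage heuristics built
# from the W32/Netsky.ab message characteristics quoted on this page.
import ntpath
from typing import Dict, List, Optional

# Subjects and attachment names exactly as listed in the McAfee description.
NETSKY_AB_SUBJECTS = {
    "Correction", "Hurts", "Privacy", "Password", "Wow", "Criminal", "Pictures",
    "Text", "Money", "Stolen", "Found", "Numbers", "Funny", "Only", "love?",
    "More", "samples", "Picture", "Letter", "Question", "Illegal",
}
NETSKY_AB_ATTACHMENTS = {
    "corrected_doc.pif", "hurts.pif", "document1.pif", "passwords02.pif",
    "image034.pif", "myabuselist.pif", "your_picture01.pif", "your_text01.pif",
    "your_letter.pif", "your_bill.pif", "my_stolen_document.pif", "visa_data.pif",
    "pin_tel.pif", "your_text.pif", "loveletter02.pif", "all_pictures.pif",
    "your_letter_03.pif", "your_picture.pif", "abuses.pif",
}
_SUBJECTS_LC = {s.lower() for s in NETSKY_AB_SUBJECTS}


def classify_message(subject: str, attachment: Optional[str]) -> Dict[str, object]:
    """Return a verdict ('block', 'review' or 'pass') plus the indicators that fired.

    Matching is case-insensitive: mail clients and gateways do not agree on how
    they preserve the case of subjects and attachment filenames. ntpath.basename
    strips any directory part a client may have left in the filename.
    """
    indicators: List[str] = []
    name = ntpath.basename(attachment or "").strip().lower()
    is_pif = name.endswith(".pif")
    if is_pif:
        indicators.append("pif_attachment")
    if name in NETSKY_AB_ATTACHMENTS:
        indicators.append("known_netsky_ab_filename")
    if subject.strip().lower() in _SUBJECTS_LC:
        indicators.append("known_netsky_ab_subject")

    if "known_netsky_ab_filename" in indicators or (
        is_pif and "known_netsky_ab_subject" in indicators
    ):
        verdict = "block"
    elif is_pif:
        # A PIF attachment is an executable and rare in legitimate mail, so it is
        # worth a human look even when neither list matches.
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "indicators": indicators}


if __name__ == "__main__":
    # Constructed sample messages, not real captures.
    for subj, att in [
        ("Password", "passwords02.pif"),
        ("Hello", "setup.PIF"),
        ("Quarterly report", "report.docx"),
    ]:
        print(subj, att, classify_message(subj, att))
```

The subject words alone are too generic to block on ("Password", "Question"), which is why the rule only blocks when the subject coincides with a PIF attachment; the filename list is specific enough to block on its own.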

The virus installs itself on the victim machine as CSRSS.EXE:

%WinDir%\CSRSS.EXE
(%WinDir% = Windows directory, such as c:\windows or c:\winnt)

The following Registry key is added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "BagleAV" = %WinDir%\CSRSS.EXE
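The first post's warning, that the operating system's own CSRSS.EXE lives in WINDOWS\SYSTEM32 while the worm drops its copy in WINDIR, together with the file and Run-key indicators just quoted, is exactly what a host check has to tell apart. The following Python is an added example (not McAfee's or the forum's code) that applies that distinction to a constructed snapshot of file paths and Run values; `find_netsky_ab_indicators`, the sample snapshot and the finding labels are assumptions for this illustration, and ntpath is used so the Windows path comparison runs on any OS.

```python
# Added example (not McAfee's or the forum's code): host triage for the
# %WinDir%\CSRSS.EXE file and the "BagleAV" Run value described on this page.
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

Finding = Tuple[str, str, str]  # (kind, item, reason)

# Constructed snapshot of a machine, not a real capture.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\csrss.exe",   # the legitimate Client/Server Runtime
    r"C:\WINDOWS\CSRSS.EXE",            # where the worm installs itself
    r"C:\WINDOWS\explorer.exe",
]
SAMPLE_RUN_VALUES = {
    "BagleAV": r"%WinDir%\CSRSS.EXE",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}


def _norm(path: str) -> str:
    """Lower-case and normalise a Windows path (quotes and stray whitespace removed)."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def find_netsky_ab_indicators(
    windir: str, file_paths: Iterable[str], run_values: Dict[str, str]
) -> List[Finding]:
    """Flag a csrss.exe outside system32 and Run values tied to it.

    The OS binary is expected only at %WinDir%\\system32\\csrss.exe; a copy
    directly in %WinDir% matches the worm's install location.
    """
    findings: List[Finding] = []
    windir_n = _norm(windir)
    rogue = ntpath.join(windir_n, "csrss.exe")
    legit = ntpath.join(windir_n, "system32", "csrss.exe")

    for path in file_paths:
        p = _norm(path)
        if ntpath.basename(p) != "csrss.exe":
            continue
        if p == rogue:
            findings.append(("file", path, "csrss.exe in the Windows directory root; the OS copy lives in system32"))
        elif p != legit:
            findings.append(("file", path, "csrss.exe outside system32"))

    for name, data in run_values.items():
        if name.lower() == "bagleav":
            findings.append(("registry", name, "Run value name used by W32/Netsky.ab"))
        # Expand a literal %WinDir% without touching the real environment; a
        # callable replacement avoids re interpreting backslashes in the path.
        expanded = re.sub(r"%windir%", lambda _m: windir, data, flags=re.IGNORECASE)
        if _norm(expanded) == rogue:
            findings.append(("registry", name, "Run value launches %WinDir%\\CSRSS.EXE"))
    return findings


if __name__ == "__main__":
    for kind, item, reason in find_netsky_ab_indicators(r"C:\WINDOWS", SAMPLE_FILES, SAMPLE_RUN_VALUES):
        print(f"{kind:8} {item:40} {reason}")
```

On a live system the file list would come from a directory walk of %WinDir% and the Run values from the HKLM Run key; the check deliberately compares full normalised paths rather than just the filename, so the legitimate system32 copy is never reported.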






Symptoms

Outgoing DNS queries to one of the following hard-coded IP addresses:
212.44.160.8, 195.185.185.195, 151.189.13.35, 213.191.74.19, 193.189.244.205, 145.253.2.171, 193.141.40.42, 193.193.144.12, 217.5.97.137, 195.20.224.234, 194.25.2.130, 194.25.2.129, 212.185.252.136, 212.185.253.70, 212.185.252.73, 62.155.255.16, 194.25.2.134, 194.25.2.133, 194.25.2.132, 194.25.2.131, 193.193.158.10, 212.7.128.165, 212.7.128.162

Existence of the files and Registry keys detailed above
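As an added example (not McAfee's or the forum's code), the Python below scans connection log lines for DNS traffic to the addresses listed under Symptoms. The address set is copied from the list above; the log line format, the `scan_log` and `suspicious_sources` functions and the sample lines are constructed assumptions. It goes slightly beyond the text by grouping hits per internal host, since one machine querying several of the listed resolvers is a stronger signal than a single lookup.

```python
# Added example (not McAfee's or the forum's code): flag outbound DNS flows to the
# hard-coded addresses quoted in the Symptoms section, using a constructed log format.
import re
from typing import Dict, List, Set

# The 23 addresses listed in the McAfee description.
NETSKY_AB_DNS_SERVERS = frozenset({
    "212.44.160.8", "195.185.185.195", "151.189.13.35", "213.191.74.19",
    "193.189.244.205", "145.253.2.171", "193.141.40.42", "193.193.144.12",
    "217.5.97.137", "195.20.224.234", "194.25.2.130", "194.25.2.129",
    "212.185.252.136", "212.185.253.70", "212.185.252.73", "62.155.255.16",
    "194.25.2.134", "194.25.2.133", "194.25.2.132", "194.25.2.131",
    "193.193.158.10", "212.7.128.165", "212.7.128.162",
})

# Constructed line format (hypothetical, not any real product's format):
#   <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
_LINE = re.compile(r"^(\S+)\s+(\w+)\s+([\d.]+):(\d+)\s*->\s*([\d.]+):(\d+)$")

# Constructed sample log; 192.0.2.0/24 is documentation address space.
SAMPLE_LOG = [
    "2004-04-28T11:57:40 UDP 192.0.2.10:1034 -> 194.25.2.130:53",
    "2004-04-28T11:57:41 UDP 192.0.2.10:1035 -> 212.44.160.8:53",
    "2004-04-28T11:57:42 UDP 192.0.2.20:1100 -> 192.0.2.1:53",
    "2004-04-28T11:57:43 TCP 192.0.2.10:1036 -> 194.25.2.130:25",
    "this line is not in the expected format",
]


def scan_log(lines) -> List[Dict[str, str]]:
    """Return one hit per DNS (port 53) flow to a listed address; malformed lines are skipped."""
    hits: List[Dict[str, str]] = []
    for raw in lines:
        m = _LINE.match(raw.strip())
        if not m:
            continue
        ts, proto, src, _sport, dst, dport = m.groups()
        if dport == "53" and dst in NETSKY_AB_DNS_SERVERS:
            hits.append({"time": ts, "proto": proto.upper(), "src": src, "dst": dst})
    return hits


def suspicious_sources(hits, min_distinct: int = 2) -> Dict[str, Set[str]]:
    """Group hits by internal source and keep hosts that reached several listed addresses."""
    by_src: Dict[str, Set[str]] = {}
    for h in hits:
        by_src.setdefault(h["src"], set()).add(h["dst"])
    return {src: dsts for src, dsts in by_src.items() if len(dsts) >= min_distinct}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print("hosts to isolate and check:", suspicious_sources(found))
```

Only port 53 flows are counted, matching the "DNS queries" wording of the symptom; the same source appearing on port 25 to those hosts is left for the mail-gateway side rather than mixed into this check.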






Method Of Infection

This worm spreads by email, constructing messages using its own SMTP engine.






Removal Instructions

Detection is included in our DAILY DAT (beta) files and will also be included in the next weekly DAT release. In addition to the DAT version requirements for detection, the specified



___________________________________________________



It is currently detected with the current SDATDAILY, and from tomorrow normally with the 4354 DATs from tonight.



regards



ms, 28-04-2004
