NEW AC VARIANT OF THE NETSKY VIRUS CONTROLLED BY DATS 4358

msc hotline sat
Administrator
Posts: 93125
Joined: 09 Mar 2004, 20:39
Location: BARCELONA (SPAIN)


Post by msc hotline sat » 05 May 2004, 19:59

McAfee reports a new AV variant of NetSky, already controlled with tonight's DATS 4358.



Also, with the ELINETSA v 3.4 version uploaded today to this website (already available), it is removed like the previous ones.



Characteristics according to McAfee's description:

_________________________________________



Virus Name: W32/Netsky.ac@MM

Risk Assessment: Corporate User: Low; Home User: Low







Virus Information

Discovery Date: 05/05/2004

Origin: Unknown

Length: 36,864 Bytes

Type: Virus

SubType: E-mail worm

Minimum DAT: 4358 (05/05/2004)

Updated DAT: 4358 (05/05/2004)

Minimum Engine: 4.2.40

Description Added: 05/05/2004

Description Modified: 05/05/2004 9:15 AM (PT)








Virus Characteristics:

This detection is for a new variant of W32/Netsky. It bears the following characteristics:



harvests email addresses from the victim machine

contains its own SMTP engine to construct outgoing messages

email arrives as a CPL extension attachment

spoofs the From: address

Mail Propagation



The virus harvests email addresses from files on the victim machine with the following extensions:



.ppt

.nch

.mmf

.mht

.xml

.wsh

.jsp

.xls

.stm

.ods

.msg

.oft

.sht

.html

.htm

.pl

.dbx

.tbb

.adb

.dhtm

.cgi

.shtm

.uin

.rtf

.vbs

.doc

.wab

.asp

.mdx

.mbx

.cfg

.php

.txt

.eml

Messages are constructed using the virus' own SMTP engine. They bear the following characteristics:



Attachment: (CPL extensions with one of the following filenames)



Fix_MSBlast.B_(%random digits% ) .cpl

Fix_Mydoom.F_(%random digits% ) .cpl

Fix_Bagle.AB_(%random digits% ) .cpl

Fix_Sasser.B_(%random digits% ) .cpl

Fix_NetSky.AB_(%random digits% ) .cpl



From: spoofed (using any of the following addresses):



support@sophos.com

support@norman.com

support@nai.com

support@symantec.com



Subject:



Escalation



Message Body:



Dear user of , %Domain Name %





We have received several abuses:



- Hundreds of infected e-Mails have been sent

from your mail account by the new Bagle.AB worm

- Spam email has been relayed by the backdoor

that the virus has created



The malicious file uses your mail account to distribute

itself. The backdoor that the worm opens allows remote attackers

to gain the control of your computer. This new worm

is spreading rapidly around the world now

and it is a serios new threat that hits users.



Due to this, we are providing you to remove the

infection on your computer and to

stop the spreading of the malware with a

special desinfection tool attached to this mail.



If you have problems with the virus removal file,

please contact our support team at %From Address %

Note that we do not accept html email messages.





%Research Team %

Attach: (any of the CPL filenames listed as above)









Where :



%Domain Name% = The domain name from harvested email addresses from files listed above.



%From Address% = The email address in the 'From' field.



%Research Team% = Can be any one of the following:



Sophos AntiVirus Research Team

Norman AntiVirus Research Team

MCAfee AntiVirus Research Team

Norton AntiVirus Research Team
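The message characteristics above (spoofed vendor sender, the "Escalation" subject, the Fix_*_(digits).cpl attachment and the lure body) are enough to write a gateway-side check. The following is an added example, not McAfee's or this forum's code: it parses a raw message with the Python standard library and reports which indicators match. The two sample messages are constructed for the example; the indicator values themselves are the ones in the description.

```python
# Added example (not McAfee's or the forum's own code): gateway-side check for
# mail matching the W32/Netsky.ac@MM lure described above. The sample messages
# are constructed here; the sender list, subject, attachment pattern and body
# phrases come from the description.
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

SPOOFED_FROM = {
    "support@sophos.com",
    "support@norman.com",
    "support@nai.com",
    "support@symantec.com",
}
LURE_SUBJECT = "Escalation"
# Fix_<family>_(<random digits> ) .cpl -- the stray spaces before ')' and '.'
# are tolerated (\s*) because the listing shows them.
ATTACHMENT_RE = re.compile(
    r"^Fix_(MSBlast\.B|Mydoom\.F|Bagle\.AB|Sasser\.B|NetSky\.AB)_\(\d+\s*\)\s*\.cpl$",
    re.IGNORECASE,
)
BODY_PHRASES = ("We have received several abuses", "special desinfection tool")


def attachment_names(msg: Message) -> list:
    """Filenames of all parts that carry one (attachments)."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def plain_text(msg: Message) -> str:
    """Concatenate the text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("latin-1", "replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> dict:
    """Which Netsky.ac lure indicators a raw RFC 2822 message matches."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    body = plain_text(msg)
    return {
        "spoofed_from": sender.lower() in SPOOFED_FROM,
        "lure_subject": (msg.get("Subject") or "").strip() == LURE_SUBJECT,
        "cpl_attachment": any(ATTACHMENT_RE.match(n) for n in attachment_names(msg)),
        "lure_body": any(phrase in body for phrase in BODY_PHRASES),
    }


def is_netsky_ac_lure(raw: str) -> bool:
    """Quarantine rule: the CPL dropper name plus at least one other indicator."""
    s = score_message(raw)
    return s["cpl_attachment"] and (s["spoofed_from"] or s["lure_subject"] or s["lure_body"])


# Constructed sample: the lure as the description lays it out.
SAMPLE_LURE = """\
From: support@nai.com
To: user@example.org
Subject: Escalation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear user of , example.org

We have received several abuses:
- Hundreds of infected e-Mails have been sent
from your mail account by the new Bagle.AB worm

--b1
Content-Type: application/octet-stream; name="Fix_Bagle.AB_(4871 ) .cpl"
Content-Disposition: attachment; filename="Fix_Bagle.AB_(4871 ) .cpl"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed sample: an ordinary message from the same vendor domain.
SAMPLE_BENIGN = """\
From: support@nai.com
To: user@example.org
Subject: Your ticket has been updated

Your ticket 123 has been updated by our support team.
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        verdict = "quarantine" if is_netsky_ac_lure(raw) else "deliver"
        print(label, score_message(raw), "->", verdict)
```

The rule deliberately keys on the attachment name and requires one more indicator, so a legitimate vendor message (the benign sample) passes even though its sender is on the spoofed list: the spoofed From: alone means nothing, since the worm is impersonating real support addresses.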





The virus contains 2 components:



CPL file - Dropper component - (36,864 bytes)

EXE file - The actual worm itself - (18,432 bytes)

The dropper component is copied on the victim machine as COMP.CPL:



%WinDir%\COMP.CPL

The worm component is copied on the victim's machine as WSERVER.EXE:



%WinDir%\WSERVER.EXE

(%WinDir% = Windows directory, such as c:\windows or c:\winnt)



The following Registry key is added to hook system startup:



HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "wserver" = %WinDir%\wserver.exe
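The two dropped files and the Run-key value above are the host-side artifacts (the Symptoms section later restates them as "existence of the files and Registry keys detailed above"). The following is an added example, not McAfee's or this forum's code, that matches a host inventory against those artifacts. The inventories are constructed; the live collector reads the real Run key through winreg and is only used on Windows, everywhere else the sample inventory is checked instead.

```python
# Added example (not McAfee's or the forum's own code): match a host inventory
# against the file and Run-key artifacts listed above. The inventories below are
# constructed; collect_live() reads the real values only on Windows.
import os
import sys

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "wserver"                        # value name the worm registers
DROPPED_FILES = ("COMP.CPL", "WSERVER.EXE")  # both placed in %WinDir%


def check_indicators(windir: str, run_values: dict, existing_files) -> list:
    """Return human-readable hits. run_values maps Run value names to data;
    existing_files is any iterable of full paths present on the host."""
    windir = windir.rstrip("\\")
    present = {p.lower() for p in existing_files}
    hits = []
    for name in DROPPED_FILES:
        path = f"{windir}\\{name}"
        if path.lower() in present:
            hits.append(f"file present: {path}")
    for name, data in run_values.items():
        # Match on the value name and on the binary it launches, not on the
        # exact %WinDir% spelling, so c:\windows and c:\winnt both match.
        if name.lower() == RUN_VALUE and str(data).lower().endswith("\\wserver.exe"):
            hits.append(f'startup hook: {RUN_KEY} "{name}" = {data}')
    return hits


def collect_live():
    """On Windows, read %WinDir%, the Run key and the dropped-file paths.
    Returns None elsewhere so the check can still be exercised with samples."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    windir = os.environ.get("WINDIR", r"C:\Windows")
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_SUBKEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = data
            index += 1
    files = [os.path.join(windir, f) for f in DROPPED_FILES
             if os.path.exists(os.path.join(windir, f))]
    return windir, values, files


# Constructed inventories (not real hosts).
SAMPLE_INFECTED = {
    "windir": r"C:\WINNT",
    "run_values": {"wserver": r"C:\WINNT\wserver.exe",
                   "ctfmon.exe": r"C:\WINNT\system32\ctfmon.exe"},
    "existing_files": [r"C:\WINNT\COMP.CPL", r"C:\WINNT\WSERVER.EXE",
                       r"C:\WINNT\notepad.exe"],
}
SAMPLE_CLEAN = {
    "windir": r"C:\WINDOWS",
    "run_values": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    "existing_files": [r"C:\WINDOWS\notepad.exe"],
}

if __name__ == "__main__":
    live = collect_live()
    inventory = (dict(zip(("windir", "run_values", "existing_files"), live))
                 if live else SAMPLE_INFECTED)
    for hit in check_indicators(**inventory) or ["no Netsky.ac artifacts found"]:
        print(hit)
```

Comparisons are case-insensitive because NTFS paths and registry value names are; the Run-key match checks the launched binary rather than the literal %WinDir% string so that both c:\windows and c:\winnt installations are covered.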



The virus avoids sending itself to addresses which contain the following strings:



iruslis

antivir

sophos

freeav

andasoftwa

skynet

messagelabs

abuse

fbi

orton

f-pro

aspersky

cafee

orman

itdefender

f-secur

avp

spam

ymantec

antivi

icrosoft








Symptoms



Outgoing DNS queries to one of the following hard-coded IP addresses:





212.44.160.8

195.185.185.195

151.189.13.35

213.191.74.19

193.189.244.205

145.253.2.171

193.141.40.42

193.193.144.12

217.5.97.137

195.20.224.234

194.25.2.130

194.25.2.129

212.185.252.136

212.185.253.70

212.185.252.73

62.155.255.16

194.25.2.134

194.25.2.133

194.25.2.132

194.25.2.131

193.193.158.10

212.7.128.165

212.7.128.162



Existence of the files and Registry keys detailed above
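The outgoing DNS queries listed above are a network-side symptom: an internal workstation that should only use the corporate resolver suddenly querying one of those 23 public addresses on port 53. The following is an added example, not McAfee's or this forum's code, that scans firewall or flow log lines for that pattern. The log line format and the sample lines are constructed for the example; only the address list comes from the description.

```python
# Added example (not McAfee's or the forum's own code): scan firewall / flow
# logs for internal hosts sending DNS queries to the resolver addresses listed
# above. The log lines and their format are constructed for this example.
import re
from collections import defaultdict

# The 23 addresses from the description.
NETSKY_AC_DNS_SERVERS = frozenset({
    "212.44.160.8", "195.185.185.195", "151.189.13.35", "213.191.74.19",
    "193.189.244.205", "145.253.2.171", "193.141.40.42", "193.193.144.12",
    "217.5.97.137", "195.20.224.234", "194.25.2.130", "194.25.2.129",
    "212.185.252.136", "212.185.253.70", "212.185.252.73", "62.155.255.16",
    "194.25.2.134", "194.25.2.133", "194.25.2.132", "194.25.2.131",
    "193.193.158.10", "212.7.128.165", "212.7.128.162",
})

# Constructed line format: <timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Constructed sample log (not from the page).
SAMPLE_LOG = """\
2004-05-05T20:01:11 allow udp 10.0.5.17:1043 -> 194.25.2.130:53
2004-05-05T20:01:11 allow udp 10.0.5.17:1044 -> 212.7.128.165:53
2004-05-05T20:01:12 allow udp 10.0.5.17:1045 -> 10.0.0.2:53
2004-05-05T20:01:13 allow tcp 10.0.5.17:1046 -> 192.0.2.25:25
2004-05-05T20:02:40 allow udp 10.0.7.3:2201 -> 10.0.0.2:53
2004-05-05T20:03:02 deny tcp 10.0.9.9:3001 -> 194.25.2.134:80
2004-05-05T20:03:05 deny udp 10.0.9.9:3002 -> 194.25.2.134:53
garbage line that does not parse
"""


def suspicious_resolvers(log_text: str) -> dict:
    """Map each source host to the sorted list of listed DNS servers it
    queried on port 53. Denied attempts count too: the query itself is the
    symptom, whether or not the firewall let it through."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] != "53":
            continue
        if m["dst"] in NETSKY_AC_DNS_SERVERS:
            hits[m["src"]].add(m["dst"])
    return {host: sorted(servers) for host, servers in hits.items()}


if __name__ == "__main__":
    for host, servers in suspicious_resolvers(SAMPLE_LOG).items():
        print(f"{host} queried {len(servers)} listed resolver(s): {', '.join(servers)}")
```

Traffic to the listed addresses on other ports (the port 80 line) is ignored, since the description names DNS queries specifically; the corporate resolver (10.0.0.2 in the sample) never matches, so the normal host 10.0.7.3 is not reported.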






Method Of Infection

This worm spreads by email, constructing messages using its own SMTP engine.



__________________________________________



regards



ms, 05-05-2004
