msc hotline sat
- Posts: 93500
- Registered: 09 Mar 2004, 20:39
- Location: BARCELONA (SPAIN)
Post by msc hotline sat » 06 Apr 2004, 13:24
A new NetSky variant is detected by McAfee as S, and is covered starting with DATS 4348 of 7-04-2004, although it can already be covered with today's DAILYDATS (continuous daily DATS)
__________________________________________
Internet Worm Name: W32/Netsky.t@MM
Risk Assessment:
Corporate User: Low
Home User: Low
Internet Worm Information
Discovery Date: 04/06/2004
Origin: Unknown
Length: 18,432 bytes (UPX packed)
Type: Internet Worm
SubType: E-mail worm
Minimum DAT: 4348
Release Date: 04/07/2004
Minimum Engine: 4.2.40
Description Added: 04/06/2004
Description Modified: 04/06/2004 2:15 AM (PT)
Internet Worm Characteristics:
This variant of W32/Netsky is very similar to W32/Netsky.s@MM. It bears the following characteristics:
constructs messages using its own SMTP engine
harvests email addresses from the victim machine
spoofs the From: address of messages
opens a port on the victim machine (TCP 6789)
delivers a DoS attack on certain web sites upon a specific date condition
The EXTRA.DAT posted for W32/Netsky.s@MM will detect this threat as virus or variant W32/Netsky.s@MM (with the scanning of compressed files enabled).
System Changes
Just like its predecessor, the worm installs itself on the victim machine as EASYAV.EXE in the Windows directory. For example:
%WinDir%\EASYAV.EXE
The following Registry key is added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "EasyAV" = %WinDir%\EASYAV.EXE
A base-64 encoded copy of the worm is saved to disk as UINMZERTINMDS.OPM in the Windows directory:
%WinDir%\UINMZERTINMDS.OPM
Remote Access Component
The worm opens port 6789 (TCP) on the victim machine. This facilitates the downloading and execution of files.
Symptoms
Outgoing DNS query to one of the following DNS servers (IP list carried within the worm):
212.44.160.8
195.185.185.195
151.189.13.35
213.191.74.19
193.189.244.205
145.253.2.171
193.141.40.42
194.25.2.134
194.25.2.133
194.25.2.132
194.25.2.131
193.193.158.10
212.7.128.165
212.7.128.162
193.193.144.12
217.5.97.137
195.20.224.234
194.25.2.130
194.25.2.129
212.185.252.136
212.185.253.70
212.185.252.73
Existence of the files/Registry keys detailed above
TCP port 6789 open on the victim machine
Method Of Infection
This worm spreads by email, constructing messages using its own SMTP engine.
Removal Instructions
Detection is included in our DAILY DAT (beta) files and will also be included in the next weekly DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.
__________________________________________
available from:
http://vil.nai.com/vil/content/v_101161.htm
regards
ms, 06-04-2004
Last edited by msc hotline sat on 06 Apr 2004, 18:11, edited 1 time in total.
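The "Symptoms" section of the quoted McAfee description gives four host and network indicators (the hard-coded DNS server list, the dropped files, the EasyAV Run value, and TCP 6789 listening). The script below is an added example, not part of the forum post or of McAfee's material: it turns those indicators into a small triage routine and runs it over constructed sample inputs. The input formats are assumptions chosen for the example (a `netstat -an` style listing, a `reg query` style dump of the Run key, a generic "date time action proto src:port dst:port" firewall log, and a plain list of paths from %WinDir%); adapt the parsers to whatever your tooling actually emits.

```python
"""Triage helper for the W32/Netsky.t@MM indicators listed in the McAfee description.

Added example: indicator values are transcribed from the description quoted above;
the input formats parsed here are assumptions made for this example.
"""

# Hard-coded DNS servers carried within the worm (from the "Symptoms" list).
NETSKY_DNS_SERVERS = frozenset({
    "212.44.160.8", "195.185.185.195", "151.189.13.35", "213.191.74.19",
    "193.189.244.205", "145.253.2.171", "193.141.40.42", "194.25.2.134",
    "194.25.2.133", "194.25.2.132", "194.25.2.131", "193.193.158.10",
    "212.7.128.165", "212.7.128.162", "193.193.144.12", "217.5.97.137",
    "195.20.224.234", "194.25.2.130", "194.25.2.129", "212.185.252.136",
    "212.185.253.70", "212.185.252.73",
})
NETSKY_FILES = ("EASYAV.EXE", "UINMZERTINMDS.OPM")  # dropped into %WinDir%
NETSKY_RUN_VALUE = "EasyAV"                          # HKLM\...\Run value name
NETSKY_PORT = 6789                                   # backdoor listener (TCP)


def listening_ports(netstat_output):
    """Return the set of TCP ports in LISTENING state from `netstat -an` style text."""
    ports = set()
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            ports.add(int(f[1].rsplit(":", 1)[1]))
    return ports


def dns_contacts(firewall_log):
    """Return destination IPs of port-53 flows that hit the worm's DNS server list.

    Assumed (constructed) line format: 'date time action proto src:port dst:port'.
    """
    hits = set()
    for line in firewall_log.splitlines():
        f = line.split()
        if len(f) < 6:
            continue
        dst_ip, _, dst_port = f[5].rpartition(":")
        if dst_port == "53" and dst_ip in NETSKY_DNS_SERVERS:
            hits.add(dst_ip)
    return hits


def run_key_hit(reg_query_output):
    """Return the command of the EasyAV Run value from `reg query` style output, or None."""
    for line in reg_query_output.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0].lower() == NETSKY_RUN_VALUE.lower():
            return f[-1]
    return None


def dropped_files(windows_dir_listing):
    """Return the worm file names present in a listing of %WinDir% (case-insensitive)."""
    names = {p.replace("/", "\\").rsplit("\\", 1)[-1].upper() for p in windows_dir_listing}
    return [name for name in NETSKY_FILES if name in names]


def triage(netstat_output, firewall_log, reg_query_output, windows_dir_listing):
    """Combine the four checks into a list of human-readable findings (empty if clean)."""
    findings = []
    if NETSKY_PORT in listening_ports(netstat_output):
        findings.append(f"TCP {NETSKY_PORT} listening (remote access component)")
    for ip in sorted(dns_contacts(firewall_log)):
        findings.append(f"DNS query to hard-coded server {ip}")
    cmd = run_key_hit(reg_query_output)
    if cmd:
        findings.append(f"Run key {NETSKY_RUN_VALUE} -> {cmd}")
    for name in dropped_files(windows_dir_listing):
        findings.append(f"file {name} in Windows directory")
    return findings


# Constructed sample inputs for an infected host (not real captures).
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6789           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1043      194.25.2.134:25        ESTABLISHED
"""
SAMPLE_FWLOG = """2004-04-06 13:01:02 ALLOW UDP 192.168.1.20:1045 194.25.2.134:53
2004-04-06 13:01:03 ALLOW UDP 192.168.1.20:1046 192.168.1.1:53
2004-04-06 13:01:09 ALLOW TCP 192.168.1.20:1047 212.44.160.8:53
"""
SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    EasyAV    REG_SZ    C:\WINDOWS\EASYAV.EXE
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""
SAMPLE_WINDIR = [r"C:\WINDOWS\EASYAV.EXE", r"C:\WINDOWS\UINMZERTINMDS.OPM",
                 r"C:\WINDOWS\notepad.exe"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_FWLOG, SAMPLE_REG, SAMPLE_WINDIR):
        print("[!]", finding)
```

The file and Run-key indicators are the ones to weight: a listener on TCP 6789 or a lookup against a public resolver on the list can occur on a clean host, so treat those two as corroboration rather than as proof on their own, and confirm by submitting the EASYAV.EXE sample to a scanner using the DAT/engine versions stated above.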
Post by msc hotline sat » 06 Apr 2004, 17:59
Since propagation has increased, judging by the incidents received, McAfee is issuing a special alert for this variant, which, besides being covered by the upcoming DATS 4348, can be covered by adding the EXTRA.DAT file detailed below to the DAT files folder of the McAfee antivirus:
__________________________________________
86 178 139 180 77 51 192 130 52 232 140 159 49 204 128 88
6 195 163 250 194 105 64 188 2 214 40 126 142 49 152 179
235 49 114 185 196 54 64 188 2 214 40 244 242 55 28 177
12 50 202 85 15 204 142 244 196 54 64 188 2 214 40 199
142 49 140 179 112 204 142 87 12 51 86 178 33 160 138 179
77 51 141 179 64 105 138
7667 256 12442 334 M19
87 178 159 177 77 51 218 128 63 28 195 214 121 64 230 202
35 64 205 254 64 204 137 34 15 50 140 48 15 115 141 18
2 177 211 233 197 225 93 247 243 142 168 114 167 150 165 80
242 50 249 48 15 51 140 22 29 148 41 205 31 213 158 63
216 134 14 124 85 206 193 104 170 62 15 182 13 1 160 76
13 39 64 177 10 51 195 180
8424 256 12442 334 W32/Netsky.s@MM
88 178 159 177 77 51 218 128 63 28 195 214 121 64 230 202
35 64 205 254 64 233 140 159 242 50 249 206 142 49 137 179
204 34 146 179 198 247 69 115 219 243 90 96 205 228 40 22
253 210 120 199 204 56 114 178 235 249 70 98 205 248 92 59
252 62 15 182 13 18 150 76 14 39 64 177 10 51 195 32
10 44 205 179 13 51 233 18 10
9369 256 12442 334 W32/Netsky.s@MM
232 178 154 177 9 179 218 128 63 28 195 214 121 64 230 202
35 64 163 214 96 95 172 214 117 86 13 177 157 51 114 181
161 55 141 179 141 51 85 183 13 51 210 179 242 55 15 177
12 51 40 177 229 223 114 178 109 150 143 66 254 204 137 49
15 50 141 22 15 208 122 76 12 83 114 183 143 49 140 179
168 49 122 83 242 50 237 76 9 177 143 178 13 150 143 66
231 204 140 211 242 55 15 177 12 51 40 177 240 187 114 178
109 150 143 42 137 150 139 188 169 150 40 95 197 150 143 155
31 71 40 182 238 228 71 123 136 64 107 177 13 20 68 164
252 192 89 71 233 215 101 87 233 215 105 83 233 215 105 87
135 185 16 87 233 218 79 199 235 49 178 178 196 35 125 83
253 215 105 83 223 212 105 97 236 192 95 65 157 215 249 114
16 204 138 33 238 204 121 127 254 206 71 32 233 195 105 95
209 239 100 70 255 212 64 71 233 213 108 110 233 238 128 49
8 51 232 237 1 51 153 253 10
30624 256 12442 334 W32/Netsky.s.eml!exe
__________________________________________
As always, select the script shown between the lines, copy and paste it into Notepad and save it as EXTRA.DAT, then add it to the DATS folder.
Regards
ms, 06-04-2004