Also, with version 3.4 of ELINETSA uploaded to this site today (now available), it is removed like the previous ones.
Characteristics according to McAfee's description:
_________________________________________
Virus Name: W32/Netsky.ac@MM
Risk Assessment:
Corporate User: Low
Home User: Low
Virus Information
Discovery Date: 05/05/2004
Origin: Unknown
Length: 36,864 Bytes
Type: Virus
SubType: E-mail worm
Minimum DAT: 4358 (05/05/2004)
Updated DAT: 4358 (05/05/2004)
Minimum Engine: 4.2.40
Description Added: 05/05/2004
Description Modified: 05/05/2004 9:15 AM (PT)
Virus Characteristics:
This detection is for a new variant of W32/Netsky. It bears the following characteristics:
harvests email addresses from the victim machine
contains its own SMTP engine to construct outgoing messages
emails arrive with a .CPL attachment
spoofs the From: address
Mail Propagation
The virus harvests email addresses from files on the victim machine with the following extensions:
.ppt
.nch
.mmf
.mht
.xml
.wsh
.jsp
.xls
.stm
.ods
.msg
.oft
.sht
.html
.htm
.pl
.dbx
.tbb
.adb
.dhtm
.cgi
.shtm
.uin
.rtf
.vbs
.doc
.wab
.asp
.mdx
.mbx
.cfg
.php
.txt
.eml
Messages are constructed using the virus' own SMTP engine. They bear the following characteristics:
Attachment: (CPL extensions with one of the following filenames)
Fix_MSBlast.B_(%random digits% ) .cpl
Fix_Mydoom.F_(%random digits% ) .cpl
Fix_Bagle.AB_(%random digits% ) .cpl
Fix_Sasser.B_(%random digits% ) .cpl
Fix_NetSky.AB_(%random digits% ) .cpl
From: spoofed (using any of the following addresses):
Subject:
Escalation
Message Body:
Dear user of , %Domain Name %
We have received several abuses:
- Hundreds of infected e-Mails have been sent
from your mail account by the new Bagle.AB worm
- Spam email has been relayed by the backdoor
that the virus has created
The malicious file uses your mail account to distribute
itself. The backdoor that the worm opens allows remote attackers
to gain the control of your computer. This new worm
is spreading rapidly around the world now
and it is a serios new threat that hits users.
Due to this, we are providing you to remove the
infection on your computer and to
stop the spreading of the malware with a
special desinfection tool attached to this mail.
If you have problems with the virus removal file,
please contact our support team at %From Address %
Note that we do not accept html email messages.
%Research Team %
Attach: (any of the CPL filenames listed as above)
Where :
%Domain Name% = The domain name from harvested email addresses from files listed above.
%From Address% = The email address in the 'From' field.
%Research Team% = Can be any one of the following:
Sophos AntiVirus Research Team
Norman AntiVirus Research Team
MCAfee AntiVirus Research Team
Norton AntiVirus Research Team
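The message characteristics above (the "Escalation" subject, the fixed set of Fix_*.cpl attachment names, the abuse-report lure text and the forged research-team signature) can be turned into a simple mail-gateway check. The following is an added example written for this post, not code from McAfee or from the ELINETSA tool; the sample message is constructed, the function names are hypothetical, and the attachment pattern assumes the spaces McAfee shows around the parentheses are optional in the real filenames.

```python
import re
from dataclasses import dataclass, field

# Attachment names listed in the description: Fix_<worm>_(<digits>).cpl.
# Assumption: whitespace inside "( )" and before ".cpl" is optional.
ATTACHMENT_RE = re.compile(
    r"^Fix_(MSBlast\.B|Mydoom\.F|Bagle\.AB|Sasser\.B|NetSky\.AB)_\(\s*\d+\s*\)\s*\.cpl$",
    re.IGNORECASE,
)

# Forged signatures the worm appends to the message body.
RESEARCH_TEAMS = {
    "sophos antivirus research team",
    "norman antivirus research team",
    "mcafee antivirus research team",
    "norton antivirus research team",
}

# Distinctive phrases from the lure text (kept with the worm's own spelling).
BODY_PHRASES = [
    "we have received several abuses",
    "special desinfection tool attached to this mail",
    "we do not accept html email messages",
]


@dataclass
class Verdict:
    suspicious: bool
    indicators: list = field(default_factory=list)


def assess_message(subject, body, attachments):
    """Match one message against the W32/Netsky.ac@MM mail characteristics."""
    hits = []
    if subject.strip().lower() == "escalation":
        hits.append("subject:Escalation")
    for name in attachments:
        clean = name.strip()
        if ATTACHMENT_RE.match(clean):
            hits.append("attachment:" + clean)
        elif clean.lower().endswith(".cpl"):
            hits.append("attachment-cpl:" + clean)  # any CPL attachment is unusual
    lowered = body.lower()
    for phrase in BODY_PHRASES:
        if phrase in lowered:
            hits.append("body:" + phrase)
    lines = [ln.strip().lower() for ln in body.strip().splitlines() if ln.strip()]
    if lines and lines[-1] in RESEARCH_TEAMS:
        hits.append("signature:" + lines[-1])
    # One of the known filenames is specific enough on its own; a generic CPL
    # attachment is flagged only when the lure text is also present.
    exact_name = any(h.startswith("attachment:") for h in hits)
    generic_cpl = any(h.startswith("attachment-cpl:") for h in hits)
    suspicious = exact_name or (generic_cpl and len(hits) >= 3)
    return Verdict(suspicious=suspicious, indicators=hits)


# Constructed sample shaped like the message McAfee describes (not a real capture).
SAMPLE_BODY = """Dear user of , example.org
We have received several abuses:
- Hundreds of infected e-Mails have been sent
from your mail account by the new Bagle.AB worm
Due to this, we are providing you to remove the
infection on your computer with a
special desinfection tool attached to this mail.
Note that we do not accept html email messages.
Norton AntiVirus Research Team
"""

if __name__ == "__main__":
    v = assess_message("Escalation", SAMPLE_BODY, ["Fix_Bagle.AB_(48213).cpl"])
    print(v.suspicious, v.indicators)
```

The subject and body phrases are deliberately weak signals on their own (the text is easy to alter in a later variant), so the verdict leans on the attachment: the five filenames are unique to this variant, and a CPL attachment of any name on an inbound message is rare enough to block at the gateway regardless of the worm.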
The virus contains 2 components:
CPL file - Dropper component - (36,864 bytes)
EXE file - The actual worm itself - (18,432 bytes)
The dropper component is copied on the victim machine as COMP.CPL:
%WinDir%\COMP.CPL
The worm component is copied on the victim machine as WSERVER.EXE:
%WinDir%\WSERVER.EXE
(%WinDir% = Windows directory, such as c:\windows or c:\winnt)
The following Registry key is added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "wserver" = %WinDir%\wserver.exe
The virus avoids sending itself to addresses which contain the following strings:
iruslis
antivir
sophos
freeav
andasoftwa
skynet
messagelabs
abuse
fbi
orton
f-pro
aspersky
cafee
orman
itdefender
f-secur
avp
spam
ymantec
antivi
icrosoft
Symptoms
Outgoing DNS queries to one of the following hard-coded IP addresses:
212.44.160.8
195.185.185.195
151.189.13.35
213.191.74.19
193.189.244.205
145.253.2.171
193.141.40.42
193.193.144.12
217.5.97.137
195.20.224.234
194.25.2.130
194.25.2.129
212.185.252.136
212.185.253.70
212.185.252.73
62.155.255.16
194.25.2.134
194.25.2.133
194.25.2.132
194.25.2.131
193.193.158.10
212.7.128.165
212.7.128.162
Existence of the files and Registry keys detailed above
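The network symptom above (DNS queries sent straight to a fixed list of resolver addresses instead of the local one) is easy to pick out of perimeter firewall logs. Below is an added example for this post, not McAfee's or ELINETSA's code: it parses constructed netfilter-style log lines (sample data, not a real capture) and reports internal hosts that sent UDP/53 traffic to any of the 23 hard-coded addresses; the function names are hypothetical.

```python
import re

# The hard-coded DNS server addresses from the Symptoms section.
NETSKY_AC_DNS_SERVERS = frozenset({
    "212.44.160.8", "195.185.185.195", "151.189.13.35", "213.191.74.19",
    "193.189.244.205", "145.253.2.171", "193.141.40.42", "193.193.144.12",
    "217.5.97.137", "195.20.224.234", "194.25.2.130", "194.25.2.129",
    "212.185.252.136", "212.185.253.70", "212.185.252.73", "62.155.255.16",
    "194.25.2.134", "194.25.2.133", "194.25.2.132", "194.25.2.131",
    "193.193.158.10", "212.7.128.165", "212.7.128.162",
})

# Constructed firewall log lines in a netfilter-like key=value layout.
SAMPLE_LOG = """\
May  5 09:15:01 gw kernel: OUT=eth0 SRC=10.1.2.34 DST=212.44.160.8 PROTO=UDP SPT=1044 DPT=53
May  5 09:15:02 gw kernel: OUT=eth0 SRC=10.1.2.34 DST=10.1.0.1 PROTO=UDP SPT=1045 DPT=53
May  5 09:15:03 gw kernel: OUT=eth0 SRC=10.1.2.57 DST=194.25.2.130 PROTO=UDP SPT=1103 DPT=53
May  5 09:15:04 gw kernel: OUT=eth0 SRC=10.1.2.57 DST=194.25.2.130 PROTO=TCP SPT=1104 DPT=80
May  5 09:15:05 gw kernel: OUT=eth0 SRC=10.1.2.34 DST=213.191.74.19 PROTO=UDP SPT=1046 DPT=53
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Extract SRC/DST/PROTO/DPT from one log line; None if any is missing."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"} <= fields.keys():
        return None
    return fields


def find_netsky_dns_activity(log_text, approved_resolvers=frozenset()):
    """Map each internal source host to the hard-coded DNS servers it queried.

    approved_resolvers lists addresses from the set that the site legitimately
    uses, so that normal lookups through them are not reported.
    """
    hits = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["PROTO"] != "UDP" or f["DPT"] != "53":
            continue  # only DNS-over-UDP traffic is of interest here
        dst = f["DST"]
        if dst in NETSKY_AC_DNS_SERVERS and dst not in approved_resolvers:
            hits.setdefault(f["SRC"], set()).add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, servers in find_netsky_dns_activity(SAMPLE_LOG).items():
        print(f"{src} queried hard-coded worm resolvers: {', '.join(servers)}")
```

The addresses are public resolvers, so a single query to one of them is not proof of infection; a workstation that bypasses the internal DNS server and talks to several of them in a short window is the pattern worth following up, ideally by then checking that host for the COMP.CPL and WSERVER.EXE files and the "wserver" Run key listed above.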
Method Of Infection
This worm spreads by email, constructing messages using its own SMTP engine.
__________________________________________
regards
ms, 05-05-2004