by msc hotline sat » 06 Apr 2004, 13:24
A new variant of NetSky has been classified by McAfee as S, and is controlled from DATS 4348 of 7-04-2004, although it can already be controlled with today's DAILYDATS (continuous daily DATS)
__________________________________________
Internet Worm Name: W32/Netsky.t@MM
Risk Assessment: Corporate User: Low; Home User: Low

Internet Worm Information
Discovery Date: 04/06/2004
Origin: Unknown
Length: 18,432 bytes (UPX packed)
Type: Internet Worm
SubType: E-mail worm
Minimum DAT: 4348
Release Date: 04/07/2004
Minimum Engine: 4.2.40
Description Added: 04/06/2004
Description Modified: 04/06/2004 2:15 AM (PT)
Internet Worm Characteristics:  
This variant of W32/Netsky is very similar to W32/Netsky.s@MM . It bears the following characteristics:
constructs messages using its own SMTP engine 
harvests email addresses from the victim machine 
spoofs the From: address of messages 
opens a port on the victim machine (TCP 6789) 
delivers a DoS attack on certain web sites upon a specific date condition 
The EXTRA.DAT posted for W32/Netsky.s@MM will detect this threat as virus or variant W32/Netsky.s@MM (with the scanning of compressed files enabled).
System Changes 
Just like its predecessor, the worm installs itself on the victim machine as EASYAV.EXE in the Windows directory. For example:
%WinDir%\EASYAV.EXE 
The following Registry key is added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "EasyAV" = %WinDir%\EASYAV.EXE
A base-64 encoded copy of the worm is saved to disk as UINMZERTINMDS.OPM in the Windows directory:
%WinDir%\UINMZERTINMDS.OPM 
Remote Access Component 
The worm opens port 6789 (TCP) on the victim machine. This facilitates the downloading and execution of files.
Symptoms  
Outgoing DNS query to one of the following DNS servers (IP list carried within the worm): 
Existence of the files/Registry keys detailed above 
TCP port 6789 open on the victim machine 
Method Of Infection  
This worm spreads by email, constructing messages using its own SMTP engine.
Removal Instructions  
Detection is included in our DAILY DAT (beta) files and will also be included in the next weekly DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.
 
__________________________________________
available from:
http://vil.nai.com/vil/content/v_101161.htm
regards
ms, 06-04-2004
Last edited by msc hotline sat on 06 Apr 2004, 18:11, edited 1 time in total.
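As an added illustration (not part of the post or of McAfee's description), a small Python check that tests a host artefact snapshot against the symptoms listed above: the dropped files in %WinDir%, the EasyAV Run value, and TCP 6789 listening. The snapshot data is constructed, and the function and variable names are my own assumptions.

```python
import re

# Indicators quoted from the McAfee description above; the names below are my own.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
DROPPED_FILES = ("EASYAV.EXE", "UINMZERTINMDS.OPM")   # both written to %WinDir%
RUN_VALUE_NAME = "EasyAV"
BACKDOOR_PORT = 6789                                  # remote access component, TCP


def expand_windir(path, windir=r"C:\WINDOWS"):
    """Expand %WinDir% and lower-case so advisory paths compare equal to snapshot paths."""
    return re.sub(r"%windir%", lambda _m: windir, path, flags=re.IGNORECASE).lower()


def check_snapshot(files, run_values, listeners, windir=r"C:\WINDOWS"):
    """Return the advisory symptoms found in a host snapshot.

    files:      absolute paths present on disk
    run_values: {value name: command} read from RUN_KEY
    listeners:  (proto, local_port, state) tuples as netstat would report them
    """
    hits = []
    present = {expand_windir(p, windir) for p in files}
    for name in DROPPED_FILES:
        if expand_windir(f"%WinDir%\\{name}", windir) in present:
            hits.append(f"file %WinDir%\\{name} present")
    for value, cmd in run_values.items():
        # Match either the value name the worm uses or any command pointing at EASYAV.EXE.
        if value.lower() == RUN_VALUE_NAME.lower() or expand_windir(cmd, windir).endswith("\\easyav.exe"):
            hits.append(f"{RUN_KEY} value {value!r} = {cmd}")
    for proto, port, state in listeners:
        if proto.upper() == "TCP" and int(port) == BACKDOOR_PORT and state.upper() == "LISTENING":
            hits.append(f"TCP port {BACKDOOR_PORT} open on the victim machine")
    return hits


# Constructed snapshot of an infected host (sample data, not taken from a real system).
SAMPLE_FILES = [r"C:\WINDOWS\easyav.exe", r"C:\WINDOWS\UINMZERTINMDS.OPM", r"C:\WINDOWS\notepad.exe"]
SAMPLE_RUN = {"EasyAV": r"%WinDir%\EASYAV.EXE", "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_LISTENERS = [("TCP", 135, "LISTENING"), ("TCP", 6789, "LISTENING"), ("UDP", 6789, "")]


def scan_sample():
    """Run the check over the constructed snapshot; returns the list of matched symptoms."""
    return check_snapshot(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_LISTENERS)


if __name__ == "__main__":
    for hit in scan_sample():
        print("symptom:", hit)
```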
by msc hotline sat » 06 Apr 2004, 17:59
Its propagation having increased, judging by the incidents received, McAfee is issuing a special alert for this variant, which, besides being controlled with the upcoming DATS 4348, can be controlled by adding the EXTRA.DAT file detailed below to the McAfee antivirus DAT files folder:
__________________________________________
__________________________________________
As always, select the script indicated between the lines, copy and paste it into Notepad and save it as EXTRA.DAT, then add it to the DATS folder.
Regards
ms, 06-04-2004