__________________________________________
Internet Worm Name: W32/Netsky.t@MM
Risk Assessment: Corporate User: Low; Home User: Low
Internet Worm Information
Discovery Date: 04/06/2004
Origin: Unknown
Length: 18,432 bytes (UPX packed)
Type: Internet Worm
SubType: E-mail worm
Minimum DAT: 4348
DAT Release Date: 04/07/2004
Minimum Engine: 4.2.40
Description Added: 04/06/2004
Description Modified: 04/06/2004 2:15 AM (PT)
Internet Worm Characteristics:
This variant of W32/Netsky is very similar to W32/Netsky.s@MM . It bears the following characteristics:
constructs messages using its own SMTP engine
harvests email addresses from the victim machine
spoofs the From: address of messages
opens a port on the victim machine (TCP 6789)
delivers a DoS attack on certain web sites upon a specific date condition
The EXTRA.DAT posted for W32/Netsky.s@MM detects this threat as "virus or variant W32/Netsky.s@MM", provided scanning of compressed files is enabled (the sample is UPX packed).
System Changes
Just like its predecessor, the worm installs itself on the victim machine as EASYAV.EXE in the Windows directory. For example:
%WinDir%\EASYAV.EXE
The following Registry key is added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "EasyAV" = %WinDir%\EASYAV.EXE
A base-64 encoded copy of the worm is saved to disk as UINMZERTINMDS.OPM in the Windows directory:
%WinDir%\UINMZERTINMDS.OPM
Remote Access Component
The worm opens port 6789 (TCP) on the victim machine and listens for inbound connections. This allows a remote party to download and execute files on the victim.
Symptoms
Outgoing DNS query to one of the following DNS servers (IP list carried within the worm):
212.44.160.8
195.185.185.195
151.189.13.35
213.191.74.19
193.189.244.205
145.253.2.171
193.141.40.42
194.25.2.134
194.25.2.133
194.25.2.132
194.25.2.131
193.193.158.10
212.7.128.165
212.7.128.162
193.193.144.12
217.5.97.137
195.20.224.234
194.25.2.130
194.25.2.129
212.185.252.136
212.185.253.70
212.185.252.73
Existence of the files/Registry keys detailed above
TCP port 6789 open on the victim machine
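The following is an added triage example, not part of the original advisory, that turns the System Changes and Symptoms sections above into checks: it scans flow log lines for DNS queries to the worm's hard-coded name server list, inbound connections to TCP 6789, and hosts talking SMTP directly (the worm carries its own SMTP engine), and it matches a host's Run key and %WinDir% listing against the file and Registry indicators. The flow record format, the mail relay allowlist, and all sample data are constructed assumptions for the example; a hit on the DNS list alone is a lead, not proof, because those addresses are third-party name servers that a host could query for legitimate reasons, so correlate with the host artefacts before acting.

```python
"""Added example (not from the original advisory): triage flow log lines and
host artefacts against the W32/Netsky.t@MM indicators listed above.
Assumed flow format: '<ts> <src>:<sport> -> <dst>:<dport> <proto>'.
"""
import re
from dataclasses import dataclass

# DNS server list carried inside the worm (copied from the Symptoms section).
NETSKY_T_DNS_SERVERS = frozenset({
    "212.44.160.8", "195.185.185.195", "151.189.13.35", "213.191.74.19",
    "193.189.244.205", "145.253.2.171", "193.141.40.42", "194.25.2.134",
    "194.25.2.133", "194.25.2.132", "194.25.2.131", "193.193.158.10",
    "212.7.128.165", "212.7.128.162", "193.193.144.12", "217.5.97.137",
    "195.20.224.234", "194.25.2.130", "194.25.2.129", "212.185.252.136",
    "212.185.253.70", "212.185.252.73",
})
BACKDOOR_PORT = 6789   # TCP port opened by the remote access component
RUN_VALUE = "EasyAV"   # value added under HKLM\...\CurrentVersion\Run
WINDIR_FILES = frozenset({"EASYAV.EXE", "UINMZERTINMDS.OPM"})

# Constructed, simplified flow record format (an assumption of this example).
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>tcp|udp)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    host: str    # internal host the finding points at
    reason: str  # short tag naming the matched symptom
    line: str    # log line that produced it


def triage_flows(lines, mail_relays=frozenset()):
    """Return a Finding for every flow record matching a network symptom.

    mail_relays is an assumed allowlist of hosts permitted to speak SMTP
    directly; any other host opening tcp/25 is flagged because the worm
    sends mail with its own SMTP engine instead of the corporate relay.
    """
    findings = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue  # not a flow record, skip it
        src, dst = m["src"], m["dst"]
        dport, proto = int(m["dport"]), m["proto"].lower()
        if proto == "udp" and dport == 53 and dst in NETSKY_T_DNS_SERVERS:
            findings.append(Finding(src, "dns-to-worm-resolver", line))
        if proto == "tcp" and dport == BACKDOOR_PORT:
            # Inbound connection to the backdoor: the victim is the destination.
            findings.append(Finding(dst, "inbound-tcp-6789", line))
        if proto == "tcp" and dport == 25 and src not in mail_relays:
            findings.append(Finding(src, "direct-smtp", line))
    return findings


def suspect_hosts(findings):
    """Sorted list of hosts with at least one network finding."""
    return sorted({f.host for f in findings})


def host_artifacts_present(run_values, windir_listing):
    """Return the file/Registry indicators found on one host.

    run_values: mapping of value name -> data from the HKLM Run key.
    windir_listing: file names found in %WinDir% (matched case-insensitively,
    as Windows file names are).
    """
    hits = []
    if RUN_VALUE.lower() in {name.lower() for name in run_values}:
        hits.append("Run\\" + RUN_VALUE)
    present = {name.upper() for name in windir_listing}
    hits.extend(sorted(WINDIR_FILES & present))
    return hits


# Constructed sample data for the example; not a real capture.
SAMPLE_FLOWS = """\
2004-04-06T08:00:01 10.0.0.15:3456 -> 194.25.2.129:53 udp
2004-04-06T08:00:02 10.0.0.15:3457 -> 10.0.0.1:53 udp
2004-04-06T08:00:05 10.0.0.15:3458 -> 192.0.2.25:25 tcp
2004-04-06T08:01:10 198.51.100.7:44123 -> 10.0.0.15:6789 tcp
2004-04-06T08:02:00 10.0.0.20:3459 -> 10.0.0.1:53 udp
2004-04-06T08:02:01 10.0.0.5:2500 -> 192.0.2.25:25 tcp
this line is not a flow record
""".splitlines()
SAMPLE_RUN_KEY = {"EasyAV": r"C:\WINDOWS\EASYAV.EXE"}
SAMPLE_WINDIR = ["explorer.exe", "EasyAV.exe", "uinmzertinmds.opm", "win.ini"]

if __name__ == "__main__":
    found = triage_flows(SAMPLE_FLOWS, mail_relays={"10.0.0.5"})
    for f in found:
        print(f"{f.host:14} {f.reason:22} {f.line}")
    print("suspect hosts:", suspect_hosts(found))
    print("host artefacts on 10.0.0.15:",
          host_artifacts_present(SAMPLE_RUN_KEY, SAMPLE_WINDIR))
```

Only 10.0.0.15 is flagged in the sample: it queried one of the worm's resolvers, sent mail directly to a remote tcp/25, and received an inbound connection on tcp/6789, and the host check then confirms the EasyAV Run value and both files. 10.0.0.5 talks SMTP too but is on the relay allowlist, so it produces no finding.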
Method Of Infection
This worm spreads by email, constructing messages using its own SMTP engine.
__________________________________________
Access link:
Regards
ms, 06-04-2004