Virus Name: W32/Netsky.u@MM
Risk Assessment
Corporate User: Low
Home User: Low
Virus Information
Discovery Date: 04/07/2004
Origin: Unknown
Length: 18,432 bytes
Type: Virus
SubType: E-mail
Minimum DAT: 4350
DAT Release Date: 04/08/2004
Minimum Engine: 4.2.40
Description Added: 04/07/2004
Description Modified: 04/07/2004 3:43 PM (PT)
Virus Characteristics:
This variant of W32/Netsky is very similar to W32/Netsky.t@MM. It bears the following characteristics:
constructs messages using its own SMTP engine
harvests email addresses from the victim machine
spoofs the From: address of messages
opens a port on the victim machine (TCP 6789)
delivers a DoS attack on certain web sites upon a specific date condition
Mail Propagation
Email addresses are harvested from the victim machine. Files with the following extensions are searched:
.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wsh
.wab
.xls
.xml
Constructed messages bear the following characteristics:
From: This is spoofed (using harvested email addresses)
Subject: Taken from the following list
Reply
Again
It's me
Hey
Hello
Hi
Re: Hello
Re: Hi
Body: Various message bodies may be constructed using a pool of strings within the worm. (some letters have been omitted, replaced with *)
Oh, I got it!
To less characters! Take it easy...
I noticed your password for administrative purpuses.
Yet another password! Need a better one?
Oh... your password!
Need a better password? my advice....
Your pwd is critical, too short, to low!
Do not use personal information for your password!
Your password on a website?
Passwordlist? yours?
I needed only 2 hours to get your password.
Change your password! I have stolen some text, excuse me!
Dictionary attacks are good. Your password not!
I used the brute-force method to get your password..
Take it easy... Your password is too short.
I 've got your password! take it easy...
Hey, easy passwords!
Oh! Excuse me, your password is too easy!!!
Not with me!
Here is a sample of your private documents I have stolen!
Your privacy! lol, youre not protected!
Needed? No, here I give it back!
I believe from the document you are a child!
Check your document, errors are there!
Please, please, Give me another sexy document about you!
Short and good, your document!
Jooooooooo.... document? Yours????? Wehaaa!
I do not accept documents from bad guys!
I do not want your document!
Go to hell an burn with your bad document!
I will send your list to the police!!!!
Hello, here.
It's the truth, your document not!!!
Could I have more texts about you?
Thus is enough. Stop sending your s***** documents!!!
One, two three, more, I have many questions to you document!
Nice, nice, more and more? do you?
Should I believe it? No, however, your story is bad.
Oh.....puh, your story is very strong!
Yours is very nice!
Do you have more of that?
Hey ya, nice document. Do you have more?
Abou you?
Sexy pic abou you?
Do you have a digicam to make your private photos?
More naked...your body is sexy!
Naked, you?
Are you naked?
More private photos of you? no!
Private photos...mmmhh. I like it. Post me more please!
Hey, naked one!
Hey, have you ever seen your photo?
Eat my s***! Your photo is bad.
Do not distribute your naked photos!
Uhaaa! naked... are you cranky?
Your are naked? Tell me more...please!
Hey, private or private..naked?
Pah!...take your private photo, naked and so, and go away.
I have sent your private photo to the police.
What is when I show your private illegal photo the police?
You? Very funny! More available?
I don't want to see your photo!
S***... your photo! naked?
Attachment: The attachment arrives as a .PIF file. The first part of the filename is constructed from one of the following strings:
morepasswords
cracked_password
easypassword
yourpassword
password
passwords
pwd_list
your_password
your_pwd
yourspwd
pwd
password02
pwds04
pass01
correct_pass
listed
detailed
approvdoc
doc_ed
morestory
abuses
story
letter
sexydocument
doc
yetanotherdocument
trieddocument
posteddocument
abusedocument
illegaldocument
doc04
shortdoc
details
alldoc
document_part
anotherdocument
document3
founddocument
your_doc04
onedocument
mydocument
yourdocument
yourdoc
document
photo03
your_photo
private_pic
private_photo
about_you
your_bad_photo
xxx_yours_naked
your_private_document
private
yourpic
yournakedpic
pic04
yours
yourimage
yourphoto
yoursnaked
yours_naked
img05
not_permitted
yours_naked_img
yours_funny
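The message traits listed above (fixed Subject list, .PIF attachment, filename built from one of the stems) are enough for a mail gateway to recognise this worm's messages before they reach a mailbox. The following is an added example written for this page; it is not McAfee's code or the worm's. It uses only the Subject and filename strings given in the description, parses messages with Python's standard `email` package, and the sample messages it builds at the bottom are constructed for the demo (the sender address is a stand-in for the harvested, spoofed From: address).

```python
"""Mail-gateway check for the W32/Netsky.u@MM message pattern.

Added example, not McAfee's code or the worm's. It matches only on the
traits the description above lists: a Subject from the worm's fixed
list and a .PIF attachment whose filename starts with one of the
worm's filename stems. The messages at the bottom are constructed.
"""
import email
from email import policy
from email.message import EmailMessage

# Subject lines exactly as listed in the description.
SUBJECTS = {"Reply", "Again", "It's me", "Hey", "Hello", "Hi", "Re: Hello", "Re: Hi"}

# Filename stems from the description; the worm appends to them, so we
# test with startswith rather than equality.
ATTACHMENT_STEMS = (
    "morepasswords", "cracked_password", "easypassword", "yourpassword",
    "password", "passwords", "pwd_list", "your_password", "your_pwd",
    "yourspwd", "pwd", "password02", "pwds04", "pass01", "correct_pass",
    "listed", "detailed", "approvdoc", "doc_ed", "morestory", "abuses",
    "story", "letter", "sexydocument", "doc", "yetanotherdocument",
    "trieddocument", "posteddocument", "abusedocument", "illegaldocument",
    "doc04", "shortdoc", "details", "alldoc", "document_part",
    "anotherdocument", "document3", "founddocument", "your_doc04",
    "onedocument", "mydocument", "yourdocument", "yourdoc", "document",
    "photo03", "your_photo", "private_pic", "private_photo", "about_you",
    "your_bad_photo", "xxx_yours_naked", "your_private_document", "private",
    "yourpic", "yournakedpic", "pic04", "yours", "yourimage", "yourphoto",
    "yoursnaked", "yours_naked", "img05", "not_permitted", "yours_naked_img",
    "yours_funny",
)


def parse_message(raw: str):
    """Parse an RFC 5322 message as a gateway would receive it."""
    return email.message_from_string(raw, policy=policy.default)


def attachment_names(msg):
    """Return the filenames of all non-container MIME parts."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def looks_like_netsky_u(msg) -> bool:
    """True when both the Subject and a .PIF attachment name match the
    worm's lists. Requiring both keeps generic stems such as "doc" or
    "letter" from firing on ordinary mail."""
    subject = str(msg.get("Subject", "")).strip()
    if subject not in SUBJECTS:
        return False
    for name in attachment_names(msg):
        stem, _, ext = name.rpartition(".")
        if ext.lower() == "pif" and stem.lower().startswith(ATTACHMENT_STEMS):
            return True
    return False


def scan_raw_message(raw: str) -> bool:
    return looks_like_netsky_u(parse_message(raw))


def build_sample(subject: str, attachment: str) -> str:
    """Constructed test message; the From: address stands in for the
    harvested, spoofed sender the worm uses."""
    msg = EmailMessage()
    msg["From"] = "harvested.user@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Oh... your password!")
    msg.add_attachment(b"\x00not a real file", maintype="application",
                       subtype="octet-stream", filename=attachment)
    return msg.as_string()


if __name__ == "__main__":
    for subj, att in [("Hello", "yourpassword.pif"), ("Re: Hi", "document_part2.PIF"),
                      ("Hello", "report.pdf"), ("Quarterly figures", "password.pif")]:
        print(f"{subj!r:22} {att!r:24} -> {scan_raw_message(build_sample(subj, att))}")
```

Several stems ("doc", "story", "letter", "private", "yours") are ordinary words, which is why the check insists on a matching Subject as well as the stem; on a gateway that already rejects .PIF attachments outright, the Subject and stem match is still useful as the label that tells the mail administrator which worm was blocked.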
Denial of Service
If the local system date is between April 14th and April 23rd when the worm starts up, it targets the following remote servers in a denial of service attack:
System Changes
The worm installs itself on the victim machine as SYMAV.EXE in the Windows directory:
%WinDir%\SymAV.EXE
The following Registry key is added to hook system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "SymAV" = %WinDir%\SymAV.EXE
A base-64 encoded copy of the worm is saved to disk as F***_YOU_BAGLE.TXT (letters omitted, replaced with *) in the Windows directory:
%WinDir%\f***_you_bagle.txt
Remote Access Component
The worm opens port 6789 (TCP) on the victim machine. This facilitates the downloading and execution of files.
Symptoms
Outgoing DNS query to one of the following DNS servers (IP list carried within the worm):
212.44.160.8
195.185.185.195
151.189.13.35
213.191.74.19
193.189.244.205
145.253.2.171
193.141.40.42
194.25.2.134
194.25.2.133
194.25.2.132
194.25.2.131
193.193.158.10
212.7.128.165
212.7.128.162
193.193.144.12
217.5.97.137
195.20.224.234
194.25.2.130
194.25.2.129
212.185.252.136
212.185.253.70
212.185.252.73
Existence of the files/Registry keys detailed above
TCP port 6789 open on the victim machine
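The symptoms above (queries to the worm's built-in resolver list, the SymAV file and Run value, a listener on TCP 6789) can be checked from host and network data. The following is an added example written for this page, not McAfee's code: it evaluates each indicator against constructed sample data. The firewall-log and netstat line layouts it parses are assumptions made for the demo, not any vendor's format, and the sample host, resolver and Run-key values are constructed.

```python
"""Host and network indicator checks for W32/Netsky.u@MM.

Added example, not McAfee's code. It evaluates the indicators listed
under Symptoms and System Changes (resolver IP list, TCP 6789 listener,
SymAV Run value and file) against constructed sample data. The firewall
and netstat line formats are assumptions made for this demo, not any
vendor's format.
"""
import re

# Resolver addresses carried inside the worm, as listed under Symptoms.
NETSKY_DNS_SERVERS = {
    "212.44.160.8", "195.185.185.195", "151.189.13.35", "213.191.74.19",
    "193.189.244.205", "145.253.2.171", "193.141.40.42", "194.25.2.134",
    "194.25.2.133", "194.25.2.132", "194.25.2.131", "193.193.158.10",
    "212.7.128.165", "212.7.128.162", "193.193.144.12", "217.5.97.137",
    "195.20.224.234", "194.25.2.130", "194.25.2.129", "212.185.252.136",
    "212.185.253.70", "212.185.252.73",
}
WORM_PORT = "6789"
WORM_RUN_VALUE = "symav"
WORM_FILE = "symav.exe"

# Assumed firewall log layout: date time action proto src dst dport
FW_LINE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) (?P<proto>TCP|UDP) (?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<dport>\d+)$"
)
# Assumed "netstat -an" style socket line.
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\w+)")


def dns_queries_to_worm_list(fw_lines, configured_resolvers):
    """Return (src, dst) pairs for port-53 traffic to an address on the
    worm's list. The worm carries its own resolver list instead of using
    the host's, so a query to one of these from a host that is not
    configured to use it is the signal; the host's own resolvers are
    excluded so legitimate lookups are not flagged."""
    hits = []
    for line in fw_lines:
        m = FW_LINE.match(line.strip())
        if not m or m["dport"] != "53":
            continue
        if m["dst"] in NETSKY_DNS_SERVERS and m["dst"] not in configured_resolvers:
            hits.append((m["src"], m["dst"]))
    return hits


def listening_on_worm_port(netstat_lines):
    """True if any TCP socket is in LISTENING state on port 6789."""
    for line in netstat_lines:
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        _, _, port = m["local"].rpartition(":")
        if port == WORM_PORT and m["state"].upper() == "LISTENING":
            return True
    return False


def suspicious_run_values(run_values):
    """run_values maps Run-key value names to their data. Flag the value
    named SymAV, or any value whose target file is SymAV.EXE wherever it
    lives (the description places it in %WinDir%)."""
    hits = []
    for name, data in run_values.items():
        target = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name.lower() == WORM_RUN_VALUE or target == WORM_FILE:
            hits.append(name)
    return hits


# Constructed sample data.
SAMPLE_FW_LOG = [
    "2004-04-14 09:12:01 ALLOW UDP 10.0.0.21 10.0.0.53 53",      # host's own resolver
    "2004-04-14 09:12:05 ALLOW UDP 10.0.0.21 212.44.160.8 53",   # worm-list resolver
    "2004-04-14 09:12:06 ALLOW TCP 10.0.0.21 192.0.2.10 80",     # unrelated web traffic
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:6789           0.0.0.0:0              LISTENING",
    "  TCP    10.0.0.21:1045         192.0.2.10:80          ESTABLISHED",
    "  UDP    0.0.0.0:137            *:*",
]
SAMPLE_RUN_VALUES = {
    "SymAV": r"C:\WINDOWS\SymAV.EXE",
    "ExampleUpdater": r"C:\Program Files\Example\updater.exe",
}

if __name__ == "__main__":
    print(dns_queries_to_worm_list(SAMPLE_FW_LOG, {"10.0.0.53"}))
    print(listening_on_worm_port(SAMPLE_NETSTAT))
    print(suspicious_run_values(SAMPLE_RUN_VALUES))
```

The DNS check takes the host's configured resolvers as a parameter because the distinguishing behaviour is not the destination address by itself but a host talking to a resolver it was never configured to use; the Run-key check matches on the target filename as well as the value name, since the description fixes the file name but the value name is the easier of the two to change in a variant.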
For this one the ELINETSA v 2.8 utility has been made, which will be uploaded to this website as soon as the DNS servers have replicated with the new zonavirus URL.
regards
ms, 14-04-2004