Details
I-Worm.NetSky.ac
This worm spreads via the Internet as an attachment to infected messages, and via shared network resources. The worm itself is a Windows PE EXE file, 17920 bytes in size, packed using PE-Patch. The unpacked file is approximately 1.5MB in size. It is written in Microsoft Visual C.
Characteristics of infected messages:
Message header (chosen at random from the following):
Question
Letter
Picture
More samples
Only love?
Funny
Numbers
Found
Stolen
Money
Letter
Text
Pictures
Criminal
Wow
Password
Privacy
Hurts
Correction
Message body (chosen at random from the following):
Does it hurt you?
Do you have written the letter?
Do you have more photos about you?
Do you have more samples?
Wow! Why are you so shy?
You have no chanceall
Are your numbers correct?
I’ve found your creditcard. Check the data!
Do you have asked me?
Do you have no money?
True love letter?
The text you sent to me is not so good!
Your pictures are good!
Hey, are you criminal?
Why do you show your body?
I’ve your password. Take it easy!
Still?
How can I help you?
Please use the font arial!
Attachment name (chosen at random from the following):
your_picture.pif
your_letter_03.pif
all_pictures.pif
your_picture.pif
loveletter02.pif
your_text.pif
pin_tel.pif
visa_data.pif
my_stolen_document.pif
your_bill.pif
your_letter.pif
your_text01.pif
your_picture01.pif
myabuselist.pif
image034.pif
passwords02.pif
document1.pif
hurts.pif
corrected_doc.pif
The worm is only activated if the user launches the infected file by double-clicking the attachment. The worm then installs itself on the system and starts propagating.
Mass mailing
The worm uses a direct connection to the SMTP-server to send messages.
Installation
When installing, the worm copies itself to the Windows directory under the name csrss.exe and registers this file in the system registry auto-run key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BagleAV
thus attempting to disguise itself as an antivirus working against Bagle.
Other
The worm attempts to delete registry keys created by I-Worm.Bagle.y.
This entry was posted on Friday, December 22nd, 2006 at 8:00 pm and is filed under Virus Threats.
Details
I-Worm.NetSky.aa
This worm spreads via the Internet as an attachment to infected emails.
It possesses a backdoor function, and is capable of conducting DoS attacks on Internet sites.
The worm itself is a PE EXE file of approximately 20KB, packed using UPX.
Installation
The worm copies itself to the Windows directory under the name Jammer2nd.exe, and registers this file in the system registry auto-run key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Jammer2nd"="%windir%\jammer2nd.exe"
It also creates files named PK_ZIP_ALG.LOG and PK_ZIP.LOG in the Windows directory.
These files are copies of the worm in UUE format and in a ZIP archive.
The worm creates the mutex (S)(k)(y)(N)(e)(t) to flag its presence in the system.
Propagation via email
The worm searches all accessible network disks for files with the following extensions:
adb
asp
cfg
cgi
dbx
dhtm
doc
eml
htm
html
jsp
mbx
mdx
mht
mmf
msg
nch
ods
oft
php
pl
ppt
rtf
sht
shtm
stm
tbb
txt
uin
vbs
wab
wsh
xls
and harvests email addresses from them, sending a copy of itself to every address found. The worm uses its own SMTP library to send messages, connecting directly to the mail server that receives the infected messages.
Characteristics of infected messages
Infected messages are generated randomly from the following:
Sender’s address
Chosen at random from addresses found on the victim machine.
Message header (chosen at random from the list below)
Hello
Hi
Important
Important bill!
Important data!
Important details!
Important document!
Important informations!
Important notice!
Important textfile!
Important!
Information
Attachment name (chosen at random from the list below)
Bill.zip
Data.zip
Details.zip
Important.zip
Informations.zip
Notice.zip
Part-2.zip
Textfile.zip
Attached archive files will have a name from the list below
Bill.txt.exe
Data.txt.exe
Details.txt.exe
Important.txt.exe
Informations.txt.exe
Notice.txt.exe
Part-2.txt.exe
Textfile.txt.exe
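As an added example (not part of the original entries), a mail-gateway triage rule in Python that checks a message against the subject and attachment names listed for both NetSky.ac and NetSky.aa above, plus the .pif and .txt.exe naming traits the two variants share; the sample message builder and its addresses are constructed for testing, not captured worm traffic.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines and attachment names listed for NetSky.ac and NetSky.aa above.
NETSKY_SUBJECTS = {
    "Question", "Letter", "Picture", "More samples", "Only love?", "Funny",
    "Numbers", "Found", "Stolen", "Money", "Text", "Pictures", "Criminal", "Wow",
    "Password", "Privacy", "Hurts", "Correction", "Hello", "Hi", "Important",
    "Important bill!", "Important data!", "Important details!",
    "Important document!", "Important informations!", "Important notice!",
    "Important textfile!", "Important!", "Information",
}
NETSKY_ATTACHMENTS = {
    "your_picture.pif", "your_letter_03.pif", "all_pictures.pif", "loveletter02.pif",
    "your_text.pif", "pin_tel.pif", "visa_data.pif", "my_stolen_document.pif",
    "your_bill.pif", "your_letter.pif", "your_text01.pif", "your_picture01.pif",
    "myabuselist.pif", "image034.pif", "passwords02.pif", "document1.pif",
    "hurts.pif", "corrected_doc.pif", "Bill.zip", "Data.zip", "Details.zip",
    "Important.zip", "Informations.zip", "Notice.zip", "Part-2.zip", "Textfile.zip",
}

def triage(raw: bytes) -> dict:
    """Return the NetSky indicators matched by one raw message (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {}
    subject = str(msg["Subject"] or "").strip()
    if subject in NETSKY_SUBJECTS:
        hits["subject"] = subject
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name in NETSKY_ATTACHMENTS:
            hits["attachment"] = name
        # Generic traits of both variants: .pif executables and .txt.exe names
        # (NetSky.aa ships the latter inside .zip; this rule does not open archives).
        elif name.lower().endswith((".pif", ".txt.exe")):
            hits["suspicious_extension"] = name
    return hits

def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message (not captured worm traffic) with one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"   # constructed addresses
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("Do you have more samples?")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()
```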
Other
The worm opens TCP port 665 on the victim machine to receive arbitrary files and execute them.
Depending on the date set on the system clock, the worm may conduct DoS attacks on the following sites:
www.educa.ch
www.medinfo.ufl.edu
www.nibis.de
This entry was posted on Friday, December 22nd, 2006 at 6:00 pm and is filed under Virus Threats.