I-Worm.NetSky

Details
I-Worm.NetSky.y

This worm spreads via the Internet as a file attached to infected messages. It is written in Microsoft Visual C++ and packed using PE_Patch+TeLock. The packed file is 26112 bytes in size, and the unpacked file is 28160 bytes in size.
Infected messages
The lure text is chosen according to the top-level domain of the recipient's address; in each case the same localized keyword serves as the subject, appears in the body and forms the attachment name:
Sender’s address:
hukanmikloiuo@yahoo.com
Domain “.tc”:
Message header:
Re: belge
Message body
mutlu etmek okumak belgili tanimlik belge.
Attachment name
belge.pif
Domain “.se”:
Message header
Re: dokumenten
Message body
Behaga läsa dokumenten.
Attachment name
dokumenten.pif
Domain “.fi”:
Message header
Re: dokumentoida
Message body
Haluta kuulua dokumentoida.
Attachment name
dokumentoida.pif
Domain “.pl”:
Message header
Re: udokumentowac
Message body
Podobac sie przeczytac ten udokumentowac.
Attachment name
udokumentowac.pif
Domain “.no”:
Message header
Re: dokumentet
Message body
Behage lese dokumentet.
Attachment name
dokumentet.pif
Domain “.pt”:
Message header
Re: original
Message body
Leia por favor o original.
Attachment name
original.pif
Domain “.it”:
Message header
Re: documento
Message body
Legga prego il documento.
Attachment name
documento.pif
Domain “.fr”:
Message header
Re: document
Message body
Veuillez lire le document.
Attachment name
document.pif
Domain “.de”:
Message header
Re: dokument
Message body
Bitte lesen Sie das Dokument.
Attachment name
dokument.pif
Other Domains:
Message header
Re: document
Message body
Please read the document.
Attachment name
document.pif
The worm is activated only if the user launches the infected file by double-clicking the attachment. The worm then installs itself on the system and starts propagating.
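As an added example (not code from the original description or from any vendor), here is how a mail filter could recognise this localized lure. The worm's choice is keyed on the recipient's top-level domain, and in every entry of the table the word after "Re: " is reused both inside the body and as the attachment stem, so the second check below also catches a lure in a language the table does not list. The table and the sender address are copied from the description above; the sample messages are constructed, and the decision rule (a .pif attachment plus at least one further trait) is the editor's assumption, not logic taken from the worm or from a product.

```python
import re

# Lure table copied from the NetSky.y description above: recipient TLD -> (subject, body, attachment).
NETSKY_Y_LURES = {
    "tc": ("Re: belge", "mutlu etmek okumak belgili tanimlik belge.", "belge.pif"),
    "se": ("Re: dokumenten", "Behaga läsa dokumenten.", "dokumenten.pif"),
    "fi": ("Re: dokumentoida", "Haluta kuulua dokumentoida.", "dokumentoida.pif"),
    "pl": ("Re: udokumentowac", "Podobac sie przeczytac ten udokumentowac.", "udokumentowac.pif"),
    "no": ("Re: dokumentet", "Behage lese dokumentet.", "dokumentet.pif"),
    "pt": ("Re: original", "Leia por favor o original.", "original.pif"),
    "it": ("Re: documento", "Legga prego il documento.", "documento.pif"),
    "fr": ("Re: document", "Veuillez lire le document.", "document.pif"),
    "de": ("Re: dokument", "Bitte lesen Sie das Dokument.", "dokument.pif"),
}
DEFAULT_LURE = ("Re: document", "Please read the document.", "document.pif")
KNOWN_SENDER = "hukanmikloiuo@yahoo.com"   # sender address given in the description above


def expected_lure(recipient):
    """Pick the lure the worm would use for this recipient, keyed on the address's top-level domain."""
    tld = recipient.rsplit(".", 1)[-1].lower()
    return NETSKY_Y_LURES.get(tld, DEFAULT_LURE)


def lure_evidence(recipient, sender, subject, body, attachment):
    """Return the list of NetSky.y traits a message exhibits (empty list: nothing matched)."""
    reasons = []
    subject, body = subject.strip(), body.strip()
    att = (attachment or "").lower()
    if att.endswith(".pif"):
        reasons.append("executable .pif attachment")
    exp_subject, exp_body, exp_att = expected_lure(recipient)
    if subject == exp_subject and body == exp_body and att == exp_att:
        reasons.append("exact %s-domain lure text" % recipient.rsplit(".", 1)[-1])
    # Invariant that holds for every lure in the table and does not depend on the language:
    # the word after "Re: " is also the attachment stem and occurs in the body.
    m = re.match(r"re:\s*(\S+)$", subject, re.I)
    if m:
        word = m.group(1).lower()
        if att == word + ".pif" and word in body.lower():
            reasons.append("subject keyword reused as body keyword and attachment stem")
    if sender.lower() == KNOWN_SENDER:
        reasons.append("sender address used by the worm")
    return reasons


def is_netsky_y(recipient, sender, subject, body, attachment):
    """Flag when the attachment is a .pif and at least one lure trait backs it up (editor's rule)."""
    reasons = lure_evidence(recipient, sender, subject, body, attachment)
    return "executable .pif attachment" in reasons and len(reasons) >= 2


# Constructed sample messages (recipient, sender, subject, body, attachment); not captured traffic.
SAMPLES = [
    ("anna@example.de", KNOWN_SENDER, "Re: dokument", "Bitte lesen Sie das Dokument.", "dokument.pif"),
    ("bob@example.com", "ceo@corp.example", "Re: document", "Please read the document.", "document.pif"),
    ("lisa@example.fr", "pierre@example.fr", "Re: document", "Veuillez lire le document, merci.", "contrat.docx"),
    # Same structure in a language the table does not cover: caught by the invariant, not the table.
    ("kees@example.nl", "x@example.net", "Re: bestand", "Lees het bestand.", "bestand.pif"),
]


def scan_samples():
    """Verdict for each constructed sample, in order."""
    return [is_netsky_y(*s) for s in SAMPLES]


if __name__ == "__main__":
    for sample, hit in zip(SAMPLES, scan_samples()):
        print(hit, sample[0], lure_evidence(*sample))
```

The third sample is a genuine reply with a .docx attachment and is not flagged even though its subject matches the French lure; the fourth is flagged by the structural invariant alone.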
Installation
When installing, the worm copies itself to the Windows folder under the name FirewallSvr.exe and registers this file as a value in the system registry autorun key, so that it is launched at every start-up:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"FirewallSvr"="%windir%\FirewallSvr.exe"
Mass mailing
The worm searches for files with the extensions adb, asp, dbx, doc, eml, htm, html, msg, oft, php, pl, rtf, sht, tbb, txt, uin, vbs, …, wab, harvests email addresses from them and then sends copies of itself to these addresses. It creates a file in the Windows directory called fuck_you_bagle.txt and writes its own body to this file; the file is then used to generate the infected messages.
Remote administration
The worm listens on port 82 and monitors activity on it. This backdoor allows files to be downloaded onto the victim machine.
Other
The worm is programmed to carry out DoS attacks between the 27th and 30th April on the following servers:
www.educa.ch
www.medinfo.ufl.edu
www.nibis.de

    I-Worm.Netsky

    Details
    I-Worm.Netsky.t

    This worm spreads via the Internet as an attachment to infected emails.
    The worm itself is a Windows PE EXE file of approximately 18KB, packed using UPX and written in Microsoft Visual C++.
    Characteristics of infected messages
    Message header (chosen at random from the list below)
    Approved
    Hello
    Hi
    Important
    My details
    Re: Approved
    Re: Hello
    Re: Hi
    Re: Important
    Re: My details
    Re: Request
    Re: Thanks you!
    Re: Your details
    Re: Your document
    Re: Your information
    Request
    Thank you!
    Your details
    Your document
    Your information
    Message body (chosen at random from the texts below)
    Approved, here is the document.
    For more details see the attached document.
    For more information see the attached document.
    Hello!
    Here is the “all”.
    Here is the document.
    Hi!
    I have found the “…”.
    I have sent the “…”.
    I have spent much time for the “…”.
    I have spent much time for your document.
    My “…” is attached.
    My “…”.
    Note that I have attached your document.
    Please have a look at the “…”.
    Please have a look at the attached document.
    Please notice the attached “…”.
    Please notice the attached document.
    Please read quickly.
    Please read the “…”.
    Please read the attached document.
    Please see the “…”.
    Please, “…”.
    See the document for details.
    Thank you
    Thanks
    The “…” is attached.
    The “…”.
    The requested “…” is attached!
    Your “…” is attached.
    Your “…”.
    Your file is attached to this mail.
    Yours sincerely
    The worm inserts a string chosen at random from the list below between the quotation marks (the misspellings are the worm's own):
    abuse list
    account
    answer
    approved document
    approved file
    archive
    bill
    concept
    contact list
    corrected document
    description
    detailed document
    details
    developement
    diggest
    document
    e-mail
    excel document
    file
    final version
    homepage
    icq number
    important document
    improved document
    improved file
    info
    information
    instructions
    letter
    list
    mail
    message
    movie document
    new document
    note
    notice
    number list
    old document
    order
    personal message
    phone number
    photo document
    picture document
    postcard
    powerpoint document
    presentation document
    release
    report
    requested document
    sample
    secound document
    story
    summary
    text
    textfile
    user list
    word document
    Attachment
    A file with a .pif extension and a randomly generated name.
    The worm is activated when the user opens the attached file.
    Once launched, the worm installs itself on the system and starts propagating.
    Installation
    When installing, the worm copies itself to the Windows directory under the name EastAV.exe and registers this file in the system registry auto-run key:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    “EastAV”=”%windir%\EastAV.exe”
    Mass mailing
    The worm searches for files with the extensions listed below:
    adb
    asp
    cfg
    cgi
    dbx
    dhtm
    doc
    eml
    htm
    html
    jsp
    mbx
    mdx
    mht
    mmf
    msg
    nch
    ods
    oft
    php
    pl
    ppt
    rtf
    sht
    shtm
    stm
    tbb
    txt
    uin
    vbs
    wab
    wsh
    xls
    xml

    It harvests email addresses from these files and sends copies of itself to all addresses found.
    The worm uses its own SMTP library to send messages.
    Other
    The worm attempts DoS attacks on the following sites, triggered by the local system date:
    www.cracks.am
    www.emule.de
    www.freemule.net
    www.kazaa.com
    www.keygen.us

    I-Worm.Netsky

    Details
    I-Worm.Netsky.r

    This worm spreads via the Internet as an attachment to infected messages.
    The worm itself is a Windows PE EXE file of approximately 26KB, packed using Petite, and written in Microsoft Visual C++.
    Characteristics of infected messages:
    Message header (chosen at random from the list below):
    Deliver Mail
    Delivered Message
    Delivery
    Delivery Bot
    Delivery Error
    Delivery Failed
    Delivery Failure
    Error
    Failed
    Failure
    Mail Delivery failure
    Mail Delivery System
    Mail System
    Server Error
    Status
    Unknown Exception
    The recipient’s address is also shown.
    Message body (chosen and compiled from the list below):
    Delivery Agent - Translation failed
    Delivery Failure - Invalid mail specification
    Mail Delivery - This mail couldn’t be displayed
    Mail Delivery Error - This mail contains unicode characters
    Mail Delivery Failed - This mail couldn’t be represented
    Mail Delivery Failure - This mail couldn’t be shown.
    Mail Delivery System - This mail contains binary characters
    Mail Transaction Failed - This mail couldn’t be converted
    Note: Received message has been sent as a binary file.
    Modified message has been sent as a binary attachment.
    Received message has been sent as an encoded attachment.
    Translated message has been attached.
    Message has been sent as a binary attachment.
    Received message has been attached.
    Partial message is available and has been sent as a binary attachment.
    The message has been sent as a binary attachment.
    The text below may also be used as the message body:
    Or you can view the message at: www.[recipient domain]/inmail/
    [recipient name]/mread.php?sessionid-[random value]
    An example of how this text might appear in the message:
    Or you can view the message at: www.[kaspersky.com]/inmail/[test]/mread.php?sessionid-[4321]
    Attachment name (chosen at random from the list below):
    data
    mail
    msg
    message
    A random number and extension will be added to the attachment names listed above.
    The worm is activated if the user launches the infected file by double-clicking the attachment. The worm may also send messages that exploit the incorrect MIME header handling described in Microsoft Security Bulletin MS01-020, in which case a vulnerable mail client runs the attachment as soon as the message is viewed.
    The worm then installs itself on the system and starts propagating.
    Installation
    When installing, the worm copies itself under the name SysMonXP.exe to the Windows directory, and registers this file in the system registry. This ensures that the file will launch each time the system is started.
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "SysMonXP"="%windir%\SysMonXP.exe"
    It extracts a file named firewalllogger.txt from itself and writes it to the Windows directory. On launch, the worm may open WordPad with a file named tmp.eml.
    It creates the mutex "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_" to flag its presence on the system; this prevents more than one copy of the worm from running.
    The worm may also install additional copies of itself to the system under the following names:
    base64.tmp
    zippedbase64.tmp
    zipo0.txt
    zipo1.txt
    zipo2.txt
    zipo3.txt
    Mass mailing
    The worm searches for files with the extensions listed below:
    a
    ad
    adb
    as
    asp
    c
    cf
    cfg
    cg
    cgi
    d
    db
    dbx
    dh
    dht
    dhtm
    do
    doc
    e
    em
    eml
    h
    ht
    htm
    html
    j
    js
    jsp
    m
    mb
    mbx
    md
    mdx
    mh
    mht
    mm
    mmf
    ms
    msg
    n
    nc
    nch
    o
    od
    ods
    of
    oft
    p
    ph
    php
    pl
    pp
    ppt
    r
    rt
    rtf
    s
    sh
    sht
    shtm
    st
    stm
    t
    tb
    tbb
    tx
    txt
    u
    ui
    uin
    v
    vb
    vbs
    w
    wa
    wab
    ws
    wsh
    x
    xl
    xls
    xm
    xml

    It harvests email addresses from these files and sends copies of itself to them. The worm uses its own SMTP library to send messages.
    Other
    The worm deletes the following autorun entries from the Windows system registry (values created by rival worms, among them Bagle and Mydoom):
    Explorer
    system.
    msgsvr32
    au.exe
    winupd.exe
    direct.exe
    jijbl
    Video
    service
    DELETE ME
    d3dupdate.exe
    OLE
    Sentry
    gouday.exe
    rate.exe
    Taskmon
    Windows Services Host
    sysmon.exe
    srate.exe
    ssate.exe
    Microsoft IE Execute shell
    Winsock2 driver
    ICM version
    yeahdude.exe
    Microsoft System Checkup
    On certain local system dates, the worm conducts DDoS attacks on the following sites:
    www.edonkey2000.com
    www.kazaa.com
    www.emule-project.net
    www.cracks.am
    www.cracks.st

    I-Worm.NetSky

    Details
    I-Worm.NetSky.q

    This worm spreads via the Internet as an attachment to infected messages. It is also able to propagate via P2P networks and accessible http and ftp directories.
    The worm’s main component is a PE EXE file of approximately 29KB. The worm is packed using FSG; the unpacked file is approximately 40KB in size.
    Installation
    The worm copies itself to the Windows directory under the name fvprotect.exe and registers this file in the system registry autorun key:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Norton Antivirus AV"="%windir%\fvprotect.exe"
    The worm also creates a file named userconfig9x.dll in the Windows directory, and files with the following names:
    zipped.tmp
    base64.tmp
    zip1.tmp
    zip2.tmp
    zip3.tmp
    These files are copies of the worm in UUE (uuencoded) format and ZIP archives containing copies of the worm. Files within the archive have names chosen from the following list:
    document.txt.exe
    data.rtf.scr
    details.txt.pif
    The worm creates the mutex "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_" to flag its presence on the system.
    Propagation via email
    The worm searches for files with any of the following extensions:
    .eml
    .txt
    .php
    .asp
    .wab
    .doc
    .vbs
    .rtf
    .uin
    .shtm
    .cgi
    .dhtm
    .pl
    .htm
    .html
    .adb
    .tbb
    .dbx
    .sht
    .oft
    .msg
    .jsp
    .wsh
    .xml
    and sends copies of itself to email addresses harvested from these files. The worm uses its own SMTP library to send messages and attempts to connect directly to the recipient's mail server.
    Infected messages:
    Infected messages contain random combinations of the options listed below.
    Sender's address:
    Chosen at random from those harvested from the infected machine
    Message header:
    Re: Hi
    Re: Hello
    Re: Encrypted Mail
    Re: Extended Mail
    Re: Status
    Re: Notify
    Re: SMTP Server
    Re: Mail Server
    Re: Delivery Server
    Re: Request
    Re: Bad Request
    Re: Failure
    Re: Thank you for delivery
    Re: Test
    Re: Administration
    Re: Message Error
    Re: Error
    Re: Extended Mail System
    Re: Secure SMTP Message
    Re: Protected Mail Request
    Re: Protected Mail System
    Re: Protected Mail Delivery
    Re: Secure delivery
    Re: Delivery Protection
    Re: Mail Authentification
    Re: List
    Re: Question
    Re: Proof of concept
    Re: Developement
    Re: Message
    Re: Error in document
    Re: Free porn
    Re: Sex pictures
    Re: Submit a Virus Sample
    Re: Virus Sample
    Re: Old times
    Re: Old photos
    Re: Sample
    Re: Its me
    Re: Is that your document?
    Re: Approved document
    Re: Your document
    Protected Mail System
    Mail Authentication
    Is that your password?
    Private document
    Stolen document
    Mail Account
    Administrator
    Illegal Website
    Internet Provider Abuse
    Thank you!
    Congratulations!
    Postcard
    Your day
    Mail Delivery
    Error
    Shocking document
    You cannot do that!
    hi
    hello
    Fwd: Warning again
    Notice again
    Spamed?
    Spam
    0i09u5rug08r89589gjrg
    Re: A!p$ghsa
    Important m$6h?3p
    Do you?
    Does it matter?
    News
    Information
    I love you!
    I cannot forget you!
    here
    your
    my
    thanks!
    approved
    corrected
    patched
    improved
    important
    read it immediately
    or a random string of characters
    Message body:
    Please see the attached file for details
    Please read the attached file!
    Your document is attached.
    Please read the document.
    Your file is attached.
    Your document is attached.
    Please confirm the document.
    Please read the important document.
    See the file.
    Requested file.
    Authentication required.
    Your document is attached to this mail.
    I have attached your document.
    I have received your document. The corrected document is attached.
    Your document.
    Your details.
    Please confirm!
    Please answer quickly!
    Thank you for your request, your details are attached!
    Thanks!
    am shocked about your document!
    Let'us be short: you have no experience in writing letters!!!
    Try this, or nothing!
    Here is it!
    Do not visit this illegal websites!
    You have downloaded these illegal cracks?
    Here is my icq list.
    Here is my phone number.
    I have visited this website and I found you in the spammer list. Is that true?
    Are you a spammer? (I found your email on a spammer website!?!)
    po44u90ugjid-k9z5894z0
    9u049u89gh89fsdpokofkdpbm3-4i
    Please r564g!he4a56a3haafdogu#mfn3o
    SMTP Error #201
    See the ghg5%&6gfz65!4Hf55d!46gfgf
    Server Error #203
    Your photo, uahhhall. , you are naked!
    You have written a very good text, excellent, good work!
    Your archive is attached.
    Monthly news report.
    lovely, :-)
    your big love, ;-)
    I hope you accept the result!
    The sample is attached!
    Your important document, correction is finished!
    Important message, do not show this anyone!
    Here is the website. ;-)
    My favourite page.
    I have corrected your document.
    I have attached the sample.
    Your bill is attached to this mail.
    You were registered to the pay system.
    For more details see the attachment.
    Binary message is available.
    Message has been sent as a binary attachment.
    Can you confirm it?
    I have attached it to this mail.
    Please read the attached file.
    Your document is attached.
    Encrypted message is available.
    Protected message is attached.
    Please confirm my request.
    ESMTP [Secure Mail System #334]: Secure message is attached.
    Partial message is available.
    Waiting for a Response. Please read the attachment.
    First part of the secure mail is available.
    For more details see the attachment.
    For further details see the attachment.
    Your requested mail has been attached.
    Protected Mail System Test.
    Secure Mail System Beta Test.
    Forwarded message is available.
    Delivered message is attached.
    Encrypted message is available.
    Please read the attachment to get the message.
    Follow the instructions to read the message.
    Please authenticate the secure message.
    Protected message is attached.
    Waiting for authentification.
    Protected message is available.
    Bad Gateway: The message has been attached.
    SMTP: Please confirm the attached message.
    You got a new message.
    Now a new message is available.
    New message is available.
    You have received an extended message. Please read the instructions.
    I noticed that you have visited illegal websites.
    See the name in the list!

    You have visited illegal websites.
    I have a big list of the websites you surfed.

    Your mail account is expired.
    See the details to reactivate it.

    Your mail account has been closed.
    For further details see the document.

    The file is protected with the password ghj001.
    I have attached your file. Your password is jkl44563.

    The sample file you sent contains a new virus version of mydoom.j.
    Please clean your system with the attached signature.
    Sincerly,
    Robert Ferrew

    Greetings from france,
    your friend.
    Have a look at these.

    Best wishes,
    your friend.

    Congratulations!,
    your best friend.

    I found this document about you.
    I cannot believe that.

    Try this game ;-)
    I hope the patch works.
    The message may end with a fake antivirus footer claiming that the attachment has been scanned and found clean, for example:
    +++ Attachment: No Virus found
    +++ MessageLabs AntiVirus - www.messagelabs.com

    +++ Attachment: No Virus found
    +++ Bitdefender AntiVirus - www.bitdefender.com

    +++ Attachment: No Virus found
    +++ MC-Afee AntiVirus - www.mcafee.com

    +++ Attachment: No Virus found
    +++ Kaspersky AntiVirus - www.kaspersky.com

    +++ Attachment: No Virus found
    +++ Panda AntiVirus - www.pandasoftware.com

    ++++ Attachment: No Virus found
    ++++ Norman AntiVirus - www.norman.com

    ++++ Attachment: No Virus found
    ++++ F-Secure AntiVirus - www.f-secure.com

    ++++ Attachment: No Virus found
    ++++ Norton AntiVirus - www.symantec.de
    There is a wide range of potential attachment names. The attached file often has a dual extension, with the first extension being .doc or .txt, and the second being one from the following list:
    exe
    pif
    scr
    zip
    The worm is also able to send itself as a ZIP archive.
    The worm does not send itself to addresses which contain any of the following:
    @antivi
    @avp
    @bitdefender
    @fbi
    @f-pro
    @freeav
    @f-secur
    @kaspersky
    @mcafee
    @messagel
    @microsof
    @norman
    @norton
    @pandasof
    @skynet
    @sophos
    @spam
    @symantec
    @viruslis
    abuse@
    noreply@
    ntivir
    reports@
    spam@

    The worm may also send messages that carry the IFRAME exploit (the incorrect MIME header handling described in MS01-020, previously used by Klez.h and Swen). If such a message is viewed in a vulnerable mail client, the archive containing the worm is launched automatically, without the user opening the attachment.
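The NetSky.r section above describes messages disguised as delivery failures, and both .r and .q can deliver the attachment through the MS01-020 IFRAME trick. The following Python, added here as an example and not code from the original description or from any vendor, applies the structural checks a gateway can make without a signature: a bounce-like subject on a message that is not a genuine multipart/report DSN, an executable or double-extension attachment, an executable declared under an audio or image content type, an HTML part whose IFRAME loads that attachment by Content-ID, and the fake antivirus footer. The three messages are constructed samples (their attachment bodies are placeholder bytes, not executables); the keyword and extension sets are the editor's assumptions drawn from the lists on this page.

```python
import re
import email
from email import policy

EXEC_EXT = {"exe", "pif", "scr", "com", "bat", "cmd"}
# First extensions seen in the double-extension attachment names listed on this page (assumed set).
DECOY_EXT = {"doc", "txt", "rtf", "jpg", "mpg", "mp3", "htm"}
# Words from the NetSky.r bounce-style subjects above (assumed sufficient for the demo).
BOUNCE_WORDS = ("delivery", "delivered", "failure", "failed", "mail system", "server error", "status")
IFRAME_CID = re.compile(r"""<iframe[^>]+src\s*=\s*["']?cid:([^"'\s>]+)""", re.I)


def suspicious_name(name):
    """Executable final extension, optionally hidden behind a decoy extension (document.txt.exe)."""
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXT:
        return None
    if len(parts) >= 3 and parts[-2] in DECOY_EXT:
        return "double extension %s" % name
    return "executable attachment %s" % name


def analyse(raw):
    """Return the worm traits found in one RFC 822 message (empty list: nothing found)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").lower()
    # A genuine DSN is multipart/report with report-type=delivery-status (RFC 3464); the worm's is not.
    real_dsn = (msg.get_content_type() == "multipart/report"
                and msg.get_param("report-type") == "delivery-status")
    if any(w in subject for w in BOUNCE_WORDS) and not real_dsn:
        reasons.append("bounce-style subject without a multipart/report body")
    cid_to_name = {}
    for part in msg.walk():
        name = part.get_filename()
        why = suspicious_name(name) if name else None
        if not why:
            continue
        reasons.append(why)
        cid_to_name[(part.get("Content-ID") or "").strip("<>")] = name
        # MS01-020 trick: the executable is declared as audio/image so a vulnerable client opens it on view.
        if part.get_content_maintype() in ("audio", "image", "video"):
            reasons.append("%s declared as %s" % (name, part.get_content_type()))
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            for ref in IFRAME_CID.findall(part.get_content()):
                if ref in cid_to_name:
                    reasons.append("IFRAME auto-loads attachment %s" % cid_to_name[ref])
        elif ctype == "text/plain" and "Attachment: No Virus found" in part.get_content():
            reasons.append("fake antivirus footer")
    return reasons


# Constructed samples. The base64 bodies decode to plain text, not to executables.
NETSKY_LIKE = """\
From: postmaster@example.net
Subject: Mail Delivery System
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/plain

Mail Delivery System - This mail contains binary characters
Received message has been sent as a binary attachment.

+++ Attachment: No Virus found
+++ Norton AntiVirus - www.symantec.de
--b1
Content-Type: text/html

<html><body><iframe src="cid:part1" width=0 height=0></iframe></body></html>
--b1
Content-Type: audio/x-wav; name="message.pif"
Content-ID: <part1>
Content-Disposition: attachment; filename="message.pif"
Content-Transfer-Encoding: base64

Tm90IGEgcmVhbCBiaW5hcnk=
--b1--
"""
REAL_DSN = """\
From: MAILER-DAEMON@example.com
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="b2"

--b2
Content-Type: text/plain

The following address failed: nobody@example.org
--b2--
"""
LEGIT = """\
From: alice@example.org
Subject: Re: Your document
Content-Type: multipart/mixed; boundary="b3"

--b3
Content-Type: text/plain

Please see the attached file for details.
--b3
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

Tm90IGEgcmVhbCBQREY=
--b3--
"""

if __name__ == "__main__":
    for label, raw in (("netsky-like", NETSKY_LIKE), ("real DSN", REAL_DSN), ("ordinary mail", LEGIT)):
        print(label, analyse(raw))
```

The real DSN trips the subject keywords but is cleared by its multipart/report structure; the ordinary mail with a PDF produces no finding at all, while the NetSky-style message collects five independent reasons.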
    Propagation via P2P
    The worm creates multiple copies of itself in every directory whose name contains any of the words from the following list (typical P2P share, web and FTP directories):
    bear
    donkey
    download
    ftp
    htdocs
    http
    icq
    kazaa
    lime
    morpheus
    mule
    my shared folder
    shar
    shared files
    upload
    Files created by the worm will have names chosen from the following list:
    Kazaa Lite 4.0 new.exe
    Britney Spears Sexy archive.doc.exe
    Kazaa new.exe
    Britney Spears porn.jpg.exe
    Harry Potter all e.book.doc.exe
    Britney sex xxx.jpg.exe
    Harry Potter 1-6 book.txt.exe
    Britney Spears blowjob.jpg.exe
    Harry Potter e book.doc.exe
    Britney Spears cumshot.jpg.exe
    Harry Potter.doc.exe
    Britney Spears fuck.jpg.exe
    Harry Potter game.exe
    Britney Spears.jpg.exe
    Harry Potter 5.mpg.exe
    Britney Spears and Eminem porn.jpg.exe
    Matrix.mpg.exe
    Britney Spears Song text archive.doc.exe
    Britney Spears full album.mp3.exe
    Eminem.mp3.exe
    Britney Spears.mp3.exe
    Eminem Song text archive.doc.exe
    Eminem Sexy archive.doc.exe
    Eminem full album.mp3.exe
    Eminem Spears porn.jpg.exe
    Ringtones.mp3.exe
    Eminem sex xxx.jpg.exe
    Ringtones.doc.exe
    Eminem blowjob.jpg.exe
    Altkins Diet.doc.exe
    Eminem Poster.jpg.exe
    American Idol.doc.exe
    Cloning.doc.exe
    Saddam Hussein.jpg.exe
    Arnold Schwarzenegger.jpg.exe
    Windows 2003 crack.exe
    Windows XP crack.exe
    Adobe Photoshop 10 crack.exe
    Microsoft WinXP Crack full.exe
    Teen Porn 15.jpg.pif
    Adobe Premiere 10.exe
    Adobe Photoshop 10 full.exe
    Best Matrix Screensaver new.scr
    Porno Screensaver britney.scr
    Dark Angels new.pif
    XXX hardcore pics.jpg.exe
    Microsoft Office 2003 Crack best.exe
    Serials edition.txt.exe
    Screensaver2.scr
    Full album all.mp3.pif
    Ahead Nero 8.exe
    netsky source code.scr
    E-Book Archive2.rtf.exe
    Doom 3 release 2.exe
    How to hack new.doc.exe
    Learn Programming 2004.doc.exe
    WinXP eBook newest.doc.exe
    Win Longhorn re.exe
    Dictionary English 2004 - France.doc.exe
    RFC compilation.doc.exe
    1001 Sex and more.rtf.exe
    3D Studio Max 6 3dsmax.exe
    Keygen 4 all new.exe
    Windows 2000 Sourcecode.doc.exe
    Norton Antivirus 2005 beta.exe
    Gimp 1.8 Full with Key.exe
    Partitionsmagic 10 beta.exe
    Star Office 9.exe
    Magix Video Deluxe 5 beta.exe
    Clone DVD 6.exe
    MS Service Pack 6.exe
    ACDSee 10.exe
    Visual Studio Net Crack all.exe
    Cracks & Warez Archiv.exe
    WinAmp 13 full.exe
    DivX 8.0 final.exe
    Opera 11.exe
    Internet Explorer 9 setup.exe
    Smashing the stack full.rtf.exe
    Ulead Keygen 2004.exe
    Lightwave 9 Update.exe
    The Sims 4 beta.exe
    Other
    If the worm finds the keys listed below in the system registry key
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    it will delete them.
    Explorer
    system.
    msgsvr32
    winupd.exe
    direct.exe
    jijbl
    service
    Sentry
    au.exe
    direct.exe
    d3dupdate.exe
    OLE
    gouday.exe
    rate.exe
    Taskmon
    Windows Services Host
    sysmon.exe
    srate.exe
    ssate.exe
    winupd.exe
    It will also delete the keys
    system.
    Video
    from
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    and the following key values, created by I-Worm.Bagle.
    HKLM\SYSTEM\CurrentControlSet\Services\WksPatch
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PINF
    HKCR\CLSID\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
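Every variant on this page persists through a value under HKLM\...\Run that points at a file dropped directly into the Windows directory, and several of them delete the equivalent values of Bagle and Mydoom. The following Python, an added example and not code from the original description, parses the text that `reg query` prints for that key and flags entries by the value names and file names given in the write-ups on this page (including the winlogon.exe drop of NetSky.d further down), plus a drop-location heuristic. The `reg query` output is a constructed sample, the Windows-directory spellings are assumptions, and the rule set is the editor's, not a vendor's.

```python
import re
import ntpath

# Autorun value names and dropped file names taken from the variant write-ups on this page.
NETSKY_VALUES = {"firewallsvr", "eastav", "sysmonxp", "norton antivirus av", "netdy", "9xhtprotect"}
NETSKY_FILES = {"firewallsvr.exe", "eastav.exe", "sysmonxp.exe", "fvprotect.exe",
                "visualguard.exe", "avprotect9x.exe"}
# Subset of the Bagle/Mydoom autorun values that NetSky deletes (see the "Other" sections above).
RIVAL_VALUES = {"au.exe", "d3dupdate.exe", "taskmon", "windows services host", "sysmon.exe",
                "winupd.exe", "direct.exe", "gouday.exe", "rate.exe", "srate.exe", "ssate.exe"}
WINDIR = {"c:\\windows", "c:\\winnt", "%windir%", "%systemroot%"}   # assumed spellings of the Windows directory
REG_LINE = re.compile(r"^\s+(.*?)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text):
    """Parse `reg query <key>` output into (value name, type, data) tuples; names may contain spaces."""
    return [m.groups() for m in (REG_LINE.match(l) for l in text.splitlines()) if m]


def image_path(data):
    """Executable path from a Run value: strip surrounding quotes and trailing arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ")[0]


def triage(entries):
    """Return (value name, reason) for every autorun entry that matches a NetSky trait."""
    findings = []
    for name, _type, data in entries:
        path = image_path(data)
        exe, parent = ntpath.basename(path).lower(), ntpath.dirname(path).lower()
        if name.lower() in NETSKY_VALUES or exe in NETSKY_FILES:
            findings.append((name, "NetSky autorun entry -> %s" % path))
        elif name.lower() in RIVAL_VALUES:
            findings.append((name, "Bagle/Mydoom autorun entry (the kind NetSky deletes) -> %s" % path))
        elif exe == "winlogon.exe" and parent in WINDIR:
            # The real winlogon.exe lives in system32; NetSky.d drops its copy one level up.
            findings.append((name, "winlogon.exe outside system32, the NetSky.d drop location -> %s" % path))
        elif parent in WINDIR:
            # Every variant on this page drops straight into the Windows directory, which legitimate
            # autorun entries rarely do; worth a look even when the name is unknown.
            findings.append((name, "program started directly from the Windows directory -> %s" % path))
    return findings


# Constructed `reg query` output for the demo; not taken from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth         REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    ctfmon                 REG_SZ           "C:\WINDOWS\system32\ctfmon.exe" /n
    Norton Antivirus AV    REG_SZ           C:\WINDOWS\fvprotect.exe
    Taskmon                REG_SZ           C:\WINDOWS\system32\taskmon.exe
    Updater                REG_SZ           C:\WINDOWS\winlogon.exe
    Adobe Reader           REG_SZ           "C:\Program Files\Adobe\Reader\reader_sl.exe"
"""


def triage_sample():
    """Findings for the constructed sample above."""
    return triage(parse_reg_query(SAMPLE))


if __name__ == "__main__":
    for name, reason in triage_sample():
        print("%-22s %s" % (name, reason))
```

Run it against `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` (and the HKCU key, which the .o section notes the worm also cleans) piped to a file; the three hits in the sample are the NetSky.q value, a Mydoom value and an unknown value that starts winlogon.exe from the wrong directory.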

    I-Worm.NetSky

    Details
    I-Worm.NetSky.o

    This worm spreads via the Internet as an attachment to infected messages.
    The worm itself is a Windows PE EXE file, written in Microsoft Visual C++. It is approximately 16KB in size and packed using UPX. The unpacked file is approximately 140KB in size.
    When launched, the worm recursively scans all disks, starting with C: for files with the following extensions:
    .pl
    .htm
    .html
    .eml
    .txt
    .php
    .asp
    .wab
    .doc
    .vbs
    .rtf
    .uin
    .shtm
    .cgi
    .dhtm
    .adb
    .tbb
    .dbx
    .sht
    .oft
    .msg
    .jsp
    .wsh
    .xml
    It sends copies of itself to email addresses harvested from these files.
    The worm creates the following files:
    \zip1.tmp, \zip2.tmp, \zip3.tmp, \zip4.tmp, \zip5.tmp, \zip6.tmp: each contains a MIME-encoded copy of the worm
    \zipped.tmp: a copy of the worm in a ZIP archive
    It deletes the following values from the system registry key below, under both HKLM and HKCU:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] and [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    system.
    msgsvr32
    au.exe
    service
    DELETE ME
    d3dupdate.exe
    OLE
    Sentry
    gouday.exe
    rate.exe
    Taskmon
    Windows Services Host
    sysmon.exe
    srate.exe
    ssate.exe
    Installation
    When launching, the worm copies itself to the Windows directory as Avprotect9x.exe. It then registers the full path to this file in the system registry.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NetDy"="%windir%\VisualGuard.exe"
    Infected messages
    Message header (compiled using one or more lines from the list below):
    Re:
    Re: Re:

    your
    my

    approved
    important
    here
    hi
    hello
    thanks!
    approved
    corrected
    patched
    improved
    important
    read it immediately
    Attachment name (chosen at random from the list below):
    document
    file
    details
    information
    letter
    product
    website
    application
    screensaver
    bill
    word document
    excel document
    data
    message
    text
    document_all
    Message body (chosen at random from the list below):
    Your details.
    Your document.
    I have received your document. The corrected document is attached.
    I have attached your document.
    Your document is attached to this mail.
    Authentication required.
    Requested file.
    See the file.
    Please read the important document.
    Please confirm the document.
    Your file is attached.
    Please read the document.
    Your document is attached.
    Please read the attached file.
    Please see the attached file for details.
    The worm contains the following text strings:
    <*>NetDy: Thanks to the S*k*y*N*e*t alias *N*e*t*S*k*y* crew for the sourcecode.
    <*>NetDy: We have rewritten *N*e*t*S*k*y.
    <*>NetDy: Thats a good tactic to detroy the bagle and mydoom worms.
    <*>NetDy: Our group will continue the war.
    <*>NetDy: Malware writers ‘,27h,’End’,27h,’ comes true.
    <*>NetDy: Our Social Engineering is the best *lol* (You have no virus symantec says!).
    <*>NetDy: —————————————————————————-
    <*>NetDy: We are greeting all russia people!
    USA SUCKS!!! AFGHAN SUCKS 2!!! BURN, SADDAM! BURN IN HELL! AND YOU, OSAMA BIN LADEN,
    BURN IN THE DEVILS FIRE 2!!! SHAME ON YOU MR. BUSH!!!
    Signs of infection
    The worm opens a group of several ports. The port numbers are increased incrementally across the whole group every few seconds. This behaviour makes it possible to detect the worm using Kaspersky Anti-Hacker.

    I-Worm.Netsky

    Details
    I-Worm.Netsky.m

    This worm spreads via the Internet as an attachment to infected messages.
    The worm itself is a Windows PE EXE file, written in Microsoft Visual C++. It is approximately 16KB in size and packed using UPX. The unpacked file is approximately 140KB in size.
    When launched, the worm recursively scans all disks, starting with C: for files with the following extensions:
    adb
    asp
    cgi
    dbx
    dhtm
    doc
    eml
    htm
    html
    jsp
    msg
    oft
    php
    pl
    rtf
    sht
    shtm
    tbb
    txt
    uin
    vbs
    wab
    wsh
    xml
    It sends copies of itself to email addresses harvested from these files.
    Installation
    When launching, the worm copies itself to the Windows directory as Avprotect9x.exe. It then registers the full path to this file in the system registry:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "9xHtProtect"="%windir%\AVprotect9x.exe"
    This ensures that the worm will be launched each time Windows is started.
    Infected messages
    Message header (%s is a placeholder the worm fills in at run time):
    Re: <%s> Approved
    Re: <%s> Details
    Re: <%s> Document
    Re: <%s> Improved
    Re: <%s> Information
    Re: <%s> My details
    Re: <%s> My document
    Re: <%s> My file
    Re: <%s> My information
    Re: <%s> Requested document
    Re: <%s> Requested file
    Re: <%s> Your details
    Re: <%s> Your document
    Attachment name:
    %s
    articel_%s
    detailed_%s
    details_%s
    doc_%s
    document_%s
    file_%s
    improved_%s
    message_%s
    picture_%s
    word_doc_%s
    your_document_%s
    your_file_%s
    Message body:
    %s is attached.
    Authentification for %s required.
    Details for %s.
    Document %s.
    I have attached your document %s.
    I have received your document. The improved document %s is attached.
    Please confirm the document %s.
    Please read the attached file %s.
    Please read the document %s.
    Please read the important message msg_%s.
    Please see the attached file %s for details.
    Requested file %s.
    See the file %s.
    Your document %s is attached to this mail.
    Your document %s is attached.
    Your file %s is attached.
    Signs of infection
    The worm opens a group of several ports. The port numbers are increased incrementally across the whole group every few seconds. This behaviour makes it possible to detect the worm by using Kaspersky Anti-Hacker.
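The "Signs of infection" notes for NetSky.o and NetSky.m above describe a block of listening ports whose numbers climb every few seconds. The following Python, an added example rather than code from the original description or from Kaspersky Anti-Hacker, shows how that behaviour can be picked out of successive `netstat -an` snapshots: it looks for a run of consecutive listening ports that is present in every snapshot with a base port that keeps rising, while fixed services stay put. The snapshots are constructed; the description gives no actual port numbers or group size, so the values and the five-port group are assumptions.

```python
import re

LISTENING = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.M)


def listening_ports(netstat_output):
    """Sorted TCP ports in LISTENING state, parsed from `netstat -an` style output."""
    return sorted({int(p) for p in LISTENING.findall(netstat_output)})


def contiguous_runs(ports, min_len=3):
    """Runs of consecutive port numbers as (start, end), keeping only runs with at least min_len members."""
    runs, start, prev = [], None, None
    for p in ports:
        if start is not None and p == prev + 1:
            prev = p
            continue
        if start is not None and prev - start + 1 >= min_len:
            runs.append((start, prev))
        start = prev = p
    if start is not None and prev - start + 1 >= min_len:
        runs.append((start, prev))
    return runs


def shifting_port_groups(snapshots, min_len=3):
    """Groups of >= min_len consecutive listening ports whose base port rises in every later snapshot.

    Returns a list of (group size, [base port per snapshot]). A static service block (for example a
    fixed RPC range) never moves and is therefore not reported."""
    per_snapshot = [contiguous_runs(listening_ports(s), min_len) for s in snapshots]
    found = []
    for start, end in per_snapshot[0]:
        size = end - start + 1
        bases = [start]
        for runs in per_snapshot[1:]:
            higher = [s for s, e in runs if e - s + 1 == size and s > bases[-1]]
            if not higher:
                break
            bases.append(min(higher))   # nearest run of the same size that moved upwards
        else:
            found.append((size, bases))
    return found


def make_snapshot(ports):
    """Constructed `netstat -an` text for the demo (not real output from an infected host)."""
    lines = ["  Proto  Local Address          Foreign Address        State"]
    for p in ports:
        lines.append("  TCP    0.0.0.0:%-6d         0.0.0.0:0              LISTENING" % p)
    lines.append("  TCP    10.0.0.5:1180          10.0.0.9:445           ESTABLISHED")
    return "\n".join(lines)


STATIC = [135, 445, 3389]   # ordinary services, identical in every snapshot
# Assumed worm behaviour: a block of five ports that moves up by one between snapshots; the
# description above gives no real port numbers, so these values are illustrative only.
SNAPSHOTS = [make_snapshot(STATIC + list(range(base, base + 5))) for base in (10120, 10121, 10122)]

if __name__ == "__main__":
    print(shifting_port_groups(SNAPSHOTS))                   # the moving five-port block
    print(shifting_port_groups([SNAPSHOTS[0], SNAPSHOTS[0]]))  # nothing moved: empty list
```

In practice the snapshots would be taken a few seconds apart; the ESTABLISHED line and the fixed service ports are ignored by the parser and the run detector respectively, so only the wandering block is reported.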

    I-Worm.NetSky

    Details
    I-Worm.NetSky.e
    This worm spreads via the Internet as a file attached to infected messages. The worm itself is a PE EXE file of approximately 23KB, packed using Petite. The unpacked file is approximately 39KB in size.
    This program is a minor reworking of I-Worm.NetSky.c.
    The file name and the auto-run registry entry it creates are identical to those of NetSky.c.
    It differs from the previous version only in that two values have been added to the list of extensions used for attached files, and in that the worm does not copy itself to directories containing the word shar.

    I-Worm.NetSky

    Details
    I-Worm.NetSky.d
    This worm spreads via the Internet as a file attached to infected messages.
    The worm is a Windows PE EXE file, of approximately 17424 bytes, written in Microsoft Visual C++. It is packed using Petite. The unpacked file is approximately 27KB in size.
    Infected messages
    Message header, chosen at random from the list below:
    Re: Approved
    Re: Details
    Re: Excel file
    Re: Hello
    Re: Here
    Re: Here is the document
    Re: Hi
    Re: My details
    Re: Re: Document
    Re: Re: Message
    Re: Re: Re: Your document
    Re: Re: Thanks!
    Re: Thanks!
    Re: Word file
    Re: Your archive
    Re: Your bill
    Re: Your details
    Re: Your document
    Re: Your letter
    Re: Your music
    Re: Your picture
    Re: Your product
    Re: Your software
    Re: Your text
    Re: Your website
    Message body, chosen at random from the list below:
    Here is the file.
    Please have a look at the attached file
    Please read the attached file.
    See the attached file for details.
    Your document is attached.
    Your file is attached.
    Attachment name, chosen at random from the list below:
    all_document.pif
    application.pif
    document.pif
    document_4351.pif
    document_excel.pif
    document_full.pif
    document_word.pif
    message_details.pif
    message_part2.pif
    mp3music.pif
    my_details.pif
    your_archive.pif
    your_bill.pif
    your_details.pif
    your_document.pif
    your_file.pif
    your_letter.pif
    your_product.pif
    your_text.pif
    your_website.pif
    yours.pif
    The worm is activated only if the user executes the infected file by double-clicking on the attachment. The worm then installs itself on the system and starts propagating.
    Installation
    When installing, the worm copies itself to the Windows directory under the name winlogon.exe and registers this file in the system registry auto-run key:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    Sending messages
    To harvest email addresses, the worm searches for files with the following extensions:
    adb
    asp
    dbx
    doc
    eml
    htm
    html
    msg
    oft
    php
    pl
    rtf
    sht
    tbb
    txt
    uin
    vbs
    wab
    and sends a copy of itself to all addresses found in these files. The worm uses its own SMTP engine to send messages.
    It attempts to send itself via the following SMTP servers:
    Deletion of Mydoom
    In a similar way to several other worms, Netsky.d is programmed to delete Mydoom from the infected machine. It searches the following branches of the system registry for the Explorer and Taskmon keys:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    and also deletes the following key:
    [HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
    Other
    The worm deletes the keys KasperskyAv and system from the system registry.

    I-Worm.NetSky

    Details
    I-Worm.NetSky.c
    This worm spreads via the Internet as a file attached to infected messages. The worm itself is a PE EXE file of approximately 23KB, packed using Petite. The unpacked file is approximately 39KB in size.
    Several other versions of this worm exist, and these were packed using ASPack and other utilities. However, this version packed using Petite is the only one which has managed to propagate.
    Installation
    The worm copies itself to the Windows directory under the name winlogon.exe and registers this file in the system registry auto-run key:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ICQ Net" = "%windir%\winlogon.exe -stealth"
    The worm also creates a unique mutex [SkyNet.cz]SystemsMutex to flag its presence in memory. The worm creates copies of itself in all sub-directories on disks C: to Z: which have the word shar in their names. The copies are saved under names from the following list:
    1000 Sex and more.rtf.exe
    3D Studio Max 3dsmax.exe
    ACDSee 9.exe
    Adobe Photoshop 9 full.exe
    Adobe Premiere 9.exe
    Ahead Nero 7.exe
    Best Matrix Screensaver.scr
    Clone DVD 5.exe
    Cracks & Warez Archive.exe
    Dark Angels.pif
    Dictionary English - France.doc.exe
    DivX 7.0 final.exe
    Doom 3 Beta.exe
    E-Book Archive.rtf.exe
    Full album.mp3.pif
    Gimp 1.5 Full with Key.exe
    How to hack.doc.exe
    IE58.1 full setup.exe
    Keygen 4 all appz.exe
    Learn Programming.doc.exe
    Lightwave SE Update.exe
    Magix Video Deluxe 4.exe
    Microsoft Office 2003 Crack.exe
    Microsoft WinXP Crack.exe
    MS Service Pack 5.exe
    Norton Antivirus 2004.exe
    Opera.exe
    Partitionsmagic 9.0.exe
    Porno Screensaver.scr
    RFC Basics Full Edition.doc.exe
    Screensaver.scr
    Serials.txt.exe
    Smashing the stack.rtf.exe
    Star Office 8.exe
    Teen Porn 16.jpg.pif
    The Sims 3 crack.exe
    Ulead Keygen.exe
    Virii Sourcecode.scr
    Visual Studio Net Crack.exe
    Win Longhorn Beta.exe
    WinAmp 12 full.exe
    Windows Sourcecode.doc.exe
    WinXP eBook.doc.exe
    XXX hardcore pic.jpg.exe
    The worm also creates several copies in zip format.
    Propagation
    The worm searches for files with extensions from the following list:
    adb
    asp
    cgi
    dbx
    dhtm
    doc
    eml
    htm
    html
    msg
    oft
    php
    pl
    rtf
    sht
    shtm
    tbb
    txt
    uin
    vbs
    wab
    harvests email addresses from these files, and sends a copy of itself to these addresses. The worm uses its own SMTP library to send messages, and attempts to establish a direct connection to the message recipient’s server. If this attempt is unsuccessful, the worm attempts to send the message via one of the servers defined in the worm’s code:
    Infected messages:
    Infected messages have the following characteristics, chosen at random from the options below:
    Message header:
    believe me
    dear
    Delivery Failed
    denied!
    error
    exception
    excuse me
    fake?
    good morning
    hello
    Here is it
    hey
    hi
    illegalall
    I’m back!
    important
    info
    its me
    last chance!
    lol
    moin
    notice!
    notification
    private?
    question
    Question
    re:
    Re: <5664ddff?$???2>
    Re: does it?
    Re: does it?
    Re: excuse me
    Re: hello
    Re: hey
    Re: hi
    Re: important
    Re: information
    Re: Re: Re: Re:
    Re: unknown
    read it immediatelly
    report
    something for you
    Status
    stolen
    take it
    trust me
    warning
    what’s up?
    Yep
    you?
    or the message header is left blank.
    Message body:
    <<>>
    <...>
    *lol*
    ;-)
    ?
    09580985869gj
    a crazy doc about you
    abuse?
    account?
    already?
    another pic, have fun! … :->
    Antispam is turned off. See file!
    are you a photographer?
    are you a teacherin the picture?
    are you cranky?
    are you the naked one?
    are you the naked person!
    are you the one?
    Attached Msg
    attachi#
    Authentification required. Read the att…
    bad gateway
    be mad?
    best?
    bob the builder
    child or adult?
    child porn?
    classroom test of you?
    copyright?
    correct it!
    did you ask me for that?
    did you know from this document?
    did you know that?
    did you see her already?
    did you sent it to me?
    do not give up!
    do not open the attachment!
    do not show this anyone!
    do not use my document!
    do not visit the pages on the list I se…
    do you have an orgasm in the picture?
    do you have sex in the picture?
    do you have the bug also?
    do you have?
    do you know the thief?
    do you know this????
    do you think so?
    doc about me?
    doc?
    docs?
    does it belong to you?
    does it belong to you?
    does it match?
    does it matter?
    drugs? …
    excellent!
    explain!
    fast food…
    feel free to use it
    File is bad.
    File is damaged.
    File is self-decryting.
    forgotten?
    from the chatter (my photo!)
    from your lover ;-)
    gonna?
    good work!
    great job!
    great xxx!
    great!
    greetings
    help attached
    her.
    here is it.
    here is my advice
    here is my photo!
    here is the $%%454$
    here is the
    here is the document.
    here is the next one!
    here is yours!
    here, the cheats
    here, the introduction
    here, the serials
    how?
    i am desperate
    i am speachless about your document!
    I don’t know your document!
    i don’t think so.
    i don’t want your xxx pics!
    i found that about you!
    i found this document about you.
    i have received this.
    I have your password!
    i hope thats not true!
    i know your document!
    i like your doc!
    i lost that
    i need you!
    i saw you last week!
    I ‘ve found your bill!
    I wait for an answer!
    i wait for your comment about it.
    i want more…
    illegal st. of you?
    important?
    in your mind?
    incest?
    information about you?
    Instant patches
    instruct me about this!
    is that criminal?
    is that possible?
    is that the reality?
    is that true?
    is that your account?
    is that your account?
    is that your attachment?
    is that your beast?
    is that your car?
    is that your car?
    is that your cd?
    is that your creditcard?
    is that your domain?
    is that your family?
    is that your finger?
    is that your message?
    is that your name?
    is that your photo?
    is that your porn pic?
    is that your privacy?
    is that your slip?
    is that your TAN?
    is that your website?
    is that your wife?
    is that your work?
    is that yours?
    is the pic a fake?
    is this information about you?
    it’s a secret!
    its private from me
    it’s so similar as yours!
    i’ve found it about you
    kill him on the picture!
    kill the writer of this document!
    let it!
    lets talk about it!
    Login required! Read the attachment!
    love letter?
    man or women?
    meaning of that?
    message?
    Microsoft
    misc. and so on. see you!
    modifications?
    money?
    msg
    my advice….
    never!
    new patch is available!
    ok…
    old photos about you?
    only encrypted!
    pages?
    personal message!
    picture?
    poor quality!
    possible?
    pretty pic about you?
    pwd?
    read it immediately!
    read the details.
    really?
    reply
    scanned by norton antivirus
    schoolfriend?
    see this!
    see your name!
    solve the problem!
    something about you!
    something is going …
    something is going wrong!
    something is not ok
    stuff about you?
    such as yours?
    take it easy!
    tell me more about your document!
    test it
    that is interesting…
    that’s a funny text.
    that’s not the truth?
    thats wrong!
    the information is wrong!
    the truth?
    this file is bad!
    this is an attachment message!
    this is nothing for kids!
    time to fear?
    Transaction failed. Show the doc!
    trial?
    try this patch!
    Warning from the Government
    what do you think about it?
    what means that?
    what still?
    what?
    who?
    why should I?
    why?
    wrong calculation! (see the attachment!…
    xxx ?
    xxx about you?
    xxx service
    yes.
    you are a bad writer
    you are bad
    You are infected. Read the details!
    you are naked in this document!
    you are sexy in this doc!
    you cannot hide yourself! (see photo)
    you earn money, see the attachment!
    you feel the same.
    you have a sexy body in the pic!
    you have done a mistake in the document…
    you have tried to steal!
    you look like an ape!
    you look like an rat?
    you won the rk!
    your account is expired!
    your are naked?
    your attachment? verify it.
    Your bill.
    your body?
    your design is not good!
    your document is not good
    your document is silly!
    your eyes?
    your face?
    your hero in the picture?
    your icq number?
    your job? (I found that!)
    your lie is going around the world!
    your name is wrong!
    your personal record?
    your photo is poor
    Your provider will be disabled!
    your TAN number?
    yours?
    or the message body will be left blank.
    Attachment:
    aboutyou
    associal
    attach2
    attachment
    auction
    bill
    birth
    card
    class_photos
    concert
    creditcard
    death
    description
    details
    dinner
    disco
    doc
    doc_ang
    document
    final
    found
    freaky
    friend
    id
    image
    important
    incest
    information
    injection
    intimate stuff
    jokes
    letter
    location
    mail2
    mails
    masturbation
    material
    me
    message
    misc
    moonlight
    more
    msg
    msg2
    music
    myaunt
    mydate
    naked1
    naked2
    news
    nomoney
    note
    nothing
    number_phone
    object
    old_photos
    part2
    party
    paypal
    pic
    portmoney
    poster
    posting
    privacy
    product
    ps
    ranking
    regards
    regid
    release
    response
    schock
    secrets
    sexual
    sexy
    shower
    story
    stuff
    swimmingpool
    talk
    tear
    textfile
    topseller
    transfer
    trash
    undefinied
    unfolds
    update
    violence
    visa
    warez
    webcam
    website
    wife
    word_doc
    worker
    your_stuff
    yours
    yours
    The attached file will have one of the following extensions:
    doc
    htm
    rtf
    txt
    or a double extension. In this case, the second extension will be one of the following:
    com
    exe
    scr
    pif
    The worm also sends itself as a Zip file.
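A gateway-side check for the attachment naming just described (and for the .pif names listed for NetSky.d earlier on this page), as an added example that is not part of the original write-up; the MIME message in it is constructed, and a file carrying only a document extension is deliberately reported as clean because its name alone gives nothing away.

```python
"""Flag NetSky-style attachment names at a mail gateway.
Added example, not code from the original write-up. The MIME message is constructed;
the naming rules are those described for NetSky.c and NetSky.d above."""
import email
from email import policy

EXECUTABLE_EXTS = {"com", "exe", "scr", "pif"}
DECOY_EXTS = {"doc", "htm", "rtf", "txt"}  # first half of the double extension


def classify_attachment(filename):
    """Return 'double-extension', 'executable', 'zip' or 'clean' for one attachment name.

    A single document extension (report.doc) cannot be told apart from a legitimate
    file by name alone, so it is reported as clean and left to content scanning.
    """
    parts = filename.lower().rsplit(".", 2)  # keep at most the two trailing extensions
    if len(parts) < 2:
        return "clean"
    if parts[-1] == "zip":
        return "zip"
    if parts[-1] in EXECUTABLE_EXTS:
        return "double-extension" if len(parts) == 3 and parts[1] in DECOY_EXTS else "executable"
    return "clean"


def attachment_names(raw_message):
    """Extract attachment filenames from a raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [part.get_filename() for part in msg.iter_attachments() if part.get_filename()]


def gateway_verdict(raw_message):
    """Return ('quarantine' or 'deliver', [(filename, classification), ...])."""
    results = [(name, classify_attachment(name)) for name in attachment_names(raw_message)]
    verdict = "quarantine" if any(kind != "clean" for _, kind in results) else "deliver"
    return verdict, results


# Constructed message in the NetSky.c template; the attachment body is a placeholder
SAMPLE = b"""From: sender@example.invalid
To: recipient@example.invalid
Subject: Re: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

here is the document.
--b1
Content-Type: application/octet-stream; name="document.doc.exe"
Content-Disposition: attachment; filename="document.doc.exe"
Content-Transfer-Encoding: 7bit

placeholder bytes, not a real binary
--b1--
"""
```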
    Other
    The worm deletes the following keys from the system registry:
    DELETE ME
    Explorer
    KasperskyAV
    msgsvr32
    Sentry
    service
    System.
    Taskmon
    Windows Services Host
    Windows Services Host

    HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
    HKLM\System\CurrentControlSet\Services\WksPatch
    and the following key values:
    au.exe
    d3dupdate.exe
    OLE
    If the local system date shows 27th February or later, and the local system time shows between 6am and 9am, the worm attempts to emit sounds using the system speakers.

    I-Worm.NetSky

    Details
    I-Worm.NetSky.b
    (Also known as Moodown.b) This worm spreads via the Internet as a file attached to infected emails. The worm itself is a PE EXE file of approximately 21KB, compressed using UPX. The size of the decompressed file is approximately 40KB.
    Installation
    Once launched, the worm displays a false error message on the screen: ‘The file could not be opened’.

    The worm copies itself to the Windows directory under the name 'services.exe' and registers this file in the system registry auto-run key:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "service" = "%windir%\services.exe -serv"
    The worm also creates the unique identifier 'AdmSkynetJklS003' to flag its presence in memory.
    The worm creates a number of copies of itself in all sub-directories on disks C: to Z: which contain the word 'share' or 'sharing' in the directory name. The copies will be under names chosen from the following list:
    winxp_crack.exe
    dolly_buster.jpg.pif
    strippoker.exe
    photoshop 9 crack.exe
    matrix.scr
    porno.scr
    angels.pif
    hardcore porn.jpg.exe
    office_crack.exe
    serial.txt.exe
    cool screensaver.scr
    eminem - lick my pussy.mp3.pif
    nero.7.exe
    virii.scr
    e-book.archive.doc.exe
    max payne 2.crack.exe
    how to hack.doc.exe
    programming basics.doc.exe
    e.book.doc.exe
    win longhorn.doc.exe
    dictionary.doc.exe
    rfc compilation.doc.exe
    sex sex sex sex.doc.exe
    doom2.doc.pif
    It also makes a number of copies in ZIP format, with names chosen from the following list:
    document
    msg
    doc
    talk
    message
    creditcard
    details
    attachment
    me
    stuff
    posting
    textfile
    concert
    information
    note
    bill
    swimmingpool
    product
    topseller
    ps
    shower
    aboutyou
    nomoney
    found
    story
    mails
    website
    friend
    jokes
    location
    final
    release
    dinner
    ranking
    object
    mail2
    part2
    disco
    party
    misc
    #n#o#t#n#e#t#s#k#y#-#s#k#y#n#e#t#!
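A host-side check for the installation indicators given for NetSky.b here and for NetSky.c and NetSky.d above, as an added example that is not part of the original write-ups; it works on a constructed .reg export and handle list rather than the live registry, and the HKEY_* key names are the long forms regedit writes for the HKLM/HKCU keys quoted in the text.

```python
"""Check autorun entries and mutex names for the NetSky.b/.c/.d/.e indicators above.
Added example, not code from the original write-ups. It reads a .reg export so it runs
offline on any platform; the export and the handle list used here are constructed."""
import re

# regedit writes the long HKEY_* names for the HKLM/HKCU keys quoted in the text
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
# (value name, dropped executable, switch, variant); the worm drops winlogon.exe and
# services.exe directly in %windir%, whereas the genuine ones live in %windir%\system32
RUN_INDICATORS = [("ICQ Net", "winlogon.exe", "-stealth", "NetSky.c/.e"),
                  ("service", "services.exe", "-serv", "NetSky.b")]
MUTEXES = {"[SkyNet.cz]SystemsMutex": "NetSky.c", "AdmSkynetJklS003": "NetSky.b"}


def parse_reg_export(text):
    """Parse the .reg subset needed here: [key] headers and "name"="data" lines."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):  # undo regedit escaping
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name.strip('"')] = data
    return keys


def netsky_run_indicators(keys):
    """Return (variant, key, value name, data) for autorun entries matching an indicator."""
    hits = []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            m = re.match(r'^"?(?:.*\\)?([^\\"]+\.exe)"?\s*(\S*)', data, re.IGNORECASE)
            if not m:
                continue
            basename, switch = m.group(1).lower(), m.group(2).lower()
            for ind_name, exe, ind_switch, variant in RUN_INDICATORS:
                # the dropped file name must match; the switch or the value name confirms it
                if basename == exe and (switch == ind_switch or name.lower() == ind_name.lower()):
                    hits.append((variant, key, name, data))
    return hits


def netsky_mutexes(handle_names):
    """Return (variant, mutex) for every known NetSky mutex present in a handle listing."""
    return [(MUTEXES[n], n) for n in handle_names if n in MUTEXES]


# Constructed export: one benign entry plus the two NetSky autorun entries
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ICQ Net"="C:\\WINDOWS\\winlogon.exe -stealth"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"service"="C:\\WINDOWS\\services.exe -serv"
'''
```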
    Propagation
    The worm finds files with extensions adb, asp, dbx, doc, eml, htm, html, msg, oft, php, pl, rtf, sht, tbb, txt, uin, vbs and wab, searches them for email addresses and sends a copy of itself to the addresses found. The worm uses its own SMTP library to send messages.
    Infected messages have a message header and body text chosen at random from the following lists:
    Message header:
    Hi
    hi
    hello
    read it immediately
    something for you
    warning
    information
    stolen
    fake
    unknown
    Message body:
    AnythingOk?
    anything ok?
    what does it mean?
    ok
    i’m waiting
    read the details.
    here is the document.
    read it immediately!
    my hero
    here
    is that true?
    is that your name?
    is that your account?
    i wait for a reply!
    is that from you?
    you are a bad writer
    I have your password!
    something about you!
    kill the writer of this document!
    i hope it is not true!
    your name is wrong
    i found this document about you
    yes, really?
    that is bad
    here it is
    see you
    greetings
    stuff about you?
    something is going wrong!
    information about you
    about me
    from the chatter
    here, the serials
    here, the introduction
    here, the cheats
    that’s funny
    do you?
    reply
    take it easy
    why?
    thats wrong
    misc
    you earn money
    you feel the same
    you try to steal
    you are bad
    something is going wrong
    something is fool
    Deletion of the Mydoom worm
    Like several other worms, Moodown.b contains a function which deletes Mydoom from the machines it infects. To do this, it finds the 'Explorer' and 'Taskmon' keys in the following branches:
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    and also deletes the following key:
    [HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
    Other
    The worm deletes the 'KasperskyAv' and 'system.' keys from the Windows registry.
