Name: Worm/NetSky.C
Discovered on: 25/02/2004
Type: Worm
In the wild: Yes
Reported infections: Medium
Distribution potential: Medium
Damage potential: Low
Static file: Yes
File size: 25,353 bytes
MD5 checksum: 0e17dbec1904b7c10614bfb29ef758fd
VDF version: 6.24.00.19
General

Distribution methods:
• Email
• Peer to Peer

Aliases:
• Symantec: W32.Netsky.C@mm
• Mcafee: W32/Netsky.c@MM
• Kaspersky: Win32/Netsky.worm.25352
• TrendMicro: WORM_NETSKY.C
• F-Secure: W32/Netsky.C@mm
• Sophos: W32/Netsky-C
• Grisoft: I-Worm/Netsky.C
• VirusBuster: I-Worm.Netsky.C
• Bitdefender: Win32.NetSky.C@mm

Operating systems:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows 2000
• Windows XP

Effects:
• Lowers security settings
• Modifies the registry

Files

A copy of itself is created here:
• %WINDIR%\winlogon.exe

Note that the legitimate winlogon.exe lives in %WINDIR%\System32; a winlogon.exe directly in %WINDIR% is the worm's copy, named to blend in with the real process in a task list.

Registry

The following registry value is added so that the process is started again after a system restart:
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• "ICQ Net"="%WINDIR%\winlogon.exe -stealth"

The following values are deleted from these registry keys (the effect is to remove the autorun entries of competing malware and of some security software):
– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• DELETE ME
• Explorer
• KasperskyAv
• msgsvr32
• Sentry
• service
• System
• TaskMon
• Windows Services Host
– HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• au.exe
• d3dupdate.exe
• Explorer
• KasperskyAv
• OLE
• TaskMon
• Windows Services Host

Email

The malware has its own SMTP engine for sending email and connects directly to the recipient's mail server, so it does not depend on the infected user's configured mail client or relay. The details are as follows:

From: The sender address is forged.

To:
– Email addresses found in selected files on the system.
– Addresses collected from the Internet

Subject: One of the following (all strings in this section are reproduced verbatim, including the worm's own misspellings, since they are usable as indicators):
• "notification"; "denied!"; "Question"; "believe me"; "Re: hello"; "Re: important"; "Re: hi"; "excuse me"; "Re: hey"; "exception"; "something for you"; "you?"; "Re: Re: Re: Re:"; "re:"; "take it"; "error"; "illegal..."; "good morning"; "private?"; "stolen"; "Here is it"; "Re: information"; "info"; "what's up?"; "moin"; "warning"; "fake?"; "Re: unknown"; "dear"; "hello"; "important"; "Yep"; "Re: does it?"; "read it immediatelly"; "Re: excuse me"; "hey"; "trust me"; "question"; "report"; "Status"; "Delivery Failed"; "< Attachment from Poland >"; "ok..."; "help attached"; "what means that?"; "< Server Error >"; "< Message Error >"; "< Deliver Error >"; "notice!"; "its me"; "I'm back!"; "last chance!"; "lol"; "Re: < 5664ddff?$?? >"

Body: The body of the email is one of the following:
• "Instant patches."
• "Your provider will be disabled!"
• "tell me more about your document!"
• "explain!"
• "do not visit the pages on the list I sent!"
• "do not open the attachment!"
• "do not use this creditcard!"
• "do not use my document!"
• "solve the problem!"
• "Authentification required. Read the attachment!"
• "Antispam is turned off. See file!"
• "is the pic a fake?"
• "your document is silly!"
• "Login required! Read the attachment!"
• "feel free to use it."
• "here is the "
• "here is my photo!"
• "here is my advice."
• "You are infected. Read the details!"
• "see your name!"
• "I 've found your bill!"
• "Transaction failed. Show the doc!"
• "< Attachment Signature 34933920 >"
• "< Click the attachment to decrypt >"
• "do you have an orgasm in the picture?"
• "try this patch!"
• "Your bill."
• "fast food..."
• "Microsoft"
• "in your mind?"
• "this is an attachment message!"
• "new patch is available!"
• "do not show this anyone!"
• "its private from me"
• "you have done a mistake in the document!"
• "are you a photographer?"
• "do you know the thief?"
• "lets talk about it!"
• "< Antispam complete >"
• "< Transfer complete >"
• "your lie is going around the world!"
• "you have a sexy body in the pic!"
• "do you have sex in the picture?"
• "does it belong to you?"
• "are you the one?"
• "are you the naked person!"
• "are you the naked one?"
• "is that your domain?"
• "is that your slip?"
• "is that your beast?"
• "is that your family?"
• "is that your work?"
• "is that your porn pic?"
• "your are naked?"
• "is that your finger?"
• "is that your cd?"
• "is that your message?"
• "is that your TAN?"
• "is that your privacy?"
• "is this information about you?"
• "money?"
• "did you know that?"
• "bob the builder"
• "are you cranky?"
• "be mad?"
• "you look like an rat?"
• "you look like an ape!"
• "let it!"
• "incest?"
• "you are sexy in this doc!"
• "here is the $%%454$"
• "great job!"
• "do not give up!"
• "is that your car?"
• "it's so similar as yours!"
• "this is nothing for kids!"
• "it's a secret!"
• "see this!"
• "correct it!"
• "i need you!"
• ";-)"
• "what?"
• "trial?"
• "doc?"
• "< Automailer >"
• "< Failed message available >"
• "i don't want your xxx pics!"
• "xxx about you?"
• "a crazy doc about you"
• "here is yours!"
• "child or adult?"
• "man or women?"
• "great xxx!"
• "< scanned by norton antivirus >"
• "<Attached Msg >"
• "< < < Failure > > >"
• "i've found it about you"
• "my advice...."
• "personal message!"
• "only encrypted!"
• "< bad gateway >"
• "how?"
• "who?"
• "what still?"
• "copyright?"
• "you cannot hide yourself! (see photo)"
• "your account is expired!"
• "xxx service"
• "i saw you last week!"
• "File is bad."
• "File is damaged."
• "File is self-decryting."
• "your face?"
• "your eyes?"
• "your body?"
• "the truth?"
• "best?"
• "i have received this."
• "does it matter?"
• "drugs? ..."
• "forgotten?"
• "already?"
• "do you have the bug also?"
• "do you think so?"
• "is that your photo?"
• "is that your creditcard?"
• "is that your wife?"
• "did you see her already?"
• "attachi
• "here is the next one!"
• "i want more..."
• "<?}"
• "<09580985869gj>"
• "<Warning from the Government>"
• "schoolfriend?"
• "docs?"
• "pretty pic about you?"
• "i don't think so."
• "great!"
• "excellent!"
• "good work!"
• "poor quality!"
• "never!"
• "wrong calculation! (see the attachment!)"
• "did you know from this document?"
• "something is not ok"
• "something is going ..."
• "is that possible?"
• "your job? (I found that!)"
• "you are bad"
• "did you ask me for that?"
• "you have tried to steal!"
• "possible?"
• "meaning of that?"
• "you feel the same."
• "is that your website?"
• "is that your attachment?"
• "you earn money, see the attachment!"
• "your attachment? verify it."
• "misc. and so on. see you!"
• "yes."
• "your personal record?"
• "modifications?"
• "i am desperate"
• "your icq number?"
• "thats wrong!"
• "you are naked in this document!"
• "why?"
• "take it easy!"
• "your TAN number?"
• "important?"
• "your design is not good!"
• "msg"
• "reply"
• "is that the reality?"
• "i am speachless about your document!"
• "i lost that"
• "instruct me about this!"
• "do you have?"
• "that's not the truth?"
• "that's a funny text."
• "what do you think about it?"
• "i like your doc!"
• "here, the cheats"
• "is that criminal?"
• "here, the introduction"
• "are you a teacherin the picture?"
• "here, the serials"
• "love letter?"
• "from your lover ;-)"
• "from the chatter (my photo!)"
• "kill him on the picture!"
• "doc about me?"
• "the information is wrong!"
• "information about you?"
• "your photo is poor"
• "something is going wrong!"
• "your document is not good"
• "stuff about you?"
• "xxx ?"
• "greetings"
• "child porn?"
• "test it"
• "another pic, have fun! ... :->"
• "her."
• "pages?"
• "why should I?"
• "this file is bad!"
• "did you sent it to me?"
• "i know your document!"
• "do you know this????"
• "really?"
• "time to fear?"
• "i found this document about you."
• "does it match?"
• "your name is wrong!"
• "i hope thats not true!"
• "old photos about you?"
• "kill the writer of this document!"
• "classroom test of you?"
• "something about you!"
• "you won the rk!"
• "I have your password!"
• "< Mail failed >"
• "I don't know your document!"
• "you are a bad writer"
• "is that yours?"
• "abuse?"
• "I wait for an answer!"
• "pwd?"
• "is that your account?"
• "message?"
• "picture?"
• "is that your name?"
• "account?"
• "is that true?"
• "illegal st. of you?"
• "here is it."
• "yours?"
• "your hero in the picture?"
• "i found that about you!"
• "read it immediately!"
• "*lol*"
• "here is the document."
• "gonna?"
• "read the details."
• "such as yours?"
• "i wait for your comment about it."
• "that is interesting..."

Attachment: The file name of the attachment is built from one of the following base names:
• aboutyou
• associal
• attach2
• attachment
• auction
• bill
• birth
• card
• class_photos
• concert
• creditcard
• death
• description
• details
• dinner
• disco
• doc
• doc_ang
• final
• found
• freaky
• friend
• image
• incest
• information
• injection
• intimate stuff
• jokes
• letter
• location
• mail2
• mails
• masturbation
• material
• message
• misc
• moonlight
• more
• msg2
• music
• myaunt
• mydate
• naked1
• naked2
• news
• nomoney
• note
• nothing
• number_phone
• object
• old_photos
• part2
• party
• paypal
• pic
• portmoney
• poster
• posting
• privacy
• product
• ranking
• regards
• regid
• release
• response
• schock
• secrets
• sexual
• sexy
• shower
• story
• stuff
• swimmingpool
• talk
• tear
• textfile
• topseller
• transfer
• trash
• undefinied
• unfolds
• update
• violence
• visa
• warez
• webcam
• website
• wife
• word_doc
• worker
• your_stuff
• yours

followed by one of the following extensions:
• .pif
• .com
• .scr
• .exe
• .zip

The attachment is a copy of the malware (inside an archive in the .zip case). Blocking the four executable extensions at the gateway is not sufficient on its own, because the .zip variant carries the same executable.
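The indicators above (fixed subject and body strings, an attachment named from a small set of base names with one of five extensions, and a forged From: address) translate directly into a mail-gateway rule. The following Python is an added example, not code from the original Avira description. The indicator lists are abbreviated to a few entries each (the full lists are above), the test messages are constructed, and the comparison of the From: header with the SMTP envelope sender is an assumed gateway-side heuristic, not something the worm itself does.

```python
"""Gateway triage for NetSky.C-style mail (added example, not from the page).

Checks a raw RFC 5322 message against the published indicators:
  - Subject taken from the worm's fixed list
  - text body taken from the worm's fixed list
  - attachment named <stem>.<ext> with stem and ext from the worm's lists
  - From: header disagreeing with the envelope sender (assumed heuristic;
    the page only says the sender address is forged)
Lists are abbreviated here; the complete lists are in the description above.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

SUBJECTS = {"notification", "denied!", "Question", "believe me", "Re: hello",
            "Re: important", "Re: hi", "excuse me", "Delivery Failed",
            "< Server Error >", "< Message Error >", "I'm back!", "lol"}
BODIES = {"Instant patches.", "do not open the attachment!",
          "do not use this creditcard!",
          "Authentification required. Read the attachment!",
          "You are infected. Read the details!", "here is my photo!",
          "your account is expired!"}
ATTACHMENT_STEMS = {"aboutyou", "attachment", "bill", "creditcard", "details",
                    "doc", "image", "information", "message", "paypal", "pic",
                    "visa", "website", "yours"}
EXTENSIONS = {"pif", "com", "scr", "exe", "zip"}


def score_message(raw: bytes, envelope_from: str) -> dict:
    """Return the matched indicators and a verdict for one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []

    if str(msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")

    body_part = msg.get_body(preferencelist=("plain",))
    if body_part is not None and body_part.get_content().strip() in BODIES:
        hits.append("body")

    header_from = parseaddr(str(msg["From"] or ""))[1].lower()
    if header_from and header_from != envelope_from.strip().lower():
        hits.append("from-mismatch")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, _, ext = name.rpartition(".")
        if stem in ATTACHMENT_STEMS and ext in EXTENSIONS:
            hits.append(f"attachment:{name}")

    # The attachment *is* the worm, so a name match alone is enough to
    # quarantine; lure text without such an attachment only earns a review.
    has_attachment_hit = any(h.startswith("attachment:") for h in hits)
    if has_attachment_hit:
        verdict = "quarantine"
    elif len(hits) >= 2:
        verdict = "review"
    else:
        verdict = "deliver"
    return {"hits": hits, "verdict": verdict}


def build_sample(subject: str, body: str, filename: str, header_from: str) -> bytes:
    """Constructed test message; the attachment bytes are a placeholder,
    not the worm."""
    m = EmailMessage()
    m["From"] = header_from
    m["To"] = "victim@example.net"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"MZ placeholder, not a real binary",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


# Constructed samples: one shaped like the worm's mail, one ordinary.
WORM_LIKE = build_sample("Re: hello", "do not use this creditcard!",
                         "creditcard.pif", "alice@example.org")
BENIGN = build_sample("Q3 numbers", "Attached as discussed.",
                      "q3.xlsx", "bob@example.com")

if __name__ == "__main__":
    print(score_message(WORM_LIKE, "carol@example.com"))
    print(score_message(BENIGN, "bob@example.com"))
```

The stem/extension split is done on the last dot only, which is exactly how the worm names its mail attachments; the double-extension trick appears in the P2P file names further down, not here.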
Sending

Address search: It searches files with the following extensions for email addresses:
• .adb; .asp; .cgi; .dbx; .dhtm; .doc; .eml; .htm; .html; .msg; .oft; .php; .pl; .rtf; .sht; .shtm; .tbb; .txt; .uin; .vbs; .wab

Avoided addresses: No email is sent to addresses that contain any of the following strings (this keeps samples away from vendor and abuse mailboxes, so the partial spellings are deliberate):
• abuse; antivi; aspersky; avp; cafee; fbi; f-pro; f-secur; icrosoft; itdefender; orman; orton; spam; ymantec

Contacts DNS: If the lookup through the system's default DNS server fails, it continues with the following. It is able to contact these DNS servers directly, which means that blocking the local resolver alone does not stop it from finding recipients' mail exchangers:
• 212.44.160.8; 195.185.185.195; 151.189.13.35; 213.191.74.19; 193.189.244.205; 145.253.2.171; 193.141.40.42; 194.25.2.134; 194.25.2.133; 194.25.2.132; 194.25.2.131; 193.193.158.10; 212.7.128.165; 212.7.128.162; 193.193.144.12; 217.5.97.137; 195.20.224.234; 194.25.2.130; 194.25.2.129; 212.185.252.136; 212.185.253.70; 212.185.252.73; 62.155.255.16

P2P

To infect further systems over peer-to-peer networks it does the following:
– It searches for directories whose name contains the following string:
• shar
If the search succeeds, the following files are created there (most use a double extension such as .doc.exe or .jpg.pif so that the file looks like a document or image when known extensions are hidden):
• 1000 Sex and more.rtf.exe
• 3D Studio Max 3dsmax.exe
• ACDSee 9.exe
• Adobe Photoshop 9 full.exe
• Adobe Premiere 9.exe
• Ahead Nero 7.exe
• Best Matrix Screensaver.scr
• Clone DVD 5.exe
• Cracks & Warez Archive.exe
• Dark Angels.pif
• Dictionary English - France.doc.exe
• DivX 7.0 final.exe
• Doom 3 Beta.exe
• E-Book Archive.rtf.exe
• Full album.mp3.pif
• Gimp 1.5 Full with Key.exe
• How to hack.doc.exe
• IE58.1 full setup.exe
• Keygen 4 all appz.exe
• Learn Programming.doc.exe
• Lightwave SE Update.exe
• Magix Video Deluxe 4.exe
• Microsoft Office 2003 Crack.exe
• Microsoft WinXP Crack.exe
• MS Service Pack 5.exe
• Norton Antivirus 2004.exe
• Opera.exe
• Partitionsmagic 9.0.exe
• Porno Screensaver.scr
• RFC Basics Full Edition.doc.exe
• Screensaver.scr
• Serials.txt.exe
• Smashing the stack.rtf.exe
• Star Office 8.exe
• Teen Porn 16.jpg.pif
• The Sims 3 crack.exe
• Ulead Keygen.exe
• Virii Sourcecode.scr
• Visual Studio Net Crack.exe
• Win Longhorn Beta.exe
• WinAmp 12 full.exe
• Windows Sourcecode.doc.exe
• WinXP eBook.doc.exe
• XXX hardcore pic.jpg.exe

Miscellaneous

Mutex: The following mutex is created (a running instance can be detected by opening it):
• [SkyNet.cz]SystemsMutex

String: It also contains the following string:
• "<-<- we are the skynet - you can't hide yourself! - we kill malware writers (they have no chance!) - [LaMeRz-->]MyDoom.F is a thief of our idea! - -< SkyNet AV vs. Malware >- ->->"

File details

Programming language: The malware was written in MS Visual C++.

Runtime packer: To hamper detection and reduce the file size it was packed with the following runtime packer:
• Petite
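The host-side indicators on this page (the "ICQ Net" Run value, the dropped %WINDIR%\winlogon.exe, its size and MD5) are enough for a quick triage script. The following Python is an added example and not code from the original description: it parses the text that `reg query` prints for the Run key (the sample output is constructed and its column layout is an assumption), flags the worm's persistence entry, and compares a file against the published size and checksum. A real triage would feed it the actual `reg query` output and read the file from disk.

```python
"""Host triage for Worm/NetSky.C indicators (added example, not from the page).

Parses `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` output,
flags the worm's autorun value, and checks a file against the published
size and MD5. Sample data below is constructed; the `reg query` column
format (name, type, data separated by runs of spaces) is an assumption.
"""
import hashlib
import ntpath
import re

KNOWN_MD5 = "0e17dbec1904b7c10614bfb29ef758fd"   # from the page header
KNOWN_SIZE = 25353                               # bytes, from the page header
WORM_RUN_VALUE = "ICQ Net"                       # value name the worm adds

# Constructed sample of what `reg query` prints for the Run key on an
# infected host, plus one unrelated entry.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ICQ Net    REG_SZ    C:\WINDOWS\winlogon.exe -stealth
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMwareUser.exe"
"""

# value lines are indented; name, type and data are separated by 2+ spaces
_VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*?)\s*$")


def parse_reg_query(text: str) -> dict:
    """Map value name -> (type, data) from `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3))
    return values


def suspicious_run_values(values: dict) -> list:
    """Flag the worm's persistence entry and, more generally, any Run value
    that launches a winlogon.exe outside System32 (the real one lives there)."""
    findings = []
    for name, (_type, data) in values.items():
        d = data.strip('"').lower()
        if name == WORM_RUN_VALUE and "winlogon.exe -stealth" in d:
            findings.append(f"{name}: NetSky.C autorun value")
        elif "winlogon.exe" in d and "\\system32\\" not in d:
            findings.append(f"{name}: winlogon.exe launched from outside System32")
    return findings


def check_dropped_file(path: str, content: bytes) -> dict:
    """Compare a file's name, location, size and MD5 against the published copy.
    A size or hash mismatch does not clear the file: repacked variants differ."""
    parent = ntpath.dirname(path).rstrip("\\").lower()
    return {
        "name_matches": ntpath.basename(path).lower() == "winlogon.exe",
        "outside_system32": not parent.endswith("\\system32"),
        "size_matches": len(content) == KNOWN_SIZE,
        "md5_matches": hashlib.md5(content).hexdigest() == KNOWN_MD5,
    }


if __name__ == "__main__":
    vals = parse_reg_query(SAMPLE_REG_QUERY)
    for finding in suspicious_run_values(vals):
        print("REGISTRY:", finding)
    # Constructed placeholder bytes; a real run reads %WINDIR%\winlogon.exe.
    print("FILE:", check_dropped_file(r"C:\WINDOWS\winlogon.exe", b"MZ" + b"\0" * 100))
```

The second branch in `suspicious_run_values` is deliberately broader than the page's single indicator: a Run entry pointing at any winlogon.exe outside System32 is wrong regardless of the value name, so a renamed value in a later variant is still caught.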
The description was created by Irina Boldea on Monday, 29 August 2005. The description was modified by Irina Boldea on Wednesday, 31 August 2005.