Name:Worm/Netsky.HB
Entdeckt am:10/09/2007
Art:Worm
In freier Wildbahn:Ja
Gemeldete Infektionen:Mittel bis hoch
Verbreitungspotenzial:Mittel bis hoch
Schadenspotenzial:Niedrig
Statische Datei:Nein
Dateigröße:~31.000 Bytes
VDF Version:6.39.1.107
IVDF Version:6.39.01.110 - Montag, 10. September 2007

 General Verbreitungsmethoden:
   • Email
   • Peer to Peer


Aliases:
   •  Mcafee: W32/Netsky.p@MM
   •  Kaspersky: Email-Worm.Win32.NetSky.q
   •  Grisoft: I-Worm/Netsky.Q
   •  VirusBuster: I-Worm.Netsky.P!Dam
   •  Eset: Win32/Netsky.Q
   •  Bitdefender: Win32.Netsky.P@mm


Betriebsysteme:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Auswirkungen:
   • Erstellt schädliche Dateien
   • Verfügt über eigene Email Engine
   • Änderung an der Registry

 Dateien Eine Kopie seiner selbst wird hier erzeugt:
   • %WINDIR%\FVProtect.exe



Es werden folgende Dateien erstellt:

– Es wird folgende Archivdatei mit der Kopie der Malware erstellt:
   • %WINDIR%\zipped.tmp

– MIME enkodierte Kopie seiner selbst:
   • %WINDIR%\zip1.tmp
   • %WINDIR%\zip2.tmp
   • %WINDIR%\zip3.tmp
   • %WINDIR%\base64.tmp

%WINDIR%\userconfig9x.dll Weitere Untersuchungen haben ergeben, dass diese Datei auch Malware ist. Erkannt als: WORM/Netsky.P.2

 Registry Der folgende Registryschlüssel wird hinzugefügt um den Prozess nach einem Neustart des Systems erneut zu starten.

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • Norton Antivirus AV="%WINDIR%\FVProtect.exe"



Die Werte des folgenden Registry keys werden gelöscht:

–  [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • Explorer
   • system
   • msgsvr32
   • winupd.exe
   • direct.exe
   • jijbl
   • Video
   • service
   • DELETE ME
   • Sentry
   • Taskmon
   • Windows Services Host

–  [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • Explorer
   • au.exe
   • direct.exe
   • d3dupdate.exe
   • OLE
   • gouday.exe
   • rate.exe
   • Taskmon
   • Windows Services Host
   • sysmon.exe
   • srate.exe
   • ssate.exe
   • winupd.exe

–  [HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]

 Email Die Malware verfügt über eine eigene SMTP engine um Emails zu versenden. Hierbei wird die Verbindung mit dem Zielserver direkt aufgebaut. Die Einzelheiten sind im Folgenden aufgeführt:


Von:
Die Absenderadresse wurde gefälscht.
Generierte Adressen. Bitte vermuten Sie nicht, dass es des Absenders Absicht war diese Email zu schicken. Es ist möglich, dass er nichts über seine Infektion weiß oder sogar nicht infiziert ist. Des Weiteren ist es möglich, dass Sie Emails bekommen in denen die Rede davon ist, dass Sie infiziert sind was möglicherweise auch nicht stimmt.


An:
– Email Adressen welche in ausgewählten Dateien auf dem System gefunden wurden.
– Generierte Adressen


Betreff:
Eine der folgenden:
   • Administrator; approved letter; approved message; Congratulations!; Do
      you?; Does it matter?; Error; excel document; Fwd: Warning again;
      Hello; hi; I cannot forget you!; I love you!; Illegal Website;
      important; Important m$6h?3p; improved; Information; Internet Provider
      Abuse; Is that your password?; letter; Mail Account; Mail
      Authentication; Mail Delivery (failure); my application; my file; my
      text; my website; News; Notice again; Postcard; Private document;
      product; Protected Mail System; Re: A!p$ghsa; Re: Administration; Re:
      application; Re: approved; Re: approved application; Re: approved
      details; Re: Approved document; Re: approved letter; Re: Bad Request;
      Re: corrected; Re: data; Re: Delivery Protection; Re: Delivery Server;
      Re: details; Re: Developement; Re: Encrypted Mail; Re: Error; Re:
      Error in document; Re: excel document; Re: Extended Mail; Re: Extended
      Mail System; Re: Failure; Re: Free porn; Re: Hello; Re: here; Re: hi;
      Re: important; Re: important excel document; Re: important file; Re:
      important product; Re: important website; Re: important word document;
      Re: improved; Re: information; Re: Is that your document?; Re: Its me;
      Re: List; Re: Mail Authentification; Re: Mail Server; Re: Message; Re:
      Message Error; Re: my details; Re: Notify; Re: Old photos; Re: Old
      times; Re: Order; Re: patched; Re: Proof of concept; Re: Protected
      Mail Delivery; Re: Protected Mail System; Re: Question; Re: Re: bill;
      Re: Re: corrected; Re: Re: details; Re: Re: important; Re: Re:
      information; Re: Re: read it immediately; Re: Re: thanks!; Re: read it
      immediately; Re: Request; Re: Sample; Re: Secure delivery; Re: Secure
      SMTP Message; Re: Sex pictures; Re: SMTP Server; Re: Status; Re:
      Submit a Virus Sample; Re: Test; Re: text; Re: Thank you for delivery;
      Re: thanks!; Re: Virus Sample; Re: website; Re: your bill; Re: Your
      document; Re: your excel document; Re: your letter; Shocking document;
      Spam; Spamed?; Stolen document; thanks!; word document; You cannot do
      that!; Your day; %zufällige Buchstabenkombination%

Manchmal kann die Betreffzeile auch leer sein.


Body:
Der Body der Email ist einer der folgenden:

   • Please see the attached file for details
     Please read the attached file!
     Your document is attached.
     Please read the document.
     Your file is attached.
     Your document is attached.
     Please confirm the document.
     Please read the important document.
     See the file.
     Requested file.
     Authentication required.
     Your document is attached to this mail.
     I have attached your document.
     I have received your document. The corrected document is attached.
     Your document.
     Your details.
     Please confirm!
     Please answer quickly!
     Thank you for your request, your details are attached!
     Thanks!
     am shocked about your document!
     Let'us be short: you have no experience in writing letters!!!
     Try this, or nothing!
     Here is it!
     Do not visit this illegal websites!
     You have downloaded these illegal cracks?
     Here is my icq list.
     Here is my phone number.
     I have visited this website and I found you in the spammer list. Is that true?
     Are you a spammer? (I found your email on a spammer website!?!)
     po44u90ugjid-k9z5894z0
     9u049u89gh89fsdpokofkdpbm3-4i
     Please r564g!he4a56a3haafdogu mfn3o SMTP Error 201
     Server Error 203
     See the ghg5%&6gfz65!4Hf55d!46gfgf
     Your photo, uahhh.... , you are naked!
     You have written a very good text, excellent, good work!
     Your archive is attached.
     Monthly news report.
     lovely, :-)
     your big love, ;-)
     I hope you accept the result!
     The sample is attached!
     Your important document, correction is finished!
     Important message, do not show this anyone!
     Here is the website. ;-)
     My favourite page.
     I have corrected your document.
     I have attached the sample.
     Your bill is attached to this mail.
     You were registered to the pay system.
     For more details see the attachment.
     Binary message is available.
     Message has been sent as a binary attachment.
     Can you confirm it?
     I have attached it to this mail.
     Please read the attached file.
     Your document is attached.
     Encrypted message is available.
     Protected message is attached.
     Please confirm my request.
     ESMTP [Secure Mail System 334]: Secure message is attached.
     Partial message is available.
     Waiting for a Response. Please read the attachment.
     First part of the secure mail is available.
     For more details see the attachment.
     For further details see the attachment.
     Your requested mail has been attached.
     Protected Mail System Test.
     Secure Mail System Beta Test.
     Forwarded message is available.
     Delivered message is attached.
     Encrypted message is available.
     Please read the attachment to get the message.
     Follow the instructions to read the message.
     Please authenticate the secure message.
     Protected message is attached.
     Waiting for authentification.
     Protected message is available.
     Bad Gateway: The message has been attached.
     SMTP: Please confirm the attached message.
     You got a new message.
     Now a new message is available.
     New message is available.
     You have received an extended message. Please read the instructions.
     I noticed that you have visited illegal websites.
     I found this document about you. I cannot believe that.
     See the name in the list!
     You have visited illegal websites.I have a big list of the websites you surfed.
     Your mail account is expired. See the details to reactivate it.
     Your mail account has been closed. For further details see the document.
     The file is protected with the password ghj001.
     I have attached your file. Your password is jkl44563.
     The sample file you sent contains a new virus version of mydoom.j.
     Please clean your system with the attached signature.
     Sincerly,
     Robert Ferrew
     Greetings from france,
     your friend.
     Have a look at these.
     Best wishes,
     your friend.
     Congratulations!,
     your best friend.
     Try this game ;-)
     I hope the patch works.


Manchmal gefolgt von einer der folgenden:

   • +++ Attachment: No Virus found
     +++ MessageLabs AntiVirus - www.messagelabs.com
     
      +++ Attachment: No Virus found
      +++ Bitdefender AntiVirus - www.bitdefender.com
     
      +++ Attachment: No Virus found
      +++ MC-Afee AntiVirus - www.mcafee.com
     
      +++ Attachment: No Virus found
      +++ Kaspersky AntiVirus - www.kaspersky.com
     
      +++ Attachment: No Virus found
      +++ Panda AntiVirus - www.pandasoftware.com
     
      ++++ Attachment: No Virus found
      ++++ Norman AntiVirus - www.norman.com
     
      ++++ Attachment: No Virus found
      ++++ F-Secure AntiVirus - www.f-secure.com
     
      ++++ Attachment: No Virus found
      ++++ Norton AntiVirus - www.symantec


Dateianhang:
Der Dateiname des Anhangs ist einer der folgenden:
   • document_all
   • text
   • message
   • data
   • excel document
   • word document
   • bill
   • screensaver
   • application
   • website
   • product
   • letter
   • information
   • details
   • file
   • document
   • important
   • approved

   • .doc
   • .txt

    Die Dateierweiterung ist eine der folgenden:
   • exe
   • pif
   • scr
   • zip

Der Dateianhang ist eine Kopie der Malware.



Die Email sieht wie folgt aus:


 Versand Suche nach Adressen:
Es durchsucht folgende Dateien nach Emailadressen:
   • .php; .asp; .wab; .doc; .vbs; .txt; .rtf; .uin; .shtm; .cgi; .eml;
      .dhtm; .pl; .adb; .tbb; .dbx; .sht; .oft; .msg; .htm; .html; .jsp;
      .wsh; .xml


Vermeidet Adressen:
Es werden keine Emails an Adressen verschickt, die eine der folgenden Zeichenketten enthalten:
   • @antivi; @avp; @bitdefender; @fbi; @f-pro; @freeav; @f-secur;
      @kaspersky; @mcafee; @messagel; @microsof; @norman; @norton;
      @pandasof; @skynet; @sophos; @spam; @symantec; @viruslis; abuse@;
      noreply@; ntivir; reports@; spam@

 P2P Um weitere Systeme im Peer to Peer Netzwerk zu infizieren wird folgendes unternommen:   Es wird nach folgenden freigegebenen Standardverzeichnissen gesucht:
   • bear
   • donkey
   • download
   • ftp
   • htdocs
   • http
   • icq
   • kazaa
   • lime
   • morpheus
   • mule
   • my shared folder
   • shar
   • shared files
   • upload

   War die Suche erfolgreich so werden folgende Dateien erstellt:
   • Kazaa Lite 4.0 new.exe; Britney Spears Sexy archive.doc.exe; Kazaa
      new.exe; Britney Spears porn.jpg.exe; Harry Potter all e.book.doc.exe;
      Britney sex xxx.jpg.exe; Harry Potter 1-6 book.txt.exe; Britney Spears
      blowjob.jpg.exe; Harry Potter e book.doc.exe; Britney Spears
      cumshot.jpg.exe; Harry Potter.doc.exe; Britney Spears fuck.jpg.exe;
      Harry Potter game.exe; Britney Spears.jpg.exe; Harry Potter 5.mpg.exe;
      Britney Spears and Eminem porn.jpg.exe; Matrix.mpg.exe; Britney Spears
      Song text archive.doc.exe; Britney Spears full album.mp3.exe;
      Eminem.mp3.exe; Britney Spears.mp3.exe; Eminem Song text
      archive.doc.exe; Eminem Sexy archive.doc.exe; Eminem full
      album.mp3.exe; Eminem Spears porn.jpg.exe; Ringtones.mp3.exe; Eminem
      sex xxx.jpg.exe; Ringtones.doc.exe; Eminem blowjob.jpg.exe; Altkins
      Diet.doc.exe; Eminem Poster.jpg.exe; American Idol.doc.exe;
      Cloning.doc.exe; Saddam Hussein.jpg.exe; Arnold
      Schwarzenegger.jpg.exe; Windows 2003 crack.exe; Windows XP crack.exe;
      Adobe Photoshop 10 crack.exe; Microsoft WinXP Crack full.exe; Teen
      Porn 15.jpg.pif; Adobe Premiere 10.exe; Adobe Photoshop 10 full.exe;
      Best Matrix Screensaver new.scr; Porno Screensaver britney.scr; Dark
      Angels new.pif; XXX hardcore pics.jpg.exe; Microsoft Office 2003 Crack
      best.exe; Serials edition.txt.exe; Screensaver2.scr; Full album
      all.mp3.pif; Ahead Nero 8.exe; netsky source code.scr; E-Book
      Archive2.rtf.exe; Doom 3 release 2.exe; How to hack new.doc.exe; Learn
      Programming 2004.doc.exe; WinXP eBook newest.doc.exe; Win Longhorn
      re.exe; Dictionary English 2004 - France.doc.exe; RFC
      compilation.doc.exe; 1001 Sex and more.rtf.exe; 3D Studio Max 6
      3dsmax.exe; Keygen 4 all new.exe; Windows 2000 Sourcecode.doc.exe;
      Norton Antivirus 2005 beta.exe; Gimp 1.8 Full with Key.exe;
      Partitionsmagic 10 beta.exe; Star Office 9.exe; Magix Video Deluxe 5
      beta.exe; Clone DVD 6.exe; MS Service Pack 6.exe; ACDSee 10.exe;
      Visual Studio Net Crack all.exe; Cracks & Warez Archiv.exe; WinAmp 13
      full.exe; DivX 8.0 final.exe; Opera 11.exe; Internet Explorer 9
      setup.exe; Smashing the stack full.rtf.exe; Ulead Keygen 2004.exe;
      Lightwave 9 Update.exe; The Sims 4 beta.exe


 Diverses Mutex:
Es wird folgender Mutex erzeugt:
   • -oO]xX|-S-k-y-N-e-t-|Xx[Oo-_


Es werden einer der folgenden Mutexe erzeugt:
   • U'l't'i'm'a't'i'v'e 'E'n'c'r'y'p't'e'd 'W'o'r'm'D'r'o'p'p'e'r' 'b'y 'S'k'y'N'e't'.'C'Z' 'C'o'r'p*'
   • 'D'r'o'p'p'e'd'S'k'y'N'e't'
   • 'S'k'y'N'e't'F'i'g'h't's'B'a'c'k

 Datei Einzelheiten Programmiersprache:
 Das Malware-Programm wurde in MS Visual C++ geschrieben.


Laufzeitpacker:
Um eine Erkennung zu erschweren und die Größe der Datei zu reduzieren wurde sie mit folgendem Laufzeitpacker gepackt:
   • FSG

Die Beschreibung wurde erstellt von Ana Maria Niculescu am Donnerstag, 25. Oktober 2007
Die Beschreibung wurde geändert von Ana Maria Niculescu am Donnerstag, 25. Oktober 2007

zurück . . . .