Description complète

Nom:	Worm/Netsky.HB
La date de la découverte:	10/09/2007
Type:	Ver
En circulation:	Oui
Infections signalées	Moyen à élevé
Potentiel de distribution:	Moyen à élevé
Potentiel de destruction:	Faible
Fichier statique:	Non
Taille du fichier:	~31.000 Octets
Version VDF:	6.39.1.107
Version IVDF:	6.39.01.110 - lundi 10 septembre 2007

Général Méthodes de propagation:
   • Email
   • Peer to Peer

Les alias:
   • Mcafee: W32/Netsky.p@MM
   • Kaspersky: Email-Worm.Win32.NetSky.q
   • Grisoft: I-Worm/Netsky.Q
   • VirusBuster: I-Worm.Netsky.P!Dam
   • Eset: Win32/Netsky.Q
   • Bitdefender: Win32.Netsky.P@mm

Plateformes / Systèmes d'exploitation:
   • Windows 96
   • Windows 99
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Effets secondaires:
   • Il crée des fichiers malveillants
   • Il emploie son propre moteur de courrier électronique
   • Il modifie des registres

Fichiers Il s'autocopie dans l'emplacement suivant:
   • %WINDIR%\FVProtect.exe

Les fichiers suivants sont créés:

– Il crée le fichier compressé suivant contenant une copie du malware:
   • %WINDIR%\zipped.tmp

– Fichiers codés MIME contenant ses propres copies:
   • %WINDIR%\zip1.tmp
   • %WINDIR%\zip2.tmp
   • %WINDIR%\zip3.tmp
   • %WINDIR%\base64.tmp

– %WINDIR%\userconfig9x.dll Les investigations ultérieures ont prouvé que ce ficher est également un Malware. Détecté comme: WORM/Netsky.P.2

Registre La clé de registre suivante est ajoutée afin de lancer le processus après le redémarrage:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • Norton Antivirus AV="%WINDIR%\FVProtect.exe"

Les valeurs de la clé de registre suivante sont supprimées:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • Explorer
   • system
   • msgsvr32
   • winupd.exe
   • direct.exe
   • jijbl
   • Video
   • service
   • DELETE ME
   • Sentry
   • Taskmon
   • Windows Services Host

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • Explorer
   • au.exe
   • direct.exe
   • d3dupdate.exe
   • OLE
   • gouday.exe
   • rate.exe
   • Taskmon
   • Windows Services Host
   • sysmon.exe
   • srate.exe
   • ssate.exe
   • winupd.exe

– [HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]

Email Il contient un moteur SMTP intégré pour envoyer des emails. Une connexion directe avec le serveur destination sera établie. Les caractéristiques sont décrites ci-dessous:

De:
L'adresse de l'expéditeur est falsifiée.
Adresses générées. Ne pas supposer pas que c'était l'intention de l'expéditeur de vous envoyer cet email. Il est possible qu'il ne sache pas qu'il est infecté ou il est possible qu'il ne soit pas du tout infecté. En outre, il est possible que vous receviez des emails en retour vous signifiant que vous êtes infecté. Ceci pourrait également ne pas être le cas.

A:
– Les adresses email trouvés dans des fichiers spécifiques du système.
– Les adresses créées

Sujet:
Un des suivants:
   • Administrator; approved letter; approved message; Congratulations!; Do
      you?; Does it matter?; Error; excel document; Fwd: Warning again;
      Hello; hi; I cannot forget you!; I love you!; Illegal Website;
      important; Important m$6h?3p; improved; Information; Internet Provider
      Abuse; Is that your password?; letter; Mail Account; Mail
      Authentication; Mail Delivery (failure); my application; my file; my
      text; my website; News; Notice again; Postcard; Private document;
      product; Protected Mail System; Re: A!p$ghsa; Re: Administration; Re:
      application; Re: approved; Re: approved application; Re: approved
      details; Re: Approved document; Re: approved letter; Re: Bad Request;
      Re: corrected; Re: data; Re: Delivery Protection; Re: Delivery Server;
      Re: details; Re: Developement; Re: Encrypted Mail; Re: Error; Re:
      Error in document; Re: excel document; Re: Extended Mail; Re: Extended
      Mail System; Re: Failure; Re: Free porn; Re: Hello; Re: here; Re: hi;
      Re: important; Re: important excel document; Re: important file; Re:
      important product; Re: important website; Re: important word document;
      Re: improved; Re: information; Re: Is that your document?; Re: Its me;
      Re: List; Re: Mail Authentification; Re: Mail Server; Re: Message; Re:
      Message Error; Re: my details; Re: Notify; Re: Old photos; Re: Old
      times; Re: Order; Re: patched; Re: Proof of concept; Re: Protected
      Mail Delivery; Re: Protected Mail System; Re: Question; Re: Re: bill;
      Re: Re: corrected; Re: Re: details; Re: Re: important; Re: Re:
      information; Re: Re: read it immediately; Re: Re: thanks!; Re: read it
      immediately; Re: Request; Re: Sample; Re: Secure delivery; Re: Secure
      SMTP Message; Re: Sex pictures; Re: SMTP Server; Re: Status; Re:
      Submit a Virus Sample; Re: Test; Re: text; Re: Thank you for delivery;
      Re: thanks!; Re: Virus Sample; Re: website; Re: your bill; Re: Your
      document; Re: your excel document; Re: your letter; Shocking document;
      Spam; Spamed?; Stolen document; thanks!; word document; You cannot do
      that!; Your day; %chaîne de caractères aléatoire%

Dans certains cas, le sujet pourrait également être vide.

Corps:
Le corps de l'email est un des suivants:

   • Please see the attached file for details
     Please read the attached file!
     Your document is attached.
     Please read the document.
     Your file is attached.
     Your document is attached.
     Please confirm the document.
     Please read the important document.
     See the file.
     Requested file.
     Authentication required.
     Your document is attached to this mail.
     I have attached your document.
     I have received your document. The corrected document is attached.
     Your document.
     Your details.
     Please confirm!
     Please answer quickly!
     Thank you for your request, your details are attached!
     Thanks!
     am shocked about your document!
     Let'us be short: you have no experience in writing letters!!!
     Try this, or nothing!
     Here is it!
     Do not visit this illegal websites!
     You have downloaded these illegal cracks?
     Here is my icq list.
     Here is my phone number.
     I have visited this website and I found you in the spammer list. Is that true?
     Are you a spammer? (I found your email on a spammer website!?!)
     po44u90ugjid-k9z5894z0
     9u049u89gh89fsdpokofkdpbm3-4i
     Please r564g!he4a56a3haafdogu mfn3o SMTP Error 201
     Server Error 203
     See the ghg5%&6gfz65!4Hf55d!46gfgf
     Your photo, uahhh.... , you are naked!
     You have written a very good text, excellent, good work!
     Your archive is attached.
     Monthly news report.
     lovely, :-)
     your big love, ;-)
     I hope you accept the result!
     The sample is attached!
     Your important document, correction is finished!
     Important message, do not show this anyone!
     Here is the website. ;-)
     My favourite page.
     I have corrected your document.
     I have attached the sample.
     Your bill is attached to this mail.
     You were registered to the pay system.
     For more details see the attachment.
     Binary message is available.
     Message has been sent as a binary attachment.
     Can you confirm it?
     I have attached it to this mail.
     Please read the attached file.
     Your document is attached.
     Encrypted message is available.
     Protected message is attached.
     Please confirm my request.
     ESMTP [Secure Mail System 334]: Secure message is attached.
     Partial message is available.
     Waiting for a Response. Please read the attachment.
     First part of the secure mail is available.
     For more details see the attachment.
     For further details see the attachment.
     Your requested mail has been attached.
     Protected Mail System Test.
     Secure Mail System Beta Test.
     Forwarded message is available.
     Delivered message is attached.
     Encrypted message is available.
     Please read the attachment to get the message.
     Follow the instructions to read the message.
     Please authenticate the secure message.
     Protected message is attached.
     Waiting for authentification.
     Protected message is available.
     Bad Gateway: The message has been attached.
     SMTP: Please confirm the attached message.
     You got a new message.
     Now a new message is available.
     New message is available.
     You have received an extended message. Please read the instructions.
     I noticed that you have visited illegal websites.
     I found this document about you. I cannot believe that.
     See the name in the list!
     You have visited illegal websites.I have a big list of the websites you surfed.
     Your mail account is expired. See the details to reactivate it.
     Your mail account has been closed. For further details see the document.
     The file is protected with the password ghj001.
     I have attached your file. Your password is jkl44563.
     The sample file you sent contains a new virus version of mydoom.j.
     Please clean your system with the attached signature.
     Sincerly,
     Robert Ferrew
     Greetings from france,
     your friend.
     Have a look at these.
     Best wishes,
     your friend.
     Congratulations!,
     your best friend.
     Try this game ;-)
     I hope the patch works.

Parfois continué par un des suivantes:

   • +++ Attachment: No Virus found
     +++ MessageLabs AntiVirus - www.messagelabs.com

      +++ Attachment: No Virus found
      +++ Bitdefender AntiVirus - www.bitdefender.com

      +++ Attachment: No Virus found
      +++ MC-Afee AntiVirus - www.mcafee.com

      +++ Attachment: No Virus found
      +++ Kaspersky AntiVirus - www.kaspersky.com

      +++ Attachment: No Virus found
      +++ Panda AntiVirus - www.pandasoftware.com

      ++++ Attachment: No Virus found
      ++++ Norman AntiVirus - www.norman.com

      ++++ Attachment: No Virus found
      ++++ F-Secure AntiVirus - www.f-secure.com

      ++++ Attachment: No Virus found
      ++++ Norton AntiVirus - www.symantec

Pièce jointe:
Le nom de fichier de l'attachement est un des suivants:
   • document_all
   • text
   • message
   • data
   • excel document
   • word document
   • bill
   • screensaver
   • application
   • website
   • product
   • letter
   • information
   • details
   • file
   • document
   • important
   • approved

   • .doc
   • .txt

    L'extension du fichier est une des suivantes:
   • exe
   • pif
   • scr
   • zip

L'attachement est une copie du malware lui-même.

L'email ressemble à celui-ci:

Envoie de messages Recherche des adresses:
Il cherche les fichiers suivants pour des adresses email:
   • .php; .asp; .wab; .doc; .vbs; .txt; .rtf; .uin; .shtm; .cgi; .eml;
      .dhtm; .pl; .adb; .tbb; .dbx; .sht; .oft; .msg; .htm; .html; .jsp;
      .wsh; .xml

Éviter les adresses:
Il n'envoie pas des emails aux adresses contenant une des chaînes de caractères suivantes:
   • @antivi; @avp; @bitdefender; @fbi; @f-pro; @freeav; @f-secur;
      @kaspersky; @mcafee; @messagel; @microsof; @norman; @norton;
      @pandasof; @skynet; @sophos; @spam; @symantec; @viruslis; abuse@;
      noreply@; ntivir; reports@; spam@

P2P Afin d'infecter d'autres systèmes d'exploitation dans la communauté en réseau peer-to-peer, l'action suivante est entreprise:   Il cherche les partages réseau standards suivants:
   • bear
   • donkey
   • download
   • ftp
   • htdocs
   • http
   • icq
   • kazaa
   • lime
   • morpheus
   • mule
   • my shared folder
   • shar
   • shared files
   • upload

   En cas de succès, les fichiers suivants sont créés:
   • Kazaa Lite 4.0 new.exe; Britney Spears Sexy archive.doc.exe; Kazaa
      new.exe; Britney Spears porn.jpg.exe; Harry Potter all e.book.doc.exe;
      Britney sex xxx.jpg.exe; Harry Potter 1-6 book.txt.exe; Britney Spears
      blowjob.jpg.exe; Harry Potter e book.doc.exe; Britney Spears
      cumshot.jpg.exe; Harry Potter.doc.exe; Britney Spears fuck.jpg.exe;
      Harry Potter game.exe; Britney Spears.jpg.exe; Harry Potter 5.mpg.exe;
      Britney Spears and Eminem porn.jpg.exe; Matrix.mpg.exe; Britney Spears
      Song text archive.doc.exe; Britney Spears full album.mp3.exe;
      Eminem.mp3.exe; Britney Spears.mp3.exe; Eminem Song text
      archive.doc.exe; Eminem Sexy archive.doc.exe; Eminem full
      album.mp3.exe; Eminem Spears porn.jpg.exe; Ringtones.mp3.exe; Eminem
      sex xxx.jpg.exe; Ringtones.doc.exe; Eminem blowjob.jpg.exe; Altkins
      Diet.doc.exe; Eminem Poster.jpg.exe; American Idol.doc.exe;
      Cloning.doc.exe; Saddam Hussein.jpg.exe; Arnold
      Schwarzenegger.jpg.exe; Windows 2003 crack.exe; Windows XP crack.exe;
      Adobe Photoshop 10 crack.exe; Microsoft WinXP Crack full.exe; Teen
      Porn 15.jpg.pif; Adobe Premiere 10.exe; Adobe Photoshop 10 full.exe;
      Best Matrix Screensaver new.scr; Porno Screensaver britney.scr; Dark
      Angels new.pif; XXX hardcore pics.jpg.exe; Microsoft Office 2003 Crack
      best.exe; Serials edition.txt.exe; Screensaver2.scr; Full album
      all.mp3.pif; Ahead Nero 8.exe; netsky source code.scr; E-Book
      Archive2.rtf.exe; Doom 3 release 2.exe; How to hack new.doc.exe; Learn
      Programming 2004.doc.exe; WinXP eBook newest.doc.exe; Win Longhorn
      re.exe; Dictionary English 2004 - France.doc.exe; RFC
      compilation.doc.exe; 1001 Sex and more.rtf.exe; 3D Studio Max 6
      3dsmax.exe; Keygen 4 all new.exe; Windows 2000 Sourcecode.doc.exe;
      Norton Antivirus 2005 beta.exe; Gimp 1.8 Full with Key.exe;
      Partitionsmagic 10 beta.exe; Star Office 9.exe; Magix Video Deluxe 5
      beta.exe; Clone DVD 6.exe; MS Service Pack 6.exe; ACDSee 10.exe;
      Visual Studio Net Crack all.exe; Cracks & Warez Archiv.exe; WinAmp 13
      full.exe; DivX 8.0 final.exe; Opera 11.exe; Internet Explorer 9
      setup.exe; Smashing the stack full.rtf.exe; Ulead Keygen 2004.exe;
      Lightwave 9 Update.exe; The Sims 4 beta.exe

Informations divers Mutex:
Il crée le Mutex suivant:
   • -oO]xX|-S-k-y-N-e-t-|Xx[Oo-_

Il crée un des Mutex suivants:
   • U'l't'i'm'a't'i'v'e 'E'n'c'r'y'p't'e'd 'W'o'r'm'D'r'o'p'p'e'r' 'b'y 'S'k'y'N'e't'.'C'Z' 'C'o'r'p*'
   • 'D'r'o'p'p'e'd'S'k'y'N'e't'
   • 'S'k'y'N'e't'F'i'g'h't's'B'a'c'k

Détails de fichier Langage de programmation:
Le fichier a été écrit en MS Visual C++.

Logiciel de compression des fichiers exécutables:
Pour entraver la détection et pour réduire la taille du fichier il est compressé avec le logiciel de compression des exécutables suivant:
• FSG

Description insérée par Ana Maria Niculescu le jeudi 25 octobre 2007
Description mise à jour par Ana Maria Niculescu le jeudi 25 octobre 2007

Retour . . . .