*** warning - new virus alert ***

  1. dub
    31,098 Posts.
    Hi,

    I've just received the following advice by email -

    .........................................................


    Dear Customer,

    Capital Security Solutions and Norman have issued a warning regarding a new rapidly spreading Internet mass-mailing worm named NetSky.B. The W32/EmailWorm was first detected by Norman's SandBox technology. This is a mass-mailing worm spreading through SMTP. Reports of the worm are so far from customers located in Norway and Benelux.
    Please refer to www.capitalsolutions.com.au and click on the NetSky.B for more information.

    The worm is at present set to Medium risk.

    .........................................................

    W32/[email protected] Explanation of the different characteristics used below.

    General characteristics
    Type: Worm
    Spreading mechanism: Email, network, other
    Email characteristics:
    Subject: Variable
    Body:
    Variable
    Attachment: Variable
    Destructivity: None
    Detected by virus detection files published: 18 FEB 2004
    Virus characteristics first published: 18 Feb 2004 00:00 (CET)
    Virus characteristics latest update: 18 Feb 2004 20:58 (CET)
    Additional description of malicious program
    Type
    This is an email worm; file size 22016. The file is compressed using UPX.

    Spreading mechanism
    When the worm is first run, it will install a mutex "AdmSkynetJklS003" to avoid being loaded twice. It will also show a messagebox saying "The file could not be opened!"

    It copies itself to the Windows directory using the name SERVICES.EXE, and adds a run key in registry so that it is started from bootup.

    Registry keys created:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run service = [WINDIR]\services.exe -serv

    Registry keys deleted:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run Taskmon
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run Taskmon
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run Explorer
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run Explorer
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run KasperskyAv
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run System.
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices System.
    HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32

    The worm sets up a thread that scans all drives C: to Z: (except CD-ROM drives) for folders that contain the string "share" or "sharing". If such a folder is found the worm copies itself there using many different file names (WL6). Such a folder will often be a P2P share folder, and thus the worm is distributed by common P2P software like Kazaa and IMesh as well.

    This thread also examines files of types .txt, .php, .pl, .htm, .html, .vbs, .rtf, .uin, .asp, .wab, .doc, .adb, .tbb, .dbx, .sht, .oft and .msg for email addresses to use when sending mail.

    Mails and attachment names are composed from word lists.

    The composition algorithm is as follows:
    6/11 chance : The attachment is a ZIP file, name [WL1].ZIP. The file in the ZIP is named like this:
    23/33 chance : [WL1][WL2][WL3]
    10/33 chance : [WL1][WL3]

    5/11 chance : The attachment is an executable file, unzipped. This is named like this:
    7/13 chance : [WL1][WL2][WL3]
    6/13 chance : [WL1][WL3]

    Examples of possible attachment names:
    message.zip (containing message.htm.scr)
    swimmingpool.pif
    concert.rtf.exe


    WL1: First element of attachment file name (40)
    document
    msg
    doc
    talk
    message
    creditcard
    details
    attachment
    me
    stuff
    posting
    textfile
    concert
    information
    note
    bill
    swimmingpool
    product
    topseller
    ps
    shower
    aboutyou
    nomoney
    found
    story
    mails
    website
    friend
    jokes
    location
    final
    release
    dinner
    ranking
    object
    mail2
    part2
    disco
    party
    misc

    WL2: Second element of file name (optional)(4)
    .txt
    .rtf
    .doc
    .htm

    WL3: Third element of file name (4)
    .exe
    .scr
    .com
    .pif

    WL4: Email subjects (9)
    hi
    hello
    read it immediately
    something for you
    warning
    information
    stolen
    fake
    unknown

    WL5: Possible email body texts (47)
    anything ok?
    what does it mean?
    ok
    i'm waiting
    read the details.
    here is the document.
    read it immediately!
    my hero
    here
    is that true?
    is that your name?
    is that your account?
    i wait for a reply!
    is that from you?
    you are a bad writer
    I have your password!
    something about you!
    kill the writer of this document!
    i hope it is not true!
    your name is wrong
    i found this document about you
    yes, really?
    that is bad
    here it is
    see you
    greetings
    stuff about you?
    something is going wrong!
    information about you
    about me
    from the chatter
    here, the serials
    here, the introduction
    here, the cheats
    that's funny
    do you?
    reply
    take it easy
    why?
    thats wrong
    misc
    you earn money
    you feel the same
    you try to steal
    you are bad
    something is going wrong
    something is fool

    WL6: File names used when copying to P2P share folders
    winxp_crack.exe
    dolly_buster.jpg.pif
    strippoker.exe
    photoshop 9 crack.exe
    matrix.scr
    porno.scr
    angels.pif
    hardcore porn.jpg.exe
    office_crack.exe
    serial.txt.exe
    cool screensaver.scr
    eminem - lick my pussy.mp3.pif
    nero.7.exe
    virii.scr
    e-book.archive.doc.exe
    max payne 2.crack.exe
    how to hack.doc.exe
    programming basics.doc.exe
    e.book.doc.exe
    win longhorn.doc.exe
    dictionary.doc.exe
    rfc compilation.doc.exe
    sex sex sex sex.doc.exe
    doom2.doc.pif


    Further comments
    The worm contains the string
    "#n#o#t#n#e#t#s#k#y#-#s#k#y#n#e#t#!"


    Write-up by Snorre Fagerland

    ...................................................................

    bye.dub
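The attachment-name composition algorithm in the quoted write-up ([WL1][WL2][WL3] or [WL1][WL3], or a [WL1].ZIP wrapping one of those) is exactly the kind of pattern a mail gateway can match on. The following is an added example, not code from the advisory, from Norman, or from dub's post: it copies the WL1 to WL4 word lists from the write-up and implements a filter that classifies an attachment name, optionally looks at ZIP member names the caller has already listed, and reports which indicators a message triggers. The function names, the `zip_members` parameter and the sample messages at the bottom are all constructed for this illustration.

```python
"""Added example: match mail attachments against the NetSky.B naming pattern
described in the write-up. Word lists WL1-WL4 are copied from the advisory;
everything else (function names, sample inputs) is constructed here."""
from fractions import Fraction
from typing import List, Optional

WL1 = ["document", "msg", "doc", "talk", "message", "creditcard", "details",
       "attachment", "me", "stuff", "posting", "textfile", "concert",
       "information", "note", "bill", "swimmingpool", "product", "topseller",
       "ps", "shower", "aboutyou", "nomoney", "found", "story", "mails",
       "website", "friend", "jokes", "location", "final", "release", "dinner",
       "ranking", "object", "mail2", "part2", "disco", "party", "misc"]
WL2 = [".txt", ".rtf", ".doc", ".htm"]   # optional decoy (document) extension
WL3 = [".exe", ".scr", ".com", ".pif"]   # the real, executable extension
WL4 = ["hi", "hello", "read it immediately", "something for you", "warning",
       "information", "stolen", "fake", "unknown"]   # email subjects


def executable_name_shape(name: str) -> Optional[str]:
    """Return 'triple' for [WL1][WL2][WL3], 'double' for [WL1][WL3], else None.

    Every WL1 entry is tried, not just the first prefix that matches, because
    some entries are prefixes of others ("me"/"message", "doc"/"document").
    """
    lower = name.strip().lower()
    for first in WL1:
        if not lower.startswith(first):
            continue
        rest = lower[len(first):]
        if rest in WL3:
            return "double"
        for mid in WL2:
            if rest.startswith(mid) and rest[len(mid):] in WL3:
                return "triple"
    return None


def classify_attachment(name: str, zip_members: Optional[List[str]] = None) -> Optional[str]:
    """Classify one attachment name.

    zip_members: member names of the archive, listed by the caller when the
    attachment is a ZIP (constructed input here); None when not inspected.
    """
    lower = name.strip().lower()
    if lower.endswith(".zip"):
        if lower[:-4] not in WL1:          # ZIP name must itself be a WL1 word
            return None
        for member in zip_members or []:
            shape = executable_name_shape(member)
            if shape:
                return "zip-" + shape
        return "zip-unknown-member"        # name fits; contents not examined
    shape = executable_name_shape(lower)
    return "exe-" + shape if shape else None


def score_mail(subject: str, attachment: str, zip_members: Optional[List[str]] = None) -> List[str]:
    """List the NetSky.B indicators one message triggers (empty list = none).

    A subject hit on its own is weak evidence ("hi", "hello" are ordinary),
    so callers should act on the attachment indicator, not the subject alone.
    """
    hits = []
    verdict = classify_attachment(attachment, zip_members)
    if verdict:
        hits.append("attachment:" + verdict)
    if subject.strip().lower() in WL4:
        hits.append("subject:wordlist")
    return hits


def shape_probabilities() -> dict:
    """Probability of each final attachment shape, from the write-up's odds."""
    zipped, plain = Fraction(6, 11), Fraction(5, 11)
    return {
        "zip-triple": zipped * Fraction(23, 33),
        "zip-double": zipped * Fraction(10, 33),
        "exe-triple": plain * Fraction(7, 13),
        "exe-double": plain * Fraction(6, 13),
    }


if __name__ == "__main__":
    SAMPLES = [   # constructed messages; the first three mirror the write-up's examples
        ("hi", "message.zip", ["message.htm.scr"]),
        ("something for you", "swimmingpool.pif", None),
        ("warning", "concert.rtf.exe", None),
        ("Q3 figures", "report.pdf", None),
        ("hello", "me.doc", None),   # WL1 + WL2 but no executable extension
    ]
    for subj, att, members in SAMPLES:
        print(f"{subj!r:22} {att:20} -> {score_mail(subj, att, members)}")
    for shape, p in shape_probabilities().items():
        print(f"{shape}: {p} ({float(p):.1%})")
```

The matcher deliberately requires the final extension to be one of WL3, so a name such as `me.doc` (a WL1 word plus a WL2 extension) is not flagged; that is the write-up's own rule, since WL3 is never optional. `shape_probabilities` only multiplies the fractions the write-up gives, which tells a filter author that about 38% of generated names are `[WL1].zip` containing a triple-extension member and that the four shapes sum to one, i.e. the write-up's odds are complete.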
 