W32/Netsky.c@MM





	W32/Netsky.c@MM Adatlap Felfedezés időpontja: 2004. 02. 25. Eredet: Ismeretlen Hossz: 25353, 28160 bájt Típus: Internet programféreg Altípus: e-mail programféreg Szükséges adatbázis: 4328 Szükséges keresőmotor: 4.2.40 Előfordulás valószínűsége Vállalati környezet: Közepes Otthoni felhasználók: Közepes Tulajdonságok A programféreg tömeges levelezéssel terjed, minden címre, amelyet a fertőzött számítógépen talált, továbbküldi magát. Ezenkívül képes a belső hálózati megosztásokon keresztül is terjedni, bemásolja magát minden csatlakoztatott hálózati megosztott könyvtárba. A vírus bemásolja magát a %WinDir% (pl. C:\WINDOWS) könyvtárba WINLOGON.EXE néven. C:\WINNT\WINLOGON.EXE (25,353 bytes) A vírus a következő Registry bejegyzést hozza létre minek hatására minden rendszerindítéskor lefut. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run "ICQ Net" = %WinDir%\WINLOGON.EXE -stealth Terjedés email-en keresztül From: (hamisított cím) Subject: / Body : (a következőlistában találhatók) <...> lol ;-) <09580985869gj> a crazy doc about you abuse? account? already? another pic, have fun! ... :-> Antispam is turned off. See file! are you a photographer? are you a teacherin the picture? are you cranky? are you the naked one? are you the naked person! are you the one? attachi# Authentification required. Read the attachment! be mad? believe me best? bob the builder child or adult? child porn? classroom test of you? copyright? correct it! dear Delivery Failed denied! did you ask me for that? did you know from this document? did you know that? did you see her already? did you sent it to me? do not give up! do not open the attachment! do not show this anyone! do not use my document! do not use this creditcard! do not visit the pages on the list I sent! do you have an orgasm in the picture? do you have sex in the picture? do you have the bug also? do you have? do you know the thief? do you know this???? do you think so? doc about me? doc? docs? does it belong to you? does it match? does it matter? drugs? ... error excellent! exception excuse me explain! fake? fast food... feel free to use it. File is bad. File is damaged. File is self-decryting. forgotten? from the chatter (my photo!) from your lover ;-) gonna? good morning good work! great job! great xxx! great! greetings hello help attached her. here is it. Here is it here is my advice. here is my photo! here is the $%%454$ here is the here is the document. here is the next one! here is yours! here, the cheats here, the introduction here, the serials hey hi how? i am desperate i am speachless about your document! I don't know your document! i don't think so. i don't want your xxx pics! i found that about you! i found this document about you. i have received this. I have your password! i hope thats not true! i know your document! i like your doc! i lost that i need you! i saw you last week! I 've found your bill! I wait for an answer! i wait for your comment about it. i want more... illegal st. of you? illegal... I'm back! important? important in your mind? incest? info information about you? instruct me about this! is that criminal? is that possible? is that the reality? is that true? is that your account? is that your attachment? is that your beast? is that your car? is that your cd? is that your creditcard? is that your domain? is that your family? is that your finger? is that your message? is that your name? is that your photo? is that your porn pic? is that your privacy? is that your slip? is that your TAN? is that your website? is that your wife? is that your work? is that yours? is the pic a fake? is this information about you? it's a secret! its me its private from me it's so similar as yours! i've found it about you kill him on the picture! kill the writer of this document! last chance! let it! lets talk about it! Login required! Read the attachment! lol love letter? man or women? meaning of that? message? Microsoft misc. and so on. see you! modifications? moin money? msg my advice.... never! new patch is available! notice! notification oh ok... old photos about you? only encrypted! pages? personal message! picture? poor quality! possible? pretty pic about you? private? pwd? Question question Re: <5664ddff?$??§2> Re: does it? Re: excuse me Re: hello Re: hey Re: hi Re: important Re: information Re: Re: Re: Re: Re: unknown re: read it immediatelly read it immediately! read the details. really? reply report schoolfriend? see this! see your name! solve the problem! something about you! something for you something is going ... something is going wrong! something is not ok Status stolen stuff about you? such as yours? take it easy! take it tell me more about your document! test it that is interesting... that's a funny text. that's not the truth? thats wrong! the information is wrong! the truth? this file is bad! this is an attachment message! this is nothing for kids! time to fear? Transaction failed. Show the doc! trial? trust me try this patch! warning what do you think about it? what means that? what still? what? what's up? who? why should I? why? wrong calculation! (see the attachment!) xxx ? xxx about you? xxx service Yep yes. you are a bad writer you are bad You are infected. Read the details! you are naked in this document! you are sexy in this doc! you cannot hide yourself! (see photo) you earn money, see the attachment! you feel the same. you have a sexy body in the pic! you have done a mistake in the document! you have tried to steal! you look like an ape! you look like an rat? you won the rk! you? your account is expired! your are naked? your attachment? verify it. Your bill. your body? your design is not good! your document is not good your document is silly! your eyes? your face? your hero in the picture? your icq number? your job? (I found that!) your lie is going around the world! your name is wrong! your personal record? your photo is poor Your provider will be disabled! your TAN number? yours? Csatolt állomány: A csatolt álomány lehet ZIP (mely tartalmazza a vírust) vagy pedig egyszeres vagy többszörös kiterjesztésű EXE állomány. Az állományok nevei a következőek lehetnek. 454543403 aboutyou associal attach2 auction transfer bill birth card concert moonlight death details description creditcard dinner disco doc yours doc_ang jokes document final found freaky image incest information sexy injection intimate stuff letter location mail2 mails masturbation material me message talk msg2 music myaunt mydate naked1 naked2 news nomoney note nothing misc number_phone object old_photos part2 party paypal pic attachment portmoney posting poster privacy id product class_photos ps ranking regards website more regid release response schock secrets sexual shower story stuff swimmingpool tear textfile topseller trash undefinied unfolds friend update violence visa warez webcam wife word_doc worker your_stuff Az első kiterjesztés lehet: .doc .htm .rtf .text Az lehetséges utolsó kiterjesztések: .com .exe .pif .scr A programféreg levelező komponense az alábbi állományokból gyűjti a címeket: .adb .asp .cgi .dbx .dhtm .doc .eml .htm .oft .php .pl .rtf .sht .shtm .msg .tbb .txt .uin .vbs .wab A vírus saját SMTP motorral rendelkezik melynek segítségével továbbítja magát. Lekérdezi a DNS szerver MX rekordját és közvetlenül kapcsolódik az MTA-hoz a cél domain elérése és az üzenet továbbítása érdekében. Terjedés hálózati megosztásokon keresztül A programféreg bemásolja magát a lokális könyvtárakba, valamint a csatlakoztatott hálózati meghajtókra. Az állománynevek az alábbiak közül kerülhetnek ki: 1000 Sex and more.rtf.exe 3D Studio Max 3dsmax.exe Adobe Photoshop 9 full.exe Adobe Premiere 9.exe Ahead Nero 7.exe Best Matrix Screensaver.scr Clone DVD 5.exe Magix Video Deluxe 4.exe Cracks & Warez Archive.exe Dark Angels.pif Dictionary English - France.doc.exe DivX 7.0 final.exe E-Book Archive.rtf.exe Full album.mp3.pif Gimp 1.5 Full with Key.exe How to hack.doc.exe Doom 3 Beta.exe IE58.1 full setup.exe Keygen 4 all appz.exe Lightwave SE Update.exe MS Service Pack 5.exe Microsoft Office 2003 Crack.exe Microsoft WinXP Crack.exe Norton Antivirus 2004.exe Opera.exe Partitionsmagic 9.0.exe Porno Screensaver.scr RFC Basics Full Edition.doc.exe Screensaver.scr Serials.txt.exe Smashing the stack.rtf.exe Star Office 8.exe Teen Porn 16.jpg.pif The Sims 3 crack.exe Ulead Keygen.exe Virii Sourcecode.scr Visual Studio Net Crack.exe ACDSee 9.exe Win Longhorn Beta.exe WinAmp 12 full.exe WinXP eBook.doc.exe Learn Programming.doc.exe Windows Sourcecode.doc.exe XXX hardcore pic.jpg.exe Eltávolítási utasítások A vírus eltávolítható a Registry bejegyzés eltávolításával hasonlóan a mostanában felbukkant más vírusokhoz. (W32/Netsky.a@MM, W32/Netsky.b@MM, W32/Mydoom.a@MM, W32/Mydoom.b@MM, W32/Mimail.t@MM). A következő értékek törlendők a CurrentVersion\Run CurrentVersion\RunServices bejegyzésből: Sentry OLE service au.exe d3dupdate.exe DELETE ME msgsvr32 A következő Registry kulcsok szintén törlendőek: HKEY_CLASSES_ROOT\CLSID\ {E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run "KasperskyAv" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ Run "system." Tünetek Audio tartalom - Február 26-án 6 és 9 óra között a vírus véletlenszerű sípolást játszik le. On Feb 26, between 6-9am the worm makes random beeping sounds with varying pitches and rhythm. A fent említett állományok és Registry bejegyzések megléte. Váratlanul megnövekedett hálózati forgalom. Kimenő DNS kérések a következő IP címekre: 145.253.2.171 151.189.13.35 193.141.40.42 193.189.244.205 193.193.144.12 193.193.158.10 194.25.2.129 194.25.2.130 194.25.2.131 194.25.2.132 194.25.2.133 194.25.2.134 195.185.185.195 195.20.224.234 212.185.252.136 212.185.252.73 212.185.253.70 212.44.160.8 212.7.128.162 212.7.128.165 213.191.74.19 217.5.97.137 62.155.255.16 A fertőzés menete A programféreg email-en, fájlmásolással lokálisan és csatlakoztatott hálózati megosztásokon keresztül is terjed. A programféreg nem terjed nyitott megosztásokon keresztül csak abban az esetben, ha azok csatlakoztatva vannak. Eltávolítási utasítások A programféreg detektálására és tisztítására minimálisan a 4328-as adatbázisok szükségesek. A 4328-ös adatbázisok megjelenéséig az alábbi extra adatbázisok használhatók: EXTRA.DAT SUPER EXTRA.DAT
	A PiK-SYS Kft. által készített dokumentációk és információs anyagok szerzői jogi védelem alatt állnak. (C) PiK-SYS Kft., 2004.