From: eSecurity Planet
http://nl.internet.com/ct.html?rtr=on&s=1,ttt,1,lyzv,dcpx,1std,6jmd

Mass-Mailing Worm Has Backdoor Component
April 8, 2004

Several vendors Thursday issued alerts for W32/Netsky-U, a mass-mailing worm with a backdoor component, which is functionally identical to W32/Netsky-S.

According to Sophos, both worms copy themselves to the Windows folder using the name EasyAV.exe, create a file called uinmzertinmds.opm (a base64-encoded form of the worm) and set the following registry entry to auto-start on user login:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EasyAV = \EasyAV.exe

W32/Netsky-S and W32/Netsky-U have a backdoor component listening for connections on TCP port 6789, allowing an unauthorized program to download and execute arbitrary code on the infected computer.

The worms harvest email addresses from files on the local drives with the following extensions: SHT, ADB, TBB, WAB, DBX, OFT, DOC, MSG

More information is at this Sophos page.
http://www.sophos.com/virusinfo/analyses/w32netskys.html

According to Symantec, W32.Netsky.U@mm is a mass-mailing worm and a variant of W32.Netsky.S@mm. This worm also contains backdoor functionality and may perform a Denial of Service (DoS) attack against predetermined Web sites. The Subject and Attachment name will vary. The attachment will have a .pif file extension.

Technical details are at this Symantec page.
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.u@xxxxxxx#technicaldetails

According to McAfee, W32/Netsky.U@mm is very similar to W32/Netsky.t@MM. It bears the following characteristics:
- constructs messages using its own SMTP engine
- harvests email addresses from the victim machine
- spoofs the From: address of messages
- opens a port on the victim machine (TCP 6789)
- delivers a DoS attack on certain web sites upon a specific date condition

Email addresses are harvested from the victim machine. Files with certain extensions are searched. View them and other information at this McAfee page.
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101167

Netsky.U is a worm that spreads by copying itself, without infecting other files. Its main objective is to collapse computers and networks, preventing users from working with the affected computer, according to Panda Software.

Technical details are at this Panda Software page.
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&id virus=46191

Worm, Trojan, Runs in Background, Allows Unauthorized Computer Access

W32/SdBot-CM is a network worm and a backdoor Trojan that runs in the background as a service process and allows unauthorized remote access to the computer via IRC channels.

When executed, W32/SdBot-CM copies itself to the Windows system folder with the filename msgfix.exe and sets the following registry entries with the path to the copy:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Configuration Loader
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Configuration Loader
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Configuration Loader

W32/SdBot-CM attempts to copy itself to remote network shares with weak passwords.

More information is at this Sophos page.
http://www.sophos.com/virusinfo/analyses/w32sdbotcm.html

Trojan Has Two Components

Troj/Webber-H is a two-component backdoor Trojan. The downloader component of the Trojan appears to have been mass-mailed out. When run, the Trojan downloads a remote file to C:\windows\usermade.exe and executes it.

The downloaded component is a password-stealing Trojan that attempts to extract sensitive information from several locations on the system and sends it to a remote computer. The downloaded component copies itself as a file with a random name into the Windows system folder and drops and executes a DLL file, also with a random name, that runs the copy of the Trojan.

In order to be started automatically, the Trojan creates certain registry entries. View them and other information at this Sophos page.
http://www.sophos.com/virusinfo/analyses/trojwebberh.html

Backdoor Trojan Provides Proxy Server on Random Port

Troj/Bagle-X is a proxy backdoor Trojan. The Trojan runs continuously in the background, providing a proxy server on a random port number above 2000. Data can be routed to other computers via the proxy in order to bypass access restrictions and to hide the IP address of the source computer. The proxy may be used to forward SPAM email.

When first run, the Trojan copies itself to the Windows system folder as window.exe and creates the following registry entry, so that window.exe is run automatically on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\window.exe = \window.exe

More information is at this Sophos page.
http://www.sophos.com/virusinfo/analyses/trojbaglex.html

Trojan Exploits Unpatched IE Vulnerability

VBS/Psyme is a Trojan that exploits an unpatched (at the time of this writing) vulnerability in Internet Explorer. The vulnerability allows for the writing, and overwriting, of local files by exploiting the ADODB.Stream object.

There are several variants of this Trojan. Therefore this description is designed to give an overview of how the Trojan works. The Trojan exists as VBScript. This script contains instructions to download a remote executable, save it to a specified location on the local disk, and then execute it.

More information is at this McAfee page.
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100749

Virus May Not Let Infected Systems Restart

W32.Tunk.A is a file-prepending virus. From May 2004 onward, infected systems may fail to restart.

Technical details are at this Symantec page.
http://securityresponse.symantec.com/avcenter/venc/data/w32.tunk.a.html#technicaldetails

--Compiled by Esther Shein

__________________________________________________
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews
see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
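As an added host-triage example (written for this post, not code from eSecurity Planet or any of the vendors quoted), the Python below checks a registry export and `netstat -an` output for the autorun value names, dropped file names and the TCP 6789 listener described in the digest; the registry and netstat samples are constructed, not captures from an infected machine.

```python
import re
# Autorun value names and dropped file names quoted in the digest above.
AUTORUN_VALUES = {"EasyAV", "Configuration Loader", "window.exe"}
DROPPED_FILES = {"easyav.exe", "uinmzertinmds.opm", "msgfix.exe",
                 "usermade.exe", "window.exe"}
BACKDOOR_PORT = 6789  # Netsky-S/U backdoor listener
# Matches Run and RunServices key headers in a .reg export (HKLM or HKCU).
RUN_KEY_RE = re.compile(
    r"^\[HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run(?:Services)?\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"="?([^"]*)"?$')

def scan_reg_export(text):
    """Return (value name, data) for Run/RunServices values naming a known file."""
    hits, in_run_key = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):  # new key header
            in_run_key = bool(RUN_KEY_RE.match(line))
            continue
        m = VALUE_RE.match(line)
        if in_run_key and m:
            name, data = m.group(1), m.group(2)
            # .reg data doubles backslashes; keep only the file name
            basename = data.replace("\\\\", "\\").split("\\")[-1].lower()
            if name in AUTORUN_VALUES or basename in DROPPED_FILES:
                hits.append((name, data))
    return hits

def scan_netstat(text):
    """Return local endpoints in 'netstat -an' output listening on the backdoor port."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[-1] == "LISTENING":
            if parts[1].rsplit(":", 1)[-1] == str(BACKDOOR_PORT):
                hits.append(parts[1])
    return hits

# Constructed sample input (not real captures from an infected host).
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyAV"="C:\\WINDOWS\\EasyAV.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"window.exe"="C:\\WINDOWS\\system32\\window.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Configuration Loader"="msgfix.exe"
"""
SAMPLE_NETSTAT = """  TCP    0.0.0.0:135      0.0.0.0:0        LISTENING
  TCP    0.0.0.0:6789     0.0.0.0:0        LISTENING
  TCP    192.168.1.5:1034 203.0.113.10:80  ESTABLISHED"""
```

A hit on a Run value name alone is not proof of infection (legitimate software can reuse a name), so confirm by checking the referenced file on disk and the owning process of the listener.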