[virusinfo] Netsky Variants Continue to Thrive, Wreak Havoc

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Tue, 20 Apr 2004 14:52:38 -0700


From eSecurity Planet:

http://nl.internet.com/ct.html?rtr=on&s=1,ul5,1,a0fm,9ba5,1std,6jmd

Netsky Variants Continue to Thrive, Wreak Havoc
April 20, 2004


Several vendors Tuesday reported the detection of the W32/Netsky.X worm,
which is designed to spread, using its own SMTP engine, to as many computers
as possible. 

According to Panda Software, this new variant of Netsky has already caused
numerous incidents on computers around the world in 2004. Its propagation is
on the increase, although it has yet to reach alarming proportions.

Netsky.X is designed to spread, using its own SMTP engine, to as many
computers as possible. It searches for e-mail addresses to send itself to in
files with the following extensions: .eml, .txt, .php, .cfg, .mbx, .mdx,
.asp, .wab, .doc, .vbs, .rtf, .uin, .shtm, .cgi, .dhtm, .adb, .tbb, .dbx,
.pl, .htm, .html, .sht, .oft, .msg, .ods, .stm, .xls, .jsp, .wsh, .xml,
.mht, .mmf, .nch and .ppt.

The X variant of Netsky is transmitted in a message with the following
characteristics:

- The e-mail address of the sender is faked to confuse the recipient.

- The message carrying the virus can appear in various languages depending
on the country indicated in the domain of the recipient's e-mail address.
So, if the domain is .de, .fi, .fr, .it, .no, .pl, .pt or .se, the message
will be in German, Finnish, French, Italian, Norwegian, Polish, Portuguese
or Swedish respectively. If there is a generic domain, the message is in
English. Curiously, if the domain is .tc (Turks and Caicos Islands), the
message includes the text "mutlu etmek okumak belgili tanimlik belge."

- It includes a file with a .pif extension which contains the worm's code.
The file size is 26,112 bytes and it is packed with "tElock".

- Whatever the language, the text encourages the user to open the
attachment.

Netsky.X is programmed to carry out a denial of service attack between April
28 and 30, 2004, against www.nibis.de, www.medinfo.ufl.edu and www.educa.ch.
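As an added example (written for this post, not code from the article or from any of the vendors quoted), the attachment characteristics above are enough for a simple mail-gateway rule: flag any message carrying a .pif attachment and note whether its decoded size is the 26,112 bytes reported for Netsky.X. The check uses only Python's standard library; the sample message it parses is constructed here, with zero-byte filler in place of the worm body, and the sender and recipient addresses are placeholders.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators from the vendor descriptions above (Panda / Symantec): Netsky.X
# arrives as a .pif attachment of 26,112 bytes.
NETSKY_X_ATTACHMENT_SIZE = 26112
# Only the extension named on the page; a real gateway would carry a longer blocklist.
SUSPECT_EXTENSIONS = {".pif"}


def suspicious_attachments(raw_message: bytes) -> list:
    """Parse a raw RFC 822 message and report attachments matching the Netsky.X profile."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext not in SUSPECT_EXTENSIONS:
            continue
        # decode=True undoes the transfer encoding so we measure the real file size
        payload = part.get_payload(decode=True) or b""
        findings.append({
            "filename": name,
            "size": len(payload),
            "size_matches_netsky_x": len(payload) == NETSKY_X_ATTACHMENT_SIZE,
        })
    return findings


def should_quarantine(raw_message: bytes) -> bool:
    """Gateway decision: hold any message that carries a suspect attachment."""
    return bool(suspicious_attachments(raw_message))


def build_sample(filename: str, size: int) -> bytes:
    """Construct a test message (not a real worm sample) with one attachment of `size` bytes."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"   # constructed placeholder sender
    msg["To"] = "user@example.de"         # constructed placeholder recipient
    msg["Subject"] = "Delivery notice"
    msg.set_content("Please read the attached document.")
    # zero-byte filler stands in for the attachment body
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample("document.pif", NETSKY_X_ATTACHMENT_SIZE)
    print(suspicious_attachments(sample))
    print("quarantine" if should_quarantine(sample) else "deliver")
```

The size match is only a corroborating signal: the extension check alone is what drives the quarantine decision, since a repacked variant changes the size but not the delivery mechanism.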

More information on Netsky.X is available in Panda Software's Virus
Encyclopedia. Users can also monitor the evolution of the Netsky family of
worms here.
http://www.pandasoftware.com/about/press/viewNews.aspx?noticia=4841


TrendLabs has also reported receiving several samples of Worm_Netsky.X from
Germany, Poland and France. It uses its own Simple Mail Transfer Protocol
(SMTP) engine to propagate via email with varying subjects, message bodies,
and attachment file names. It obtains email addresses from files with
specific extension names in all available drives. It uses the gathered
addresses to spoof the From and To fields of the email it sends out. View a
sample email and other information at this Trend Micro page.
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.X



Due to an increased rate of submissions on Tuesday, Symantec Security
Response has upgraded W32.Netsky.X@mm to a Category 3 level threat from a
Category 2 threat.

W32.Netsky.X@mm is a variant of W32.Netsky.W@mm, which scans for email
addresses on all non-CD-ROM drives on the infected computer. Then, the worm
uses its own SMTP engine to send itself to the email addresses that it
finds.

The From line of the email is spoofed, and its Subject, Message, and
Attachment vary. The attachment has a .pif extension.

This threat is compressed with tELock.

Technical details are at this Symantec page.
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.x@xxxxxxx#technicaldetails


According to McAfee, W32/Netsky.x@MM bears the following characteristics:

- constructs messages using its own SMTP engine
- harvests email addresses from the victim machine
- spoofs the From: address of messages
- delivers a DoS attack on certain web sites

Email addresses are harvested from the victim machine by searching files with
certain extensions. View them and other information at this McAfee page.
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=104475


Additionally, Sophos Tuesday issued an alert for other Netsky variants.

W32/Netsky-V is a worm that uses a combination of email, HTTP and FTP to
spread. The worm itself is a Windows program (EXE) file. W32/Netsky-V
searches a hard disk for email addresses and sends email directly to them.
Note that these emails do not contain an attached copy of W32/Netsky-V.
Instead, they contain HTML instructions to fetch a copy of the worm. The
emails use a subject and message randomly selected from the following:

Subject line:
Mail Delivery System failure
Mail delivery failed
Server Status failure
Gateway Status failure 

Visible message text:
The processing of this message can take a few minutes...
Converting message. Please wait...
Please wait while loading failed message...
Please wait while converting the message... 

W32/Netsky-V opens up two TCP ports on your computer. An HTTP service
listens on port 5557 and an FTP service listens on port 5556. These ports
are used to "serve up" the virus to downstream victims to whom you have sent
copies of the email mentioned above. 

More information is at this Sophos page.
http://www.sophos.com/virusinfo/analyses/w32netskyv.html


W32/Netsky-Y is a mass mailing worm with a backdoor component. 

The worm copies itself to the Windows folder using the name FirewallSvr.exe,
creates a file called f---you_bagle.txt (a base64 encoded form of the worm)
and sets the following registry entry to autostart on user login: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FirewallSvr = C:\\FirewallSvr.exe

W32/Netsky-Y has a backdoor component listening for connections on TCP port
1549 allowing an unauthorized program to download and execute arbitrary code
on the infected computer. 
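The Sophos descriptions of Netsky-V (HTTP on TCP 5557, FTP on TCP 5556) and Netsky-Y (Run-key value FirewallSvr, the f---you_bagle.txt file, backdoor on TCP 1549) give a small set of host indicators that an administrator can check for directly. The following is an added example, not code from the article or from Sophos: it parses a `netstat -an` listing and a `.reg` export of the Run key and reports the indicators it finds. Both input samples are constructed for the example rather than captured from an infected machine, and the `assess_host` wrapper and its indicator tables are assumptions of this example.

```python
import re

# Indicators taken from the Sophos descriptions quoted above.
WORM_PORTS = {
    5557: "Netsky-V HTTP service",
    5556: "Netsky-V FTP service",
    1549: "Netsky-Y backdoor",
}
NETSKY_Y_RUN_VALUE = "FirewallSvr"
NETSKY_Y_FILES = {"firewallsvr.exe", "f---you_bagle.txt"}

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1549           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5556           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5557           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.20:49201     ESTABLISHED
"""

# Constructed sample of a .reg export of the Run key (not from a real machine).
# .reg files escape backslashes in string data, hence C:\\FirewallSvr.exe.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"FirewallSvr"="C:\\FirewallSvr.exe"
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.M)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*$')


def listening_worm_ports(netstat_output: str) -> dict:
    """Return {port: description} for listening TCP ports that match the indicators."""
    hits = {}
    for m in LISTEN_RE.finditer(netstat_output):
        port = int(m.group(1))
        if port in WORM_PORTS:
            hits[port] = WORM_PORTS[port]
    return hits


def suspicious_run_values(reg_export: str) -> list:
    """Return (name, data) pairs under a ...\\CurrentVersion\\Run key matching Netsky-Y."""
    hits = []
    current_key = None
    for line in reg_export.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or not current_key.lower().endswith(r"\currentversion\run"):
            continue
        m = RUN_VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.groups()
        # undo .reg escaping, then take the file name part of the path
        basename = data.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
        if name.lower() == NETSKY_Y_RUN_VALUE.lower() or basename in NETSKY_Y_FILES:
            hits.append((name, data))
    return hits


def assess_host(netstat_output: str, reg_export: str) -> list:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for port, desc in sorted(listening_worm_ports(netstat_output).items()):
        findings.append(f"TCP port {port} listening: {desc}")
    for name, data in suspicious_run_values(reg_export):
        findings.append(f"Run value {name!r} -> {data}: Netsky-Y persistence")
    return findings


if __name__ == "__main__":
    for line in assess_host(SAMPLE_NETSTAT, SAMPLE_REG):
        print(line)
```

A listening port alone is weak evidence (any program may bind 5556 or 5557), so the port and registry findings are reported together and the Run value, which names the file the advisory describes, is the stronger of the two.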

The worm harvests email addresses from files on the local drives with the
following extensions: 

adb, asp, cfg, cgi, dbx, dhtm, doc, eml, htm, html, jsp, mbx, mdx, mht, mmf,
msg, nch, oft, php, pl, ppt, rtf, shtm, tbb, txt, uin, vbs, wab, wsh, xls,
xml. 

See the typical form of the generated emails at this Sophos page.
http://www.sophos.com/virusinfo/analyses/w32netskyy.html
--Compiled by Esther Shein 
___________________________________________________


Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
