From: eSecurity Planet
http://nl.internet.com/ct.html?rtr=on&s=1,ul5,1,a0fm,9ba5,1std,6jmd

Netsky Variants Continue to Thrive, Wreak Havoc
April 20, 2004

Several vendors on Tuesday reported the detection of the W32/Netsky.X worm, which is designed to spread, using its own SMTP engine, to as many computers as possible.

According to Panda Software, this new Netsky variant has so far in 2004 caused numerous incidents on computers around the world. Its propagation is on the increase, although it has yet to reach alarming proportions.

Netsky.X is designed to spread, using its own SMTP engine, to as many computers as possible. It searches for e-mail addresses to send itself to in files with the following extensions: .eml, .txt, .php, .cfg, .mbx, .mdx, .asp, .wab, .doc, .vbs, .rtf, .uin, .shtm, .cgi, .dhtm, .adb, .tbb, .dbx, .pl, .htm, .html, .sht, .oft, .msg, .ods, .stm, .xls, .jsp, .wsh, .xml, .mht, .mmf, .nch and .ppt.

The X variant of Netsky is transmitted in a message with the following characteristics:

- The e-mail address of the sender is faked to confuse the recipient.
- The message carrying the virus can appear in various languages, depending on the country indicated by the domain of the recipient's e-mail address. If the domain is .de, .fi, .fr, .it, .no, .pl, .pt or .se, the message will be in German, Finnish, French, Italian, Norwegian, Polish, Portuguese or Swedish respectively. If the domain is generic, the message is in English. Curiously, if the domain is .tc (Turks and Caicos Islands), the message includes the text "mutlu etmek okumak belgili tanimlik belge."
- It includes a file with a .pif extension which contains the worm's code. The file is 26,112 bytes in size and is packed with "tElock".
- Whatever the language, the text encourages the user to open the attachment.

Netsky.X is programmed to carry out a denial of service attack between April 28 and 30, 2004, against www.nibis.de, www.medinfo.ufl.edu and www.educa.ch.
More information on Netsky.X is available in Panda Software's Virus Encyclopedia. Users can also monitor the evolution of the Netsky family of worms here:
http://www.pandasoftware.com/about/press/viewNews.aspx?noticia=4841

TrendLabs has also reported receiving several samples of Worm_Netsky.X from Germany, Poland and France. It uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate via email with varying subjects, message bodies and attachment file names. It obtains email addresses from files with specific extensions on all available drives, and uses the gathered addresses to spoof the From and To fields of the email it sends out. View a sample email and other information at this Trend Micro page:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.X

Due to an increased rate of submissions on Tuesday, Symantec Security Response has upgraded W32.Netsky.X@mm from a Category 2 to a Category 3 threat. W32.Netsky.X@mm is a variant of W32.Netsky.W@mm; it scans for email addresses on all non-CD-ROM drives of the infected computer, then uses its own SMTP engine to send itself to the addresses it finds. The From line of the email is spoofed, and its Subject, Message and Attachment vary. The attachment has a .pif extension. This threat is compressed with tELock. Technical details are at this Symantec page:
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.x@xxxxxxx#technicaldetails

According to McAfee, W32/Netsky.x@MM bears the following characteristics:

- constructs messages using its own SMTP engine
- harvests email addresses from the victim machine
- spoofs the From: address of messages
- delivers a DoS attack on certain web sites

Email addresses are harvested from the victim machine by searching files with certain extensions. View them and other information at this McAfee page:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=104475

Additionally, Sophos on Tuesday issued an alert for other Netsky variants.

W32/Netsky-V is a worm that uses a combination of email, HTTP and FTP to spread. The worm itself is a Windows program (EXE) file. W32/Netsky-V searches a hard disk for email addresses and sends email directly to them. Note that these emails do not contain an attached copy of W32/Netsky-V. Instead, they contain HTML instructions to fetch a copy of the worm. The emails use a subject and message randomly selected from the following:

Subject line:
- Mail Delivery System failure
- Mail delivery failed
- Server Status failure
- Gateway Status failure

Visible message text:
- The processing of this message can take a few minutes...
- Converting message. Please wait...
- Please wait while loading failed message...
- Please wait while converting the message...

W32/Netsky-V opens two TCP ports on your computer: an HTTP service listens on port 5557 and an FTP service listens on port 5556. These ports are used to "serve up" the virus to the downstream victims to whom you have sent copies of the email mentioned above. More information is at this Sophos page:
http://www.sophos.com/virusinfo/analyses/w32netskyv.html

W32/Netsky-Y is a mass-mailing worm with a backdoor component. The worm copies itself to the Windows folder using the name FirewallSvr.exe, creates a file called f---you_bagle.txt (a base64-encoded form of the worm) and sets the following registry entry to autostart on user login:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FirewallSvr = C:\\FirewallSvr.exe

W32/Netsky-Y has a backdoor component listening for connections on TCP port 1549, allowing an unauthorized program to download and execute arbitrary code on the infected computer.
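The Netsky-V mail described above is distinctive on a gateway: it carries no attachment and instead links the reader back to the sender's own HTTP (5557) or FTP (5556) listener. The following is an added example, not from the article or from any of the vendors it quotes, of a mail filter that flags such messages; it assumes the fetch link is an ordinary http:// or ftp:// URL naming one of those ports, and both sample messages are constructed, not real captures.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Subject lines the Sophos alert lists for W32/Netsky-V (matched exactly).
NETSKY_V_SUBJECTS = {"Mail Delivery System failure", "Mail delivery failed",
                     "Server Status failure", "Gateway Status failure"}
# Ports the worm opens to serve itself: HTTP on 5557, FTP on 5556.
WORM_SERVING_PORTS = {5556, 5557}
URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://[^\s\"'<>]+")


def netsky_v_indicators(raw: bytes) -> list[str]:
    """Return the Netsky-V indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").strip()
    if subject in NETSKY_V_SUBJECTS:
        findings.append(f"known Netsky-V subject: {subject!r}")
    # The worm ships no attachment; its HTML links back to the sender's own
    # listener, so every http/ftp URL in HTML parts is checked for those ports.
    has_attachment = any(p.get_filename() for p in msg.walk())
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for url in URL_RE.findall(part.get_content()):
            try:
                port = urlparse(url).port
            except ValueError:  # malformed port: not a usable fetch link
                continue
            if port in WORM_SERVING_PORTS:
                findings.append(f"link to worm-serving port {port}: {url}")
    if findings and not has_attachment:
        findings.append("no attachment: payload is fetched remotely")
    return findings


# Constructed samples (not real captures): one shaped like the alert's
# description of a Netsky-V mail, one benign HTML newsletter.
SAMPLE_NETSKY_V = (
    b"From: postmaster@example.net\r\nTo: victim@example.org\r\n"
    b"Subject: Mail delivery failed\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>Please wait while loading failed message...<br>"
    b'<a href="http://192.0.2.10:5557/failed.html">open</a></body></html>\r\n'
)
SAMPLE_BENIGN = (
    b"From: news@example.com\r\nTo: reader@example.org\r\n"
    b"Subject: Weekly digest\r\nContent-Type: text/html\r\n\r\n"
    b'<html><body><a href="https://example.com/issue/12">Read</a></body></html>\r\n'
)
```

A subject match alone is weak evidence (legitimate bounce notices use similar wording); the link to a non-standard port on an arbitrary host is the stronger signal, and the two together with a missing attachment match the alert's description.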
The worm harvests email addresses from files on the local drives with the following extensions: adb, asp, cfg, cgi, dbx, dhtm, doc, eml, htm, html, jsp, mbx, mdx, mht, mmf, msg, nch, oft, php, pl, ppt, rtf, shtm, tbb, txt, uin, vbs, wab, wsh, xls, xml. View the typical form of the generated emails at this Sophos page:
http://www.sophos.com/virusinfo/analyses/w32netskyy.html

--Compiled by Esther Shein

___________________________________________________
Mike ~ It is a good day if I learned something new.
Editor, MikesWhatsNews; see a sample on my web page: http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages: http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member