[24hoursupport] alert: W32/Netsky-B

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: 24hoursupport@xxxxxxxxxxxxx
  • Date: Wed, 18 Feb 2004 20:38:58 -0800

 

Name: W32/Netsky-B
Also Known As:  W32/Netsky.b@MM [McAfee], W32/Netsky.B.worm [Panda], 
WORM_NETSKY.B [Trend Micro], Moodown.B [F-Secure], 
I-Worm.Moodown.b [Kaspersky] 
Variants:  W32.Netsky@mm 

Risk: High
Type: Win32 worm
Date: 18 February 2004
Description (from Sophos)
W32/Netsky-B is a worm that spreads by email and Windows network shares. 
W32/Netsky-B copies itself into the Windows folder as services.exe. 

In order to run automatically when Windows starts up W32/Netsky-B creates
the following registry entry: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
service= "C:\\WINDOWS\\services.exe -serv" 

W32/Netsky-B searches all mapped drives for files with the following
extensions in order to find email adresses: MSG, OFT, SHT, DBX, TBB, ADB,
DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT and EML. 

W32/Netsky-B searches drives C: to Z: and attempts to copy itself into
folders with names containing the string "share" or "sharing". 

The file names used by the worm for copying itself to shared folders are:
angels.pif
cool screensaver.scr
dictionary.doc.exe
dolly_buster.jpg.pif
doom2.doc.pif
e-book.archive.doc.exe
e.book.doc.exe
eminem - lick my pussy.mp3.pif
hardcore porn.jpg.exe
how to hack.doc.exe
matrix.scr
max payne 2.crack.exe
nero.7.exe
office_crack.exe
photoshop 9 crack.exe
porno.scr
programming basics.doc.exe
rfc compilation.doc.exe
serial.txt.exe
sex sex sex sex.doc.exe
strippoker.exe
virii.scr
win longhorn.doc.exe
winxp_crack.exe 

W32/Netsky-B may arrive in an email with the following characteristics:
Subject line: randomly chosen from -
unknown
fake
stolen
information
warning
something for you
read it immediately
hello 

Message text: randomly chosen from -
something is fool
something is going wrong
you are bad
you try to steal
you feel the same
you earn money
thats wrong
why?
take it easy
reply
do you?
that's funny
here, the cheats
here, the introduction
here, the serials
from the chatter
about me
information about you
something is going wrong!
stuff about you?
greetings
see you
here it is
that is bad
yes, really?
i found this document about you
your name is wrong
i hope it is not true!
kill the writer of this document!
something about you!
I have your password!
you are a bad writer
is that from you?
i wait for a reply!
is that your account?
is that your name?
is that true?
here
my hero
read it immediately!
here is the document.
read the details.
i'm waiting
what does it mean?
anything ok? 

Attached file: one of the following filenames with a double file extension -
misc
party
disco
part2
mail2
object
ranking
dinner
release
final
location
jokes
friend
website
mails
story
found
nomoney
aboutyou
shower
topseller
product
swimmingpool
bill
note
concert
textfile
posting
stuff
attachment
details
creditcard
message
ps
msg
talk
document
unknown
fake
stolen
information
warning
something for you
read it immediately
hello 

The extension is combination of DOC, RTF, HTM, PIF, COM, SCR and EXE.
W32/Netsky-B may also send a ZIP file. 

The email address of the sender will be spoofed. 

When the attachment is opened W32/Netsky-B may display a fake message box
"The file could not be opened". 

W32/Netsky-B attempts to remove registry entries related to few recent
viruses, including W32/MyDoom-A and W32/MyDoom-B. 
 

Download the IDE file from:
http://www.sophos.com/downloads/ide/netsky-b.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html
_____________________________________________

More information about W32/Netsky-B can be found at:

CERT;
http://www.cert.org/incident_notes/IN-2004-02.html

Computer Associates;
http://www3.ca.com/virusinfo/virus.aspx?ID=38332

Kaspersky:
http://www.viruslist.com/eng/alert.html?id=983343

Panda:
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=44
815

Sorphos:
http://www.sophos.com/virusinfo/analyses/w32netskyb.html

Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.b@xxxxxxx
W32.Netsky.B is a mass-mailing worm that uses its own SMTP engine to send
itself to the email addresses it finds when scanning the hard drives and
mapped drives. This worm also searches drives C through Z for folder names
containing "Share" or "Sharing," and then copies itself to those folders. 

Symantec Security Response has developed a removal tool to clean the
infections of W32.Netsky.B@mm.
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.b@xxxxxxxx
al.tool.html

Trend;
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.B


For worm removal instructions;
http://www3.telus.net/mikebike/worm_removal.htm

For worm removal instructions;
http://www3.telus.net/mikebike/worm_removal.htm
---------------------------------------------------------------------
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
A Technical Support Alliance  and OWTA Charter Member




For a web-based membership management utility and information on list policies, 
please see http://nibec.com/24hoursupport/

To unsubscribe, send a blank email to 24hoursupport-request@xxxxxxxxxxxxx with 
"unsubscribe" (without quotes) in the subject.


Other related posts:

  • » [24hoursupport] alert: W32/Netsky-B