TCH-Dick - Posted March 3, 2004

New Variant on the Loose - WORM_NETSKY.C (High Risk)
------------------------------------------------------------------------

WORM_NETSKY.C is a new variant of the NETSKY worm. It is a memory-resident worm that propagates via email using its own SMTP (Simple Mail Transfer Protocol) engine, and via shared folders by dropping copies of itself in various folders with the string "shar" in their names located under the Windows directory.

If the current computer system date is February 26, 2004 and the time is between 6am and 9am, the worm's payload causes the computer to generate beeping sounds.

This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this malware creates a mutex that checks for its existence on the system. It then creates several threads that are responsible for mass-mailing, finding email addresses, and executing its payload.

This malware also drops a copy of itself in the Windows folder using the file name WINLOGON.EXE. The malware creates a registry entry that allows it to automatically execute at every system startup. It also deletes 6 registry entries that are added by variants of WORM_MYDOOM.

This worm uses its own SMTP engine to propagate. It sends email using a spoofed "From:" address, any of several specific "Subject:" lines, any of several specific "Message Body:" contents, and any of several specific "Attachment:" names.

The attachment, which occasionally arrives zipped, may have the extension name .pif, .com, .scr, or .exe. It may also have double extension names where the first extension name of the attached file is .txt, .rtf, .doc, or .htm. In random instances it generates email attachments with blank spaces in order to hide the second extension of the attachment.

It gathers target email addresses by searching all fixed drives (non-CDROM) for files with the following extensions:

    DHTM, CGI, SHTM, MSG, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT, EML

As it scans each of the above-mentioned files, the worm skips email addresses that contain the following text strings, in order to evade detection of security software associated with these strings:

    "abuse", "antivi", "aspersky", "avp", "cafee", "fbi", "f-pro", "f-secur", "icrosoft", "itdefender", "orman", "orton", "spam", "ymantec"

The malware searches for mail exchangers that match its preferences on each of the DNS servers, and uses them as SMTP servers.

If you would like to scan your computer for WORM_NETSKY.C or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_NETSKY.C is detected and cleaned by Trend Micro pattern file #781 and above.

For additional information about WORM_NETSKY.C please visit: http://www.trendmicro.com/vinfo/virusencyc...e=WORM_NETSKY.C

Top 10 Most Prevalent Global Malware (from February 19, 2004 to February 26, 2004)
------------------------------------------------------------------------

1. WORM_MYDOOM.A
2. WORM_NETSKY.B
3. WORM_LOVGATE.G
4. TROJ_DASMIN.E
5. BKDR_COREFLOOD.F
6. PE_DUMARU.A
7. PE_NIMDA.E
8. JAVA_BYTEVER.A
9. PE_VALLA.A
10. PE_PARITE.A
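The attachment-naming tricks the advisory above describes (plain .pif/.com/.scr/.exe, a decoy .txt/.rtf/.doc/.htm extension in front of the real one, and runs of blank spaces hiding that second extension) can be turned into a simple mail-gateway triage rule. This is an added example, not code from the post or from Trend Micro; the sample filenames are constructed and the category names are my own.

```python
# Attachment traits listed in the WORM_NETSKY.C advisory.
EXEC_EXTS = {".pif", ".com", ".scr", ".exe"}
DECOY_EXTS = {".txt", ".rtf", ".doc", ".htm"}


def classify_attachment(filename: str) -> str:
    """Classify an attachment name by the NETSKY.C naming tricks.

    Returns one of (category names are assumptions of this example):
      'executable'       - plain .pif/.com/.scr/.exe
      'double-extension' - decoy.txt.exe style name
      'padded-double'    - decoy.txt<spaces>.exe; spaces hide the real extension
      'archive'          - .zip container, whose member names need the same check
      'ok'               - none of the above
    """
    name = filename.lower()
    if name.endswith(".zip"):
        return "archive"
    parts = name.split(".")
    if len(parts) < 2:
        return "ok"
    # The real extension is the last one; strip() tolerates trailing blanks.
    if "." + parts[-1].strip() not in EXEC_EXTS:
        return "ok"
    if len(parts) >= 3:
        decoy = parts[-2]
        if "." + decoy.strip() in DECOY_EXTS:
            # Whitespace between decoy and real extension is the padding trick.
            return "padded-double" if decoy != decoy.strip() else "double-extension"
    return "executable"


def triage(attachment_names):
    """Return (name, verdict) for every name that matches a NETSKY.C trait."""
    verdicts = [(n, classify_attachment(n)) for n in attachment_names]
    return [(n, v) for n, v in verdicts if v != "ok"]


# Constructed sample names, one per case; not taken from the advisory.
SAMPLE_NAMES = [
    "invoice.pdf",
    "document.txt" + " " * 40 + ".exe",
    "message.rtf.scr",
    "data.pif",
    "archive.zip",
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_NAMES):
        print(f"{verdict:17} {name!r}")
```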
Head Guru - Posted March 3, 2004

Our servers are getting pounded right now. We are doing everything in our power to keep email up and running.
TCH-Bruce - Posted March 3, 2004

"We are doing everything in our power to keep email up and running"

And so far, you're doing a great job! Thumbs Up
Madmanmcp - Posted March 3, 2004

I found two here that got through if you want them... never mind, I had McAfee delete them.
TCH-Thomas - Posted March 3, 2004 (edited)

There's a Netsky.D running around now too, so make sure your antivirus is updated.

Update: Just saw on symantec.com that there's an E and F variant too.

Edited March 3, 2004 by Jikrantz