TCH-Dick

Weekly Virus News

New Variant on the Loose - WORM_NETSKY.C (High Risk)

------------------------------------------------------------------------

WORM_NETSKY.C is a new variant of the NETSKY worm. It is a memory-resident worm that propagates via email using its own SMTP (Simple Mail Transfer Protocol) engine, and via shared folders by dropping copies of itself in various folders with the string "shar" in their names located under the Windows directory. If the current computer system date is February 26, 2004 and the time is between 6am and 9am, the worm's payload causes the computer to generate beeping sounds. This worm runs on Windows 95, 98, ME, NT, 2000, and XP.

Upon execution, this malware creates a mutex that checks for its existence on the system. It then creates several threads that are responsible for mass-mailing, finding email addresses, and executing its payload. This malware also drops a copy of itself in the Windows folder using the file name WINLOGON.EXE.

The malware creates a registry entry that allows it to automatically execute at every system startup. It also deletes 6 registry entries that are added by variants of WORM_MYDOOM.

This worm uses its own SMTP engine to propagate. It sends email using a spoofed "From:" address, any of several specific "Subject:" lines, any of several specific "Message Body:" contents, and any of several specific "Attachment:" names. The attachment, which occasionally arrives zipped, may have the extension name .pif, .com, .scr, or .exe. It may also have double extension names where the first extension name of the attached file is .txt, .rtf, .doc, or .htm. In random instances it generates email attachments with blank spaces in order to hide the second extension of the attachment.

It gathers target email addresses by searching all fixed drives (non-CDROM) for files with the following extensions:

DHTM
CGI
SHTM
MSG
OFT
SHT
DBX
TBB
ADB
DOC
WAB
ASP
UIN
RTF
VBS
HTML
HTM
PL
PHP
TXT
EML

As it scans each of the above-mentioned files, the worm skips email addresses that contain the following text strings, in order to evade detection of security software associated with these strings:

"abuse"
"antivi"
"aspersky"
"avp"
"cafee"
"fbi"
"f-pro"
"f-secur"
"icrosoft"
"itdefender"
"orman"
"orton"
"spam"
"ymantec"

The malware searches for mail exchangers that match its preferences on each of the DNS servers, and uses them as SMTP servers.

If you would like to scan your computer for WORM_NETSKY.C or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

WORM_NETSKY.C is detected and cleaned by Trend Micro pattern file #781 and above.

 

For additional information about WORM_NETSKY.C please visit: http://www.trendmicro.com/vinfo/virusencyc...e=WORM_NETSKY.C

 

Top 10 Most Prevalent Global Malware
(from February 19, 2004 to February 26, 2004)

------------------------------------------------------------------------

1. WORM_MYDOOM.A
2. WORM_NETSKY.B
3. WORM_LOVGATE.G
4. TROJ_DASMIN.E
5. BKDR_COREFLOOD.F
6. PE_DUMARU.A
7. PE_NIMDA.E
8. JAVA_BYTEVER.A
9. PE_VALLA.A
10. PE_PARITE.A
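As an added example (not part of the original post, and not Trend Micro's or any vendor's code), a small mail-gateway attachment check for the naming tricks the advisory describes: an executable final extension (.pif, .com, .scr, .exe), the decoy document extension (.txt, .rtf, .doc, .htm) followed by a run of blank spaces to hide the real one, and the same names inside a zipped attachment. The extension sets come from the advisory text; the sample filenames and the zip contents are constructed placeholders.

```python
import io
import re
import zipfile

# Extension sets taken from the advisory text above.
EXEC_EXTS = {"pif", "com", "scr", "exe"}      # final extensions the worm uses
DECOY_EXTS = {"txt", "rtf", "doc", "htm"}     # harmless-looking first extensions

def classify_attachment(name: str) -> str:
    """Return 'clean', 'executable' or 'disguised' for one attachment filename."""
    # Collapse the run of blank spaces NETSKY inserts, so that
    # "invoice.txt            .exe" is judged as "invoice.txt.exe".
    collapsed = re.sub(r"\s+", "", name).lower()
    parts = collapsed.split(".")
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return "clean"
    # An executable final extension preceded by a decoy document extension
    # is the double-extension trick described in the advisory.
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "disguised"
    return "executable"

def scan_attachment(name: str, data: bytes) -> list:
    """Classify an attachment and, when it is a zip, every member name inside it.
    Returns [(filename, verdict), ...] for everything that is not 'clean'."""
    findings = []
    verdict = classify_attachment(name)
    if verdict != "clean":
        findings.append((name, verdict))
    # The worm sometimes ships the executable zipped; inspect member names too.
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    member_verdict = classify_attachment(member)
                    if member_verdict != "clean":
                        findings.append((name + ":" + member, member_verdict))
        except zipfile.BadZipFile:
            findings.append((name, "corrupt-zip"))
    return findings

def build_sample_zip(member_name: str) -> bytes:
    """Construct an in-memory zip holding one inert placeholder member (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder, not an executable")
    return buf.getvalue()
```

Feed it the decoded filename and raw bytes of each MIME part at the gateway; anything returned is worth quarantining or at least logging, since legitimate mail rarely carries these patterns.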

Our servers are getting pounded right now.

 

We are doing everything in our power to keep email up and running :huh:

We are doing everything in our power to keep email up and running :huh:

And so far, you're doing a great job! Thumbs Up


There's a Netsky.D running around now too, so make sure your antivirus is updated.

 

Update

Just saw on symantec.com that there's an E and F variant too.

Edited by Jikrantz
