Title: Message
I've gotten this in my mailbox about 10 times in the last four hours, so keep an eye
out. As always, if you're not expecting an
attachment from someone, DON'T OPEN IT!
-Dave
http://story.news.yahoo.com/news?tmpl=story&cid=582&e=1&u=/nm/20040218/wr_nm/tech_worm_netskyb_dc
SEATTLE (Reuters) - A new worm called "Netsky.B"
emerged on the Internet on Wednesday, spreading by mimicking familiar e-mail
addresses and enticing users to open file attachments containing malicious
software, security experts said.
Most computer security companies rated the worm a
medium-grade threat, describing it as more of an annoyance than a malicious
virus that destroys files or makes computers vulnerable to attacks.
"It's a very low infection rate virus," said David
Perry, global education director at Trend Micro Inc., adding
that newer, more infectious versions could be in the pipeline.
The worm, once activated, forwards itself to e-mail
addresses found on an infected computer's hard drive.
Netsky.B usually arrives in e-mail boxes appearing as
e-mail from a familiar person with an attachment that appears to be a Microsoft
Word document, with the words "read it immediately" or "something for you" making
it tricky to identify.
Anti-virus software and services provider Network
Associates Inc. said the worm's activity appeared to be concentrated in Europe,
particularly the Netherlands.
Both businesses and consumers were being hit by the
fast-spreading worm.
http://vil.nai.com/vil/content/v_101034.htm
The virus may be received in an email message as
follows:
From: (forged address taken from infected system) or skynet@xxxxxxxxx
Subject: (one of the following)
- fake
- for
- hello
- hi
- immediately
- information
- it
- read
- something
- stolen
- unknown
- warning
- you
Body: (one of the following)
- about me
- anything ok?
- do you? that's funny
- from the chatter
- greetings
- here
- here is the document.
- here it is
- here, the cheats
- here, the introduction
- here, the serials
- i found this document about you
- I have your password!
- i hope it is not true!
- i wait for a reply!
- i'm waiting ok
- information about you
- is that from you?
- is that true?
- is that your account?
- is that your name?
- kill the writer of this document!
- my hero
- read it immediately!
- read the details.
- reply
- see you
- something about you!
- something is fool
- something is going wrong
- something is going wrong!
- stuff about you?
- take it easy
- that is bad
- thats wrong why?
- what does it mean?
- yes, really?
- you are a bad writer
- you are bad
- you earn money
- you feel the same
- you try to steal
- your name is wrong
Attachment: (one of the following names)
- aboutyou
- attachment
- bill
- concert
- creditcard
- details
- dinner
- disco
- doc
- document
- final
- found
- friend
- jokes
- location
- mail2
- mails
- me
- message
- misc
- msg
- nomoney
- note
- object
- part2
- party
- posting
- product
- ps
- ranking
- release
- shower
- story
- stuff
- swimmingpool
- talk
- textfile
- topseller
- website
The attachment name may be followed by a double extension, such as
.rtf.pif, and the file may be contained in a .ZIP archive.
The mailing component harvests addresses from the local
system. Files with the following extensions are searched:
- .adb
- .asp
- .dbx
- .doc
- .eml
- .htm
- .html
- .msg
- .oft
- .php
- .pl
- .rtf
- .sht
- .tbb
- .txt
- .uin
- .vbs
- .wab
The virus sends itself via SMTP, constructing
messages with its own SMTP engine. It queries the DNS server for the target
domain's MX record, connects directly to that domain's MTA and delivers the
message.
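Because the worm talks to remote MX hosts itself rather than through the organisation's relay, an infected workstation shows up in firewall logs as a client fanning out on TCP/25 to many outside addresses. The following is an added example for this page, not code from the advisory: the log line format, the relay address 10.1.1.25, the fan-out threshold and the sample lines are all constructed assumptions.

```python
# Added example: spot hosts that bypass the mail relay and deliver straight to
# remote MX servers. Log format, addresses and threshold are constructed.
import re
from collections import defaultdict

# Assumption: the only host allowed to speak SMTP to the outside world.
MAIL_RELAYS = {"10.1.1.25"}
# A single misconfigured client rarely fans out to this many distinct MTAs.
MIN_DISTINCT_DESTS = 3

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) action=(?P<action>\w+)")


def parse_line(line):
    """Parse one constructed firewall log line into a dict, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_direct_mx_senders(lines, relays=MAIL_RELAYS, min_dests=MIN_DISTINCT_DESTS):
    """Return {src: sorted dsts} for hosts sending TCP/25 to non-relay hosts.

    Denied connections are counted too: a blocked attempt is still evidence
    that the host is trying to deliver mail on its own."""
    fanout = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != "25":
            continue
        if rec["src"] in relays or rec["dst"] in relays:
            continue  # the relay itself, or a client submitting to the relay
        fanout[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in fanout.items()
            if len(dsts) >= min_dests}


# Constructed sample log: one infected client, the relay, and one stray host.
SAMPLE_LOG = """\
2004-02-18T09:58:01 src=10.1.4.22 dst=10.1.1.25 proto=tcp dport=25 action=allow
2004-02-18T10:02:11 src=10.1.4.22 dst=198.51.100.7 proto=tcp dport=25 action=allow
2004-02-18T10:02:12 src=10.1.4.22 dst=203.0.113.40 proto=tcp dport=25 action=allow
2004-02-18T10:02:14 src=10.1.4.22 dst=192.0.2.18 proto=tcp dport=25 action=allow
2004-02-18T10:02:15 src=10.1.4.22 dst=192.0.2.18 proto=udp dport=53 action=allow
2004-02-18T10:03:40 src=10.1.1.25 dst=198.51.100.7 proto=tcp dport=25 action=allow
2004-02-18T10:04:02 src=10.1.7.9 dst=203.0.113.40 proto=tcp dport=25 action=deny
""".splitlines()

if __name__ == "__main__":
    for src, dsts in find_direct_mx_senders(SAMPLE_LOG).items():
        print(f"{src} delivered directly to {len(dsts)} external MX hosts: {dsts}")
```

The same fan-out logic applies to the DNS side: a workstation issuing a burst of MX queries is the step that precedes these connections. Blocking outbound TCP/25 from everything except the relay turns the detection into prevention and still leaves the deny logs as an infection indicator.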
System changes
When executed, the worm may display a fake error message.
It copies itself into the %windir% folder as SERVICES.EXE and creates a
registry Run value to load itself at system start:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
"service" = C:\WINNT\services.exe -serv
Network propagation / Peer-to-peer propagation
The worm copies itself to directories named share or sharing on the local
system and on mapped network drives. This results in propagation via KaZaa,
Bearshare, Limewire and other P2P applications whose shared-folder names contain
the words share or sharing. The filenames are hardcoded in the worm and chosen
randomly:
- angels.pif
- cool screensaver.scr
- dictionary.doc.exe
- dolly_buster.jpg.pif
- doom2.doc.pif
- e.book.doc.exe
- e-book.archive.doc.exe
- eminem - lick my pussy.mp3.pif
- hardcore porn.jpg.exe
- how to hack.doc.exe
- matrix.scr
- max payne 2.crack.exe
- nero.7.exe
- office_crack.exe
- photoshop 9 crack.exe
- porno.scr
- programming basics.doc.exe
- rfc compilation.doc.exe
- serial.txt.exe
- sex sex sex sex.doc.exe
- strippoker.exe
- virii.scr
- win longhorn.doc.exe
- winxp_crack.exe
The worm also drops numerous ZIP files containing the worm (22,016 bytes). The
file inside the archive frequently uses a double extension such as .doc.pif,
.rtf.com or .rtf.scr. The list of ZIP names is hardcoded in the virus body:
- aboutyou.zip
- attachment.zip
- bill.zip
- concert.zip
- creditcard.zip
- details.zip
- dinner.zip
- disco.zip
- final.zip
- found.zip
- friend.zip
- jokes.zip
- location.zip
- mail2.zip
- mails.zip
- me.zip
- message.zip
- misc.zip
- msg.zip
- nomoney.zip
- note.zip
- object.zip
- part2.zip
- party.zip
- posting.zip
- product.zip
- ps.zip
- ranking.zip
- release.zip
- shower.zip
- story.zip
- stuff.zip
- swimmingpool.zip
- talk.zip
- textfile.zip
- topseller.zip
- website.zip
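The persistence entry under "System changes" and the P2P drop names above are the two artefacts to look for on a suspect box. The following is an added example for this page, not an NAI tool: it works on text captured with `reg query` and a file listing so it can be run off-box, the parsing regex and function names are this example's own, and the registry and path samples are constructed. One caveat worth building in: a genuine services.exe lives in %windir%\System32, so the worm's copy one level up in %windir%, launched with "-serv", is what distinguishes it.

```python
# Added example: host triage for the Netsky.B persistence value and the
# P2P share-folder drops. Parsing logic and samples are constructed here.
import ntpath
import re

# One line of `reg query HKLM\...\Run` output: name, REG_ type, data.
RUN_VALUE_RE = re.compile(
    r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")

# Drop names listed in the advisory's P2P propagation section.
P2P_DROP_NAMES = {
    "angels.pif", "cool screensaver.scr", "dictionary.doc.exe",
    "dolly_buster.jpg.pif", "doom2.doc.pif", "e.book.doc.exe",
    "e-book.archive.doc.exe", "eminem - lick my pussy.mp3.pif",
    "hardcore porn.jpg.exe", "how to hack.doc.exe", "matrix.scr",
    "max payne 2.crack.exe", "nero.7.exe", "office_crack.exe",
    "photoshop 9 crack.exe", "porno.scr", "programming basics.doc.exe",
    "rfc compilation.doc.exe", "serial.txt.exe", "sex sex sex sex.doc.exe",
    "strippoker.exe", "virii.scr", "win longhorn.doc.exe", "winxp_crack.exe",
}


def parse_reg_query(text):
    """Parse `reg query <key>` output into {value name: data}."""
    values = {}
    for line in text.splitlines():
        m = RUN_VALUE_RE.match(line)
        if m:
            values[m.group("name")] = m.group("data")
    return values


def suspicious_run_values(values):
    """Flag Run values that match the worm's services.exe -serv entry.

    The legitimate services.exe is in %windir%\\System32; a copy anywhere
    else, or any Run value ending in '-serv', is treated as a hit."""
    hits = []
    for name, data in values.items():
        path = data.split(" -")[0].strip('"')
        head, tail = ntpath.split(path)
        if tail.lower() == "services.exe" and not head.lower().endswith("system32"):
            hits.append((name, data))
        elif data.lower().rstrip().endswith("-serv"):
            hits.append((name, data))
    return hits


def p2p_drops(paths):
    """Return paths whose folder contains 'share'/'sharing' and whose name is a drop name."""
    hits = []
    for p in paths:
        head, tail = ntpath.split(p)
        folders = head.lower().split("\\")
        in_share = any("share" in f or "sharing" in f for f in folders)
        if in_share and tail.lower() in P2P_DROP_NAMES:
            hits.append(p)
    return hits


# Constructed sample captures (not from a real infected host).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    service    REG_SZ    C:\WINNT\services.exe -serv
    Startup Helper    REG_SZ    C:\Program Files\Helper\helper.exe
"""

SAMPLE_PATHS = [
    r"C:\Program Files\KaZaA\My Shared Folder\how to hack.doc.exe",
    r"C:\Program Files\KaZaA\My Shared Folder\song.mp3",
    r"D:\sharing\winxp_crack.exe",
    r"C:\Documents and Settings\dave\My Documents\matrix.scr",
]

if __name__ == "__main__":
    print(suspicious_run_values(parse_reg_query(SAMPLE_REG_QUERY)))
    print(p2p_drops(SAMPLE_PATHS))
```

The last sample path is deliberately a drop name outside any share folder: it is not reported, because the file list alone cannot tell a renamed screensaver from the worm, and the 22,016-byte size from the advisory is the better tie-breaker for files found elsewhere.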
Mydoom virus removal
The virus removes
the following registry values to deactivate Mydoom.a and Mydoom.b.
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
Taskmon
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
Explorer
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
Taskmon
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
Explorer
- HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
Other registry keys removed are as follows:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
KasperskyAv
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
system.