Mikes VirusInfo VIRUS NETSKYP

Back To MYTECH
Latest Netsky Variant a Medium-Level Threat
From; eSsecurityplanet
March 22, 2004

Several security vendors Monday issued medium-level alerts for W32/Netsky-P, a mass-mailing worm that spreads by emailing itself to addresses harvested from files on the local drives.

According to Sophos, the worm copies itself to the Windows folder as FVProtect.exe and adds the following registry entry to run itself whenever the user logs on to the computer:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton Antivirus AV = \FVProtect.exethis Sophos page.

W32/Netsky.p@MM is a new variant of W32/Netsky@MM that spreads through email like its predecessors. The main component is 29,568 bytes long, FSG packed, according to Network Associates, which also issued an alert Monday.

When run, the worm copies itself to the Windows directory as:

FVProtect.exe

It creates the following files in the same directory:

  • userconfig9x.dll (26,624)
  • base64.tmp (UUEncoded worm)
  • zip1.tmp (UUEncoded of worm zip archive)
  • zip2.tmp (UUEncoded of worm zip archive)
  • zip3.tmp (UUEncoded of worm zip archive)
  • zipped.tmp (worm in zip archive)
  • Where the three zip archives are different in binary.

    The following registry keys are created:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Norton Antivirus AV" = %WinDir%\FVProtect.exe
    Where %WinDir% is the Windows directory.

    The worm sends mails using SMTP. Email sent has the following characteristics:
    From: (forged address taken from infected system)
    Subject: (Taken from the following list)

  • Stolen document
  • Re:Hello
  • Mail Delivery ( failure sender address )
  • Private document
  • Re:Notify
  • Re:document
  • Re:Extended Mail System
  • Re:Proctected Mail System
  • Re:Question
  • Private document
  • Postcard
    Body: (Taken from the following list)
  • I found this document about you.
  • I have attached it to this mail.
  • Waiting for authentification.
  • Please confirm!
  • Protected message is available
  • Do not visit this illegal websites!
  • Here is my phone number.
  • I cannot believe that.
  • Your file is attached.
  • For further details see that attachment.
  • Congratulations!, your best friend.
  • Greetings from france, your friend.
  • If the message will not displayed automatically, follow the link to read the delivered message.

    Received message is available at:
    (forged web link. )

    View the various attachments and other information at this Network Associates page.

    Due to an increase in the rate of submissions, Symantec Security Response has upgraded W32.Netsky.P@mm to a Category 3 from a Category 2 threat.

    W32.Netsky.P@mm (also known as W32.Netsky.Q@mm) is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing program by copying itself into various shared folders.

    The From line of the email is spoofed, and its Subject line and message body of the email vary. The attachment name varies with .exe, .pif, .scr, or .zip file extension.

    This threat is compressed with FSG.

    Technical details are at this Symantec page.

    Worm_Netsky.P propagates via email using its own Simple Mail Transfer Protocol (SMTP) engine, according to Trend Micro.

    It exploits a known vulnerability affecting Internet Explorer involving incorrect MIME Header (MS01-020), which allows the automatic execution of email attachments while an email is read or previewed. More information on this vulnerability is available here

    The email that it sends out has varying subjects, message bodies, and attachment file names. It gathers email addresses from files with certain extension names. It also attempts to propagate via network shares by dropping copies of itself on certain folders found in the affected system.

    It also has a payload of deleting specific registry keys, if they exist.

    This memory-resident worm is compressed using UPX, and runs on 95, 98, ME, NT, 2000 and XP.

    Technical details are at this Trend Micro page.

    According to F-Secure, Netsky.P's file is spread as a dropper that is a Windows PE executable 29568 bytes long, packed with FSG file. When the dropper is run, it extracts the main worm's file that is 26624 bytes long and is packed with a modified UPX file compressor. That file is a DLL, so Netsky authors started to use a new approach to installing the worm to a system.

    Upon execution Netsky.P copies itself as FVPROTECT.EXE file to Windows folder and then extracts the main worm component as USERCONFIG9X.DLL to the same folder. The worm adds a startup key for one of the dropped files into System Registry:

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Norton Antivirus AV" = "%WinDir\fvprotect.exe"
    where %WinDir% represents Windows folder name.

    Additionally the worm drops the following files into Windows folder:
    zipped.tmp
    base64.tmp
    zip1.tmp
    zip2.tmp
    zip3.tmp

    These files contain UUEncoded worm's executable file and ZIP archives (3 different variants). These 3 archives contain worm's executables with the following names:
    document.txt .exe
    data.rtf .scr
    details.txt .pif

    Before spreading in e-mail the worm collects e-mail addresses. It scans all files on all drives from C: to Z: except CD-ROM drives. If any file with the following extensions is found, the worm opens it and searches for e-mail addresses there:
    .pl
    .htm
    .html
    .eml
    .txt
    .php
    .asp
    .wab
    .doc
    .vbs
    .rtf
    .uin
    .shtm
    .cgi
    .dhtm
    .adb
    .tbb
    .dbx
    .sht
    .oft
    .msg
    .jsp
    .wsh
    .xml

    The worm avoids sending e-mails to addresses that contain certain substrings. View them and other information at this F-Secure page.

    Trojan/Worm Runs in Background, Allows Unauthorized Remote Access

    W32/Sdbot-GR is a backdoor Trojan and network-aware worm which runs in the background as a service process and allows unauthorised remote access to the computer via IRC channels.

    W32/Sdbot-GR copies itself to the Windows system folder as wintask.exe and creates the following registry entry so that the Trojan is run when a user logs on to Windows:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winlog
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\winlog
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\winlog
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winlog
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\winlog

    W32/Sdbot-GR remains resident, listening for commands from remote users. If the appropriate commands are received the worm will begin scanning the internet for network shares with weak administrator passwords and will attempt to copy itself to these shares.

    Instructions for removing worms are at this Sophos page.

    Witty Worm Spreads Through Network Traffic Only

    W32/Witty.worm spreads using network traffic only. There are no emails sent or files dropped on the machine. The user does not have to run anything and can't see anything of the infection process.

    Note: As no files are dropped on the machine by the worm, detection in the specified DATs and later will be detection for the worm running in memory when the machine is infected.

    When a malicious packet hits a vulnerable machine, the worm will get executed in memory and start to spread from the new victim.

    The worm first sends out 20,000 packets from UDP port 4000 to random IP addresses and random ports. Then it writes 64kb of the exploited DLL to a random position on the harddrive. After that, it starts spreading again and loops.

    The payload, writing 65K byte to a random position on the disk, will result in corrupted files. The longer a machine is infected, the more parts of the hard drive will get damaged! Tests show that a machine infected for 10 minutes was not able to reboot because of damaged system files.

    Damaged files need to be replaced from a backup--they can't be cleaned as they have been overwritten.

    Version 'BlackIce 3.6.ccf ' is affected by this worm, the latest available version (BlackIce 3.6.ccg) as well as version 3.5 and prior are not.

    A patch for BlackIce products is available here.

    According to Symantec, W32.Witty.Worm utilizes a vulnerability in ICQ parsing by ISS products. The worm sends itself to multiple IP addresses using UDP source port 4000 and a random destination port. The worm resides in memory only, and does not create files on the infected computer. The worm also has a payload that overwrites random sectors of a random hard disk.

    Technical details are at this Symantec page.

    --Compiled by Esther Shein

    Mike's VIRUS INFO PAGES
    To VIRUS INFO main
    To Mike's VIRUS INFO Page 2
    To Mike's VIRUS INFO HACKFIX TIPS Page 3
    To HACKFIX PROGRAM UPDATES Page 4
    To ME_XP Restore
    Uninstalling_Norton_AV
    Mike's VirusInfo Virus Information Feeds
    Mike's Virus Removers
    VIRUS ALERTS Feed

    Back To MYTECH


    Mike ~ It is a good day if I learned something new. Mike Mike
    Editor MikesWhatsNews MikesWhatsNews MikesWhatsNews