Mikes VirusInfo VIRUS NETSKYP |
Several security vendors Monday issued medium-level alerts for W32/Netsky-P, a mass-mailing worm that spreads by emailing itself to addresses harvested from files on the local drives.
According to Sophos, the worm copies itself to the Windows folder as FVProtect.exe and adds the following registry entry to run itself whenever the user logs on to the computer:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton Antivirus AV
=
W32/Netsky.p@MM is a new variant of W32/Netsky@MM that spreads through email like its predecessors. The main component is 29,568 bytes long, FSG packed, according to Network Associates, which also issued an alert Monday.
When run, the worm copies itself to the Windows directory as:
FVProtect.exe
It creates the following files in the same directory:
Where the three zip archives are different in binary.
The following registry keys are created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Norton Antivirus AV" = %WinDir%\FVProtect.exe
The worm sends mails using SMTP. Email sent has the following characteristics:
Received message is available at:
View the various attachments and other information at this Network Associates page.
Due to an increase in the rate of submissions, Symantec Security Response has upgraded W32.Netsky.P@mm to a Category 3 from a Category 2 threat.
W32.Netsky.P@mm (also known as W32.Netsky.Q@mm) is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing program by copying itself into various shared folders.
The From line of the email is spoofed, and its Subject line and message body of the email vary. The attachment name varies with .exe, .pif, .scr, or .zip file extension.
This threat is compressed with FSG.
Technical details are at this Symantec page.
Worm_Netsky.P propagates via email using its own Simple Mail Transfer Protocol (SMTP) engine, according to Trend Micro.
It exploits a known vulnerability affecting Internet Explorer involving incorrect MIME Header (MS01-020), which allows the automatic execution of email attachments while an email is read or previewed. More information on this vulnerability is available here
The email that it sends out has varying subjects, message bodies, and attachment file names. It gathers email addresses from files with certain extension names. It also attempts to propagate via network shares by dropping copies of itself on certain folders found in the affected system.
It also has a payload of deleting specific registry keys, if they exist.
This memory-resident worm is compressed using UPX, and runs on 95, 98, ME, NT, 2000 and XP.
Technical details are at this Trend Micro page.
According to F-Secure, Netsky.P's file is spread as a dropper that is a Windows PE executable 29568 bytes long, packed with FSG file. When the dropper is run, it extracts the main worm's file that is 26624 bytes long and is packed with a modified UPX file compressor. That file is a DLL, so Netsky authors started to use a new approach to installing the worm to a system.
Upon execution Netsky.P copies itself as FVPROTECT.EXE file to Windows folder and then extracts the main worm component as USERCONFIG9X.DLL to the same folder. The worm adds a startup key for one of the dropped files into System Registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Additionally the worm drops the following files into Windows folder:
These files contain UUEncoded worm's executable file and ZIP archives (3 different variants). These 3 archives contain worm's executables with the following names:
Before spreading in e-mail the worm collects e-mail addresses. It scans all files on all drives from C: to Z: except CD-ROM drives. If any file with the following extensions is found, the worm opens it and searches for e-mail addresses there:
The worm avoids sending e-mails to addresses that contain certain substrings. View them and other information at this F-Secure page.
Trojan/Worm Runs in Background, Allows Unauthorized Remote Access
W32/Sdbot-GR is a backdoor Trojan and network-aware worm which runs in the background as a service process and allows unauthorised remote access to the computer via IRC channels.
W32/Sdbot-GR copies itself to the Windows system folder as wintask.exe and creates the following registry entry so that the Trojan is run when a user logs on to Windows:
W32/Sdbot-GR remains resident, listening for commands from remote users. If the appropriate commands are received the worm will begin scanning the internet for network shares with weak administrator passwords and will attempt to copy itself to these shares.
Instructions for removing worms are at this Sophos page.
Witty Worm Spreads Through Network Traffic Only
W32/Witty.worm spreads using network traffic only. There are no emails sent or files dropped on the machine. The user does not have to run anything and can't see anything of the infection process.
Note: As no files are dropped on the machine by the worm, detection in the specified DATs and later will be detection for the worm running in memory when the machine is infected.
When a malicious packet hits a vulnerable machine, the worm will get executed in memory and start to spread from the new victim.
The worm first sends out 20,000 packets from UDP port 4000 to random IP addresses and random ports. Then it writes 64kb of the exploited DLL to a random position on the harddrive. After that, it starts spreading again and loops.
The payload, writing 65K byte to a random position on the disk, will result in corrupted files. The longer a machine is infected, the more parts of the hard drive will get damaged! Tests show that a machine infected for 10 minutes was not able to reboot because of damaged system files.
Damaged files need to be replaced from a backup--they can't be cleaned as they have been overwritten.
Version 'BlackIce 3.6.ccf ' is affected by this worm, the latest available version (BlackIce 3.6.ccg) as well as version 3.5 and prior are not.
A patch for BlackIce products is available here.
According to Symantec, W32.Witty.Worm utilizes a vulnerability in ICQ parsing by ISS products. The worm sends itself to multiple IP addresses using UDP source port 4000 and a random destination port. The worm resides in memory only, and does not create files on the infected computer. The worm also has a payload that overwrites random sectors of a random hard disk.
Technical details are at this Symantec page.
--Compiled by Esther Shein
Mike's VIRUS INFO PAGES
Where %WinDir% is the Windows directory.
From: (forged address taken from infected system)
Subject: (Taken from the following list)
Body: (Taken from the following list)
(forged web link. )
"Norton Antivirus AV" = "%WinDir\fvprotect.exe"
where %WinDir% represents Windows folder name.
zipped.tmp
base64.tmp
zip1.tmp
zip2.tmp
zip3.tmp
document.txt
data.rtf
details.txt
.pl
.htm
.html
.eml
.txt
.php
.asp
.wab
.doc
.vbs
.rtf
.uin
.shtm
.cgi
.dhtm
.adb
.tbb
.dbx
.sht
.oft
.msg
.jsp
.wsh
.xml
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\winlog
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\winlog
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\winlog
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winlog
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\winlog
To
VIRUS INFO main
To
Mike's VIRUS INFO Page 2
To
Mike's VIRUS INFO HACKFIX TIPS Page 3
To
HACKFIX PROGRAM UPDATES Page 4
To ME_XP Restore
Uninstalling_Norton_AV
Mike's
VirusInfo Virus Information Feeds
Mike's
Virus Removers
VIRUS
ALERTS Feed
Mike ~ It is a good day if I learned something new. Mike
Mike
Editor MikesWhatsNews MikesWhatsNews MikesWhatsNews