Summary of W32/Netsky.B@mm

| Alias: | I-worm.Moodown.b |
| Length: | 22KB |
| Discovered: | 18 Feb 2004 |
| Definition files: | 18 Feb 2004 |
| Risk Level: | High |
| Distribution: | High |
Brief Description
This is a mass mailer that uses its own mail engine; it attempts to improve spreading by copying itself to directories called "Share" or "Sharing". The attachments can be zip files or have double extensions.
Technical Description
When executed, the worm checks whether it is already resident in memory; if so, it terminates, otherwise it displays a dialog box (see below).
After the user closes that dialog box, the worm creates a copy of itself in the Windows directory named services.exe and registers it to run at every startup by adding a value called "service" under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
It also attempts to disable certain software by removing the following values from the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\system.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\system.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\KasperskyAv
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\KasperskyAv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Explorer
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32\Taskmon
To create forged emails, it harvests email addresses from files with the following extensions. It sends itself to every address found, and the same addresses are also used to spoof the sender address:
.msg .oft .sht .dbx .tbb .adb .doc .wab .asp .uin .rtf .vbs .html .htm .pl .php .txt .eml
The message in the mail body is selected at random from the strings below:
something is fool
something is going wrong
you are bad you try to steal
you feel the same
you earn money
thats wrong
why?
take it easy
reply
do you?
that's funny
here, the cheats
here, the introduction
here, the serials
from the chatter
about me
information about you
something is going wrong!
stuff about you?
greetings
see you
here it is
that is bad
yes, really?
i found this document about you your name is wrong
i hope it is not true!
kill the writer of this document!
something about you!
I have your password!
you are a bad writer
is that from you?
i wait for a reply!
is that your account?
is that your name?
is that true?
here
my hero
read it immediately!
here is the document.
read the details.
i'm waiting
ok what does it mean?
anything ok?
The subject can be one of the following words/sentences:
unknown
fake
stolen
information
warning
something for you
read it immediately
hello
hi
The attachment name is selected from the list below. At random, the worm appends a double extension, for example ranking.doc.pif; the attachment can also be a zip archive.
misc
party
disco
part2
mail2
object
ranking
dinner
release
final
location
jokes
friend
website
mails
story
found
nomoney
aboutyou
shower
ps
topseller
product
swimmingpool
bill
note
concert
textfile
posting stuff
me
attachment
details
creditcard
message
talk
doc
msg
document
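As an added example (not part of the FRISK advisory), here is a mail-gateway check that flags the subject and attachment-name patterns listed above: a subject from the subject list, and an attachment whose base name is from the list and either carries a double extension ending in an executable type or is a zip archive. The set of extensions treated as executable (EXEC_EXTS) is an assumption; the sample message is constructed.

```python
import email
from email import policy
SUBJECTS = {"unknown", "fake", "stolen", "information", "warning",
            "something for you", "read it immediately", "hello", "hi"}
ATTACH_BASES = {"misc", "party", "disco", "part2", "mail2", "object", "ranking", "dinner",
                "release", "final", "location", "jokes", "friend", "website", "mails", "story",
                "found", "nomoney", "aboutyou", "shower", "ps", "topseller", "product",
                "swimmingpool", "bill", "note", "concert", "textfile", "posting stuff", "me",
                "attachment", "details", "creditcard", "message", "talk", "doc", "msg", "document"}
EXEC_EXTS = {"pif", "exe", "scr", "com", "bat"}  # assumption: extensions treated as executable

def classify_attachment(filename):
    """Return 'double-ext' (e.g. ranking.doc.pif), 'zip' or None for an attachment name."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[0] in ATTACH_BASES and parts[2] in EXEC_EXTS:
        return "double-ext"
    if len(parts) >= 2 and parts[0] in ATTACH_BASES and parts[-1] == "zip":
        return "zip"
    return None

def netsky_b_indicators(raw_message):
    """List the Netsky.B traits found in an RFC 822 message: subject and attachment name."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        reasons.append("subject")
    for part in msg.iter_attachments():
        kind = classify_attachment(part.get_filename() or "")
        if kind:
            reasons.append("attachment:" + kind)
    return reasons

# Constructed sample message shaped like the advisory describes (not a real capture).
SAMPLE = """\
From: spoofed@example.invalid
Subject: warning
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

here is the document.
--b1
Content-Type: application/octet-stream; name="ranking.doc.pif"
Content-Disposition: attachment; filename="ranking.doc.pif"

TVo=
--b1--
"""
```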
The worm tries to improve its spreading by copying itself to every directory called "Share" or "Sharing". It goes through drives A to Z on the local machine and searches for those directories; if found, it copies itself into them using the following file names:
winxp_crack.exe
dolly_buster.jpg.pif
strippoker.exe
photoshop 9 crack.exe
matrix.scr
porno.scr
angelis.pif
hardcore porn.jpg.exe
office_crack.exe
serial.txt.exe
cool screensaver.scr
eminem - lick my pussy.mp3.pif
nero.7.exe
virii.scr
e-book.archive.doc.exe
max payne 2.crack.exe
how to hack.doc.exe
programming basics.doc.exe
e.book.doc.exe
win longhorn.doc.exe
dictionary.doc.exe
rfc compilation.doc.exe
sex sex sex sex.doc.exe
doom2.doc.pif
Removal Instructions
If you run the OnDemand Scanner regularly, it can be used to disinfect, but some viruses, such as Netsky.B@mm, cannot be disinfected in Windows. This is because the virus infects files that Windows uses while running, so F-Prot Antivirus cannot access those files to disinfect them; it is necessary to disinfect using the DOS scanner (for Windows 95/98/ME) or the Command-line scanner (for Windows NT/2000/XP).
After disinfection, remove this value from the registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"service"="C:\\WINDOWS\\services.exe -serv"
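An added host-side check (not FRISK's code) for the two artefacts this advisory describes: the "service" autostart value under the Run key shown above, read from a .reg export of that key, and copies of the worm under its listed file names inside directories called "Share" or "Sharing". The .reg text and the share tree in demo() are constructed.

```python
import os
import re
import tempfile
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_DATA_RE = re.compile(r"\\services\.exe -serv$", re.IGNORECASE)  # data of the "service" value
DROP_NAMES = {  # names the worm drops into Share/Sharing directories (from the advisory)
    "winxp_crack.exe", "dolly_buster.jpg.pif", "strippoker.exe", "photoshop 9 crack.exe",
    "matrix.scr", "porno.scr", "angelis.pif", "hardcore porn.jpg.exe", "office_crack.exe",
    "serial.txt.exe", "cool screensaver.scr", "eminem - lick my pussy.mp3.pif", "nero.7.exe",
    "virii.scr", "e-book.archive.doc.exe", "max payne 2.crack.exe", "how to hack.doc.exe",
    "programming basics.doc.exe", "e.book.doc.exe", "win longhorn.doc.exe", "dictionary.doc.exe",
    "rfc compilation.doc.exe", "sex sex sex sex.doc.exe", "doom2.doc.pif"}
KEY_RE = re.compile(r"^\[(.+)\]$")             # [HKEY_...] lines of a .reg export
VAL_RE = re.compile(r'^"([^"]*)"="(.*)"$')     # "name"="data" lines of a .reg export

def run_value_hits(reg_text):
    """Return (key, name, data) for Run entries that match the worm's autostart value."""
    hits, key = [], None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VAL_RE.match(line)
        if m and key and key.lower() == RUN_KEY.lower():
            name, data = m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping
            if name.lower() == "service" and RUN_DATA_RE.search(data):
                hits.append((key, name, data))
    return hits

def share_drops(root):
    """Walk root and return paths of known drop names inside Share/Sharing directories."""
    found = []
    for dirpath, _, files in os.walk(root):
        if os.path.basename(dirpath).lower() in ("share", "sharing"):
            found += [os.path.join(dirpath, f) for f in files if f.lower() in DROP_NAMES]
    return sorted(found)

def demo():
    # Constructed sample: a .reg export carrying the worm's value, and a throwaway share tree.
    reg = ('[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n'
           '"service"="C:\\\\WINDOWS\\\\services.exe -serv"\n')
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "Sharing")
        os.makedirs(share)
        for name in ("winxp_crack.exe", "readme.txt"):
            open(os.path.join(share, name), "w").close()
        drops = [os.path.basename(p) for p in share_drops(tmp)]
    return run_value_hits(reg), drops
```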
Guidelines on Safe Computing
- Make sure you always have the latest version of F-Prot Antivirus installed on your computer and update the virus signature files regularly.
- Be extremely careful when opening e-mail from anyone you do not know. Attachments are especially dangerous. Never run an attachment unless you know exactly what it is, even if it appears to have been sent to you by someone you know. Most worms have the ability to falsify the "From" address.
- Make sure that your operating system is up-to-date. If you are using Windows, use Windows Automatic Updates and download the service packs when they are released. For more information on keeping Windows up-to-date, please visit Microsoft's Windows Update web site.
- If you are using Internet Explorer / Outlook Express or Office / Outlook, make sure that you always have the latest versions. Old versions may contain security holes that are used by virus writers to access your computer. Please visit Microsoft's Windows Update web site to update Internet Explorer and Outlook Express and Microsoft's Office Update web site to update Office and Outlook.
- Use a firewall. When you are browsing the Internet, the firewall creates a shield between your computer and possible malicious content on the Internet.
- Scan all removable media (CD-ROMs, floppy disks, USB keys, external hard drives etc.) before you open or run any content on it.
- Scan all files that you receive through the IRC, MSN, ICQ, Kazaa and other such on-line services.
- Use software that detects ad-ware and spyware.
Ragnar Gisli - Senior virus researcher, FRISK Software International