2004-03-19 13:56 - Win32/Netsky.B@mm
Posted by lawwrentiu (Viruses - Antivirus)
This is a new Internet worm. It arrives in an e-mail as a ZIP archive attachment. The size of the ZIP file is around 22Kb. The worm code is packed with the well-known UPX compression utility.

The worm starts by checking whether another copy of itself is already active on the system (using a mutex called AdmSkynetJklS003). Next, it pops up a message box with the title "Error" and the message "The file could not be opened!".

Netsky copies itself into the Windows directory as "services.exe" and adds a value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, which allows the worm code to be executed each time a user logs on. Next, Netsky attempts to remove the registry entries used by Mydoom.A and .B. The following registry values are also deleted:


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\system.

Next, Netsky searches drives 'C' to 'Z' that are not CD-ROMs. Inside each folder whose name contains "share" or "sharing", a copy of the worm is dropped under one of the following names:

"winxp_crack.exe", "dolly_buster.jpg.pif", "strippoker.exe", "photoshop 9 crack.exe", "matrix.scr", "porno.scr", "angels.pif", "hardcore porn.jpg.exe", "office_crack.exe", "serial.txt.exe", "cool screensaver.scr", "eminem - lick my pussy.mp3.pif", "nero.7.exe", "virii.scr", "e-book.archive.doc.exe", "max payne 2.crack.exe", "how to hack.doc.exe", "programming basics.doc.exe", "e.book.doc.exe", "win longhorn.doc.exe", "dictionary.doc.exe", "rfc compilation.doc.exe", "sex sex sex sex.doc.exe", "doom2.doc.pif".
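
A host-side check for the share-folder behaviour described above, as an added example that is not part of the original write-up. It walks a directory tree, looks only inside folders whose name contains "share" or "sharing", and groups files carrying one of the listed names by SHA-256; the function names and the idea of clustering by digest (every dropped file is a copy of the same worm binary) are assumptions of this example.

```python
import hashlib
import os
from collections import defaultdict

# Lure file names copied from the list above.
LURE_NAMES = {
    "winxp_crack.exe", "dolly_buster.jpg.pif", "strippoker.exe",
    "photoshop 9 crack.exe", "matrix.scr", "porno.scr", "angels.pif",
    "hardcore porn.jpg.exe", "office_crack.exe", "serial.txt.exe",
    "cool screensaver.scr", "eminem - lick my pussy.mp3.pif", "nero.7.exe",
    "virii.scr", "e-book.archive.doc.exe", "max payne 2.crack.exe",
    "how to hack.doc.exe", "programming basics.doc.exe", "e.book.doc.exe",
    "win longhorn.doc.exe", "dictionary.doc.exe", "rfc compilation.doc.exe",
    "sex sex sex sex.doc.exe", "doom2.doc.pif",
}


def is_share_folder(path):
    """True if the folder name contains "share" or "sharing" (case-insensitive)."""
    name = os.path.basename(os.path.normpath(path)).lower()
    return "share" in name or "sharing" in name


def find_lure_files(root):
    """Map SHA-256 digest -> sorted paths of lure-named files in share folders."""
    by_digest = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        if not is_share_folder(dirpath):
            continue
        for fname in files:
            if fname.lower() in LURE_NAMES:
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    by_digest[hashlib.sha256(fh.read()).hexdigest()].append(path)
    return {digest: sorted(paths) for digest, paths in by_digest.items()}


def identical_copies(root):
    """Digests shared by two or more lure-named files: one binary, many names."""
    return {d: p for d, p in find_lure_files(root).items() if len(p) > 1}
```

Several differently named files with the same digest in one share folder is a much stronger signal than a single name match, which can be a coincidence.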

Before continuing with the spreading routine, Netsky waits for an available Internet connection. When such a connection is detected, the mass-mailing routine is executed. That routine harvests e-mail addresses from the following file types:

".eml", ".txt", ".php", ".pl", ".htm", ".html", ".vbs", ".rtf", ".uin", ".asp", ".wab", ".doc", ".adb", ".tbb", ".dbx", ".sht", ".oft", ".msg".


The subject is randomly selected from the following list:

"hi",
"hello",
"read it immediately",
"something for you",
"warning",
"information",
"stolen",
"fake",
"unknown"

The filename is randomly selected from the following possible variants:

document, msg, doc, talk, message, creditcard, details, attachment, me, stuff, posting, textfile, concert, information, note, bill, swimmingpool, product, topseller, ps, shower, aboutyou, nomoney, found, story, mails, website, friend, jokes, location, final, release, dinner, ranking, object, mail2, part2, disco, party, misc, #n#o#t#n#e#t#s#k#y#-#s#k#y#n#e#t#!

The first extension is one of the following, but may also be missing: .txt, .rtf, .doc, .htm

The second extension (or first if the one above is missing) is selected from the following list:
.exe, .scr, .com, .pif

The message body is randomly selected from the following list:


"anything ok?",
"what does it mean?",
"ok",
"i'm waiting",
"read the details.",
"here is the document.",
"read it immediately!",
"my hero",
"here",
"is that true?",
"is that your name?",
"is that your account?",
"i wait for a reply!",
"is that from you?",
"you are a bad writer",
"I have your password!",
"something about you!",
"kill the writer of this document!",
"i hope it is not true!",
"your name is wrong",
"i found this document about you",
"yes, really?",
"that is bad",
"here it is",
"see you",
"greetings",
"stuff about you?",
"something is going wrong!",
"information about you",
"about me",
"from the chatter",
"here, the serials",
"here, the introduction",
"here, the cheats",
"that's funny",
"do you?",
"reply",
"take it easy",
"why?",
"thats wrong",
"misc",
"you earn money",
"you feel the same",
"you try to steal",
"you are bad",
"something is going wrong",
"something is fool".
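
The subject list and the attachment naming scheme described above (base name, optional first extension, executable final extension), turned into a mail-gateway check; this is an added example, not code from the original analysis. The function names are hypothetical, and looking at ZIP member names as well as the outer attachment name is an assumption based on the statement that the worm arrives as a ZIP archive.

```python
import io
import zipfile

# Indicator lists copied from the description above.
SUBJECTS = {"hi", "hello", "read it immediately", "something for you",
            "warning", "information", "stolen", "fake", "unknown"}
BASENAMES = set((
    "document msg doc talk message creditcard details attachment me stuff "
    "posting textfile concert information note bill swimmingpool product "
    "topseller ps shower aboutyou nomoney found story mails website friend "
    "jokes location final release dinner ranking object mail2 part2 disco "
    "party misc #n#o#t#n#e#t#s#k#y#-#s#k#y#n#e#t#!").split())
DECOY_EXT = (".txt", ".rtf", ".doc", ".htm")   # optional first extension
EXEC_EXT = (".exe", ".scr", ".com", ".pif")    # final extension, always present


def match_name(filename):
    """Return (base, decoy_ext, exec_ext) if the name fits the scheme, else None."""
    name = filename.strip().lower().replace("\\", "/").rsplit("/", 1)[-1]
    exec_ext = next((e for e in EXEC_EXT if name.endswith(e)), None)
    if exec_ext is None:
        return None
    stem = name[:-len(exec_ext)]
    decoy = next((e for e in DECOY_EXT if stem.endswith(e)), "")
    base = stem[:-len(decoy)] if decoy else stem
    return (base, decoy, exec_ext) if base in BASENAMES else None


def candidate_names(filename, data):
    """The attachment name plus, for ZIP attachments, the names of its members."""
    names = [filename]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names += zf.namelist()
    except zipfile.BadZipFile:
        pass  # not a ZIP (or a damaged one): judge the outer name only
    return names


def score_message(subject, attachments):
    """attachments: list of (filename, bytes). Returns a list of findings."""
    findings = []
    if subject.strip().lower() in SUBJECTS:
        findings.append("subject:" + subject.strip().lower())
    for filename, data in attachments:
        for name in candidate_names(filename, data):
            if match_name(name):
                findings.append("attachment:" + name.lower())
    return findings
```

Subjects such as "hi" or "information" are common in legitimate mail, so a subject hit is only useful as corroboration of an attachment finding.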

Evilness: Potentially destructive (corrupts data while replicating)
Analyst: Adrian Marinescu
http://www.rav.ro/
