2004-03-19 13:56 - Win32/Netsky.B@mm | Posted by lawwrentiu | Viruses - Antivirus
This is a new Internet worm. It arrives in an e-mail as a ZIP archive attachment. The size of the ZIP file is around 22 KB. The worm code was packed with the well-known UPX compression utility.
The worm starts by checking whether another copy of itself is active on the system (using a mutex called AdmSkynetJklS003). Next, it pops up a message box with the title "Error" and the message "The file could not be opened!".
Netsky copies itself into the Windows directory as "services.exe" and adds a value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, which causes the worm code to be executed each time a user logs on. Next, Netsky attempts to remove the registry entries used by Mydoom.A and .B. The following registry values are also deleted:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\system.
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\system.
Next, Netsky searches drives from 'C' to 'Z' that are not CD-ROMs. Inside each folder whose name contains "share" or "sharing", a copy of the worm is dropped under one of the following names:
"winxp_crack.exe", "dolly_buster.jpg.pif", "strippoker.exe", "photoshop 9 crack.exe", "matrix.scr", "porno.scr", "angels.pif", "hardcore porn.jpg.exe", "office_crack.exe", "serial.txt.exe", "cool screensaver.scr", "eminem - lick my pussy.mp3.pif", "nero.7.exe", "virii.scr", "e-book.archive.doc.exe", "max payne 2.crack.exe", "how to hack.doc.exe", "programming basics.doc.exe", "e.book.doc.exe", "win longhorn.doc.exe", "dictionary.doc.exe", "rfc compilation.doc.exe", "sex sex sex sex.doc.exe", "doom2.doc.pif".
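A triage sweep for the dropped copies described above, as an added example (not code from the original analysis). It walks a directory tree, looks only in folders whose name contains "share" or "sharing", and reports files whose names are on the list; the `MZ` header check, the function names and the sample tree are additions made here, and a name match is a lead for further analysis, not proof of infection.

```python
import os
import tempfile

# Dropped-copy names listed in the write-up (compared case-insensitively).
DROPPED_NAMES = frozenset({
    "winxp_crack.exe", "dolly_buster.jpg.pif", "strippoker.exe",
    "photoshop 9 crack.exe", "matrix.scr", "porno.scr", "angels.pif",
    "hardcore porn.jpg.exe", "office_crack.exe", "serial.txt.exe",
    "cool screensaver.scr", "eminem - lick my pussy.mp3.pif", "nero.7.exe",
    "virii.scr", "e-book.archive.doc.exe", "max payne 2.crack.exe",
    "how to hack.doc.exe", "programming basics.doc.exe", "e.book.doc.exe",
    "win longhorn.doc.exe", "dictionary.doc.exe", "rfc compilation.doc.exe",
    "sex sex sex sex.doc.exe", "doom2.doc.pif",
})

def has_mz_header(path):
    """True if the file starts with the 'MZ' magic of a DOS/PE executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def scan(root):
    """Sorted (relative path, has MZ header) for listed names in share folders."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(dirpath).lower()
        if "share" not in folder and "sharing" not in folder:
            continue
        for name in files:
            if name.lower() in DROPPED_NAMES:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, has_mz_header(full)))
    return sorted(hits)

def demo():
    """Scan a constructed tree; file contents are harmless placeholder bytes."""
    samples = {"My Shared Folder/winxp_crack.exe": b"MZ constructed",
               "Sharing/Matrix.SCR": b"MZ constructed",
               "Shared/serial.txt.exe": b"plain text decoy",
               "Documents/matrix.scr": b"MZ constructed"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan(root)
```

On a real host, `scan` would be called once per fixed drive root; the file in `Documents` is not reported because the write-up limits dropping to share folders.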
Before continuing the spreading routine, Netsky waits for an available Internet connection. When such a connection is detected, the mass-mailing routine is executed. That routine harvests e-mail addresses from files of the following types:
".eml", ".txt", ".php", ".pl", ".htm", ".html", ".vbs", ".rtf", ".uin", ".asp", ".wab", ".doc", ".adb", ".tbb", ".dbx", ".sht", ".oft", ".msg".
The subject is randomly selected from the following list:
"hi",
"hello",
"read it immediately",
"something for you",
"warning",
"information",
"stolen",
"fake",
"unknown"
The filename is randomly selected from the following possible variants:
document, msg, doc, talk, message, creditcard, details, attachment, me, stuff, posting, textfile, concert, information, note, bill, swimmingpool, product, topseller, ps, shower, aboutyou, nomoney, found, story, mails, website, friend, jokes, location, final, release, dinner, ranking, object, mail2, part2, disco, party, misc, #n#o#t#n#e#t#s#k#y#-#s#k#y#n#e#t#!,
The first extension is one of the following, but it may also be missing: .txt, .rtf, .doc, .htm
The second extension (or first if the one above is missing) is selected from the following list:
.exe, .scr, .com, .pif
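The subject list and attachment naming scheme above, expressed as a mail-filter check (an added example, not code from the original analysis). It tests the attachment name and, when the attachment is a ZIP, the member names inside it; checking ZIP members, the verdict labels and the function names are assumptions made here, and the generic "double-extension" verdict goes beyond the page's lists.

```python
import io
import re
import zipfile

# Values copied from the write-up above; matching is case-insensitive.
SUBJECTS = frozenset({"hi", "hello", "read it immediately", "something for you",
                      "warning", "information", "stolen", "fake", "unknown"})
BASE_NAMES = frozenset((
    "document msg doc talk message creditcard details attachment me stuff "
    "posting textfile concert information note bill swimmingpool product "
    "topseller ps shower aboutyou nomoney found story mails website friend "
    "jokes location final release dinner ranking object mail2 part2 disco "
    "party misc #n#o#t#n#e#t#s#k#y#-#s#k#y#n#e#t#!"
).split())
NAME_RE = re.compile(
    r"^(?P<base>.+?)(?:\.(?P<first>txt|rtf|doc|htm))?"
    r"\.(?P<second>exe|scr|com|pif)$", re.IGNORECASE)

def candidate_names(filename, data=b""):
    """Attachment name plus, if the payload parses as a ZIP, its member names."""
    names = [filename]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names += [n.rsplit("/", 1)[-1] for n in zf.namelist()]
    except zipfile.BadZipFile:
        pass  # not a ZIP archive: only the attachment name is checked
    return names

def classify(subject, filename, data=b""):
    """Return 'netsky.b-scheme', 'double-extension' or 'no-match'."""
    verdict = "no-match"
    known_subject = subject.strip().lower() in SUBJECTS
    for name in candidate_names(filename, data):
        m = NAME_RE.match(name.strip())
        if not m:
            continue
        if known_subject and m.group("base").lower() in BASE_NAMES:
            return "netsky.b-scheme"
        if m.group("first"):
            verdict = "double-extension"  # generic rule, beyond the page's lists
    return verdict

def make_zip(member):
    """Constructed sample: in-memory ZIP holding one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed sample, not malware")
    return buf.getvalue()
```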
The message body is randomly selected from the following list:
"anything ok?",
"what does it mean?",
"ok",
"i'm waiting",
"read the details.",
"here is the document.",
"read it immediately!",
"my hero",
"here",
"is that true?",
"is that your name?",
"is that your account?",
"i wait for a reply!",
"is that from you?",
"you are a bad writer",
"I have your password!",
"something about you!",
"kill the writer of this document!",
"i hope it is not true!",
"your name is wrong",
"i found this document about you",
"yes, really?",
"that is bad",
"here it is",
"see you",
"greetings",
"stuff about you?",
"something is going wrong!",
"information about you",
"about me",
"from the chatter",
"here, the serials",
"here, the introduction",
"here, the cheats",
"that's funny",
"do you?",
"reply",
"take it easy",
"why?",
"thats wrong",
"misc",
"you earn money",
"you feel the same",
"you try to steal",
"you are bad",
"something is going wrong",
"something is fool".
Evilness: Potentially destructive (corrupts data while replicating)
Analyst: Adrian Marinescu
http://www.rav.ro/