2004-03-26 09:25 - Win32.Netsky.D@mm
Posted by lawwrentiu in Viruses - Antiviruses
Name: Win32.Netsky.D@mm
Alias: W32/Netsky.d@MM
Type: Executable Worm Mass Mailer
Size: 17424 bytes (packed)
Discovered: 01.03.2004
Detected: 01.03.2004
Spreading: High
Risk: Low
ITW: Yes

Symptoms:
Presence of the following file in the Windows directory (%WINDIR%):
"winlogon.exe"

Presence of the following entry under the registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run":
"ICQ Net" = "winlogon.exe -stealth"
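
A host-side check for the Run-key symptom above, as an added example that is not part of the BitDefender write-up: it reads a text export of the Run key (assumed already decoded to text) and reports values that launch a program named winlogon.exe. The function names and the sample export are constructed for illustration; the genuine winlogon.exe is started by Windows itself from System32, not from a Run key.

```python
import ntpath
import re

# Assumption of this example: a Run value that starts a program with one of
# these names is suspicious. Only winlogon.exe comes from the advisory.
MASQUERADED = {"winlogon.exe"}
# "name"="string data" lines of a .reg export, with \" and \\ escapes allowed.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s: str) -> str:
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(.)', r'\1', s)

def program_of(command: str) -> str:
    """Return the lower-cased file name of the program a Run command starts."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]   # quoted path, may contain spaces
    else:
        exe = command.split(None, 1)[0] if command else ""
    return ntpath.basename(exe).lower()

def suspicious_run_values(reg_text: str) -> list:
    """List (value name, command) pairs whose program uses a masqueraded name."""
    found = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, non-string values
        name, command = unescape(m.group(1)), unescape(m.group(2))
        if program_of(command) in MASQUERADED:
            found.append((name, command))
    return found

# Constructed export; only the "ICQ Net" value is taken from the advisory.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
"ICQ Net"="winlogon.exe -stealth"
"Tray"="C:\\Windows\\winlogon.exe.bak.exe"
'''

if __name__ == "__main__":
    for name, command in suspicious_run_values(SAMPLE_EXPORT):
        print(f"suspicious Run value {name!r}: {command}")
```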

Technical description:
This variant of the Netsky virus (.D) spreads only by e-mail (unlike earlier variants, which also spread through P2P applications). It sends itself to every e-mail address found on the infected computer.

It creates and sends e-mails with the following characteristics:

Subject, chosen at random from the following:
"Re: Re: Document"
"Re: Re: Thanks!"
"Re: Thanks!"
"Re: Your document"
"Re: Here is the document"
"Re: Your picture"
"Re: Re: Message"
"Re: Hi"
"Re: Hello"
"Re: Re: Re: Your document"
"Re: Here"
"Re: Your music"
"Re: Your software"
"Re: Approved"
"Re: Details"
"Re: Excel file"
"Re: Word file"
"Re: My details"
"Re: Your details"
"Re: Your bill"
"Re: Your text"
"Re: Your archive"
"Re: Your letter"
"Re: Your product"
"Re: Your website"

Message body, chosen at random from the following:
"Your document is attached."
"Here is the file."
"See the attached file for details."
"Please have a look at the attached file."
"Please read the attached file."
"Your file is attached."

Attachment, chosen at random from the following:
"your_document.pif"
"your_document.pif"
"document.pif"
"message_part2.pif"
"your_document.pif"
"document_full.pif"
"your_picture.pif"
"message_details.pif"
"your_file.pif"
"your_picture.pif"
"document_4351.pif"
"yours.pif"
"mp3music.pif"
"application.pif"
"all_document.pif"
"my_details.pif"
"document_excel.pif"
"document_word.pif"
"my_details.pif"
"your_details.pif"
"your_bill.pif"
"your_text.pif"
"your_archive.pif"
"your_letter.pif"
"your_product.pif"
"your_website.pif"

Once the attachment is executed, the virus does the following:

- copies itself into the Windows directory as "winlogon.exe";

- adds the following value to the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key: ICQ net = winlogon.exe -stealth, so that it is started automatically every time Windows starts;

- disables the processes of some antivirus products and of some other viruses, such as Win32.Mydoom.A@mm and Win32.Mydoom.B@mm, by deleting registry keys;

- scans the infected computer for e-mail addresses in files with one of the following extensions:

".eml"
".txt"
".php"
".pl"
".htm"
".html"
".vbs"
".rtf"
".uin"
".asp"
".wab"
".doc"
".adb"
".tbb"
".dbx"
".sht"
".oft"
".msg"
".shtm"
".cgi"
".dhtm"


- On 1 March 2004, between 6.00 and 9.00, the virus plays sounds of varying pitch and duration through the infected computer's speakers.

- This variant (.D) has an improved e-mail spreading routine that lets it send itself several times faster than the previous variants (.A - .C).

- The worm avoids sending itself to addresses that contain the following strings:
"icrosoft"
"antivi"
"ymantec"
"spam"
"avp"
"f-secur"
"itdefender"
"orman"
"cafee"
"aspersky"
"f-pro"
"orton"
"fbi"
"abuse"
"messagelabs"
"skynet"




Disinfection instructions:
BitDefender will delete the infected files.


Removal tool:
Download removal tool
Virus analysed by:
Adrian Gostin
BitDefender Virus Researcher

Article taken from http://www.bitdefender.ro/bd/site/virusinfo.php?menu_id=1&v_id=185
Posted by: Butea Aurel Laurentiu
