Email-Worm.Win32.Netsky.c
The worm copies itself to the Windows folder under the name winlogon.exe and creates an auto-run key in the system registry:
"ICQ Net" = "%Windows folder%\winlogon.exe -stealth"
To mark an infected computer, the worm creates a unique identifier (mutex) in memory: [SkyNet.cz]SystemsMutex.
The worm creates copies of itself on drives C: through Z: in folders whose names contain the word share. The copy names are chosen from the following list:
- Adobe Premiere 9.exe
- Adobe Photoshop 9 full.exe
- Ahead Nero 7.exe
- Microsoft WinXP Crack.exe
- Teen Porn 16.jpg.pif
- Best Matrix Screensaver.scr
- Porno Screensaver.scr
- Dark Angels.pif
- 3D Studio Max 3dsmax.exe
- Keygen 4 all appz.exe
- Windows Sourcecode.doc.exe
- Norton Antivirus 2004.exe
- Gimp 1.5 Full with Key.exe
- Partitionsmagic 9.0.exe
- Star Office 8.exe
- XXX hardcore pic.jpg.exe
- Microsoft Office 2003 Crack.exe
- Serials.txt.exe
- Screensaver.scr
- Full album.mp3.pif
- Virii Sourcecode.scr
- E-Book Archive.rtf.exe
- Doom 3 Beta.exe
- How to hack.doc.exe
- Learn Programming.doc.exe
- WinXP eBook.doc.exe
- Win Longhorn Beta.exe
- Dictionary English - France.doc.exe
- RFC Basics Full Edition.doc.exe
- 1000 Sex and more.rtf.exe
- Magix Video Deluxe 4.exe
- Clone DVD 5.exe
- MS Service Pack 5.exe
- ACDSee 9.exe
- Visual Studio Net Crack.exe
- Cracks & Warez Archive.exe
- WinAmp 12 full.exe
- DivX 7.0 final.exe
- Opera.exe
- IE58.1 full setup.exe
- Smashing the stack.rtf.exe
- Ulead Keygen.exe
- Lightwave SE Update.exe
- The Sims 3 crack.exe
The worm also creates copies of itself in ZIP format.
Victim addresses are harvested from files with the following extensions:
- EML
- TXT
- PHP
- PL
- HTM
- HTML
- VBS
- RTF
- UIN
- ASP
- WAB
- DOC
- ADB
- TBB
- DBX
- SHT
- OFT
- MSG
- SHTM
- CGI
- DHTM
The worm sends infected e-mail messages using its own SMTP engine and also attempts to distribute itself through a hard-coded list of 23 SMTP server IP addresses.
Infected messages have the following fields:
- Subject:
Delivery Failed Status report question trust me hey Re: excuse me read it immediatelly hi Re: does it? Yep important hello dear Re: unknown fake? warning moin what's up? info Re: information Here is it stolen private? good morning illegal... error take it re: Re: Re: Re: Re: you? something for you exception Re: hey excuse me Re: hi Re: does it? Re: important Re: hello believe me Question denied! notification Re: <5664ddff?$???2> lol last chance! I'm back! its me notice!
The subject may also be empty.
- Body:
what means that? help attached <...> ok... pwd? I wait for an answer! abuse? is that yours? you are a bad writer I don't know your document! I have your password! you won the rk! something about you! classroom test of you? kill the writer of this document! old photos about you? i hope thats not true! your name is wrong! does it match? i found this document about you. time to fear? really? do you know this???? i know your document! did you sent it to me? this file is bad! why should I? pages? her. another pic, have fun! ... :-> test it child porn? greetings doc? trial? what? ;-) i need you! correct it! see this! it's a secret! this is nothing for kids! it's so similar as yours! is that your car? do not give up! great job! here is the $%%454$ you are sexy in this doc! incest? let it! you look like an ape! you look like an rat? be mad? are you cranky? bob the builder did you know that? money? xxx ? stuff about you? your document is not good something is going wrong! your photo is poor information about you? the information is wrong! doc about me? kill him on the picture! from the chatter (my photo!) from your lover ;-) love letter? here, the serials are you a teacherin the picture? here, the introduction is that criminal? here, the cheats i like your doc! what do you think about it? that's a funny text. that's not the truth? do you have? instruct me about this! i lost that i am speachless about your document! is that the reality? reply msg your design is not good! important? your TAN number? take it easy! why? you are naked in this document! thats wrong! your icq number? i am desperate modifications? your personal record? yes. misc. and so on. see you! your attachment? verify it. you earn money, see the attachment! is that your attachment? is that your website? you feel the same. meaning of that? possible? you have tried to steal! did you ask me for that? you are bad your job? (I found that!) is that possible? something is going ... 
something is not ok did you know from this document? wrong calculation! (see the attachment!... never! poor quality! good work! excellent! great! i don't think so. pretty pic about you? docs? schoolfriend? Warning from the Government 09580985869gj ? i want more... here is the next one! attachi# did you see her already? is that your wife? is that your creditcard? is that your photo? do you think so? do you have the bug also? already? forgotten? drugs? ... does it matter? i have received this. best? the truth? your body? your eyes? your face? File is self-decryting. File is damaged. File is bad. i saw you last week! xxx service your account is expired! you cannot hide yourself! (see photo) copyright? what still? who? how? bad gateway only encrypted! personal message! my advice.... i've found it about you <<>> Attached Msg scanned by norton antivirus great xxx! man or women? child or adult? here is yours! a crazy doc about you xxx about you? i don't want your xxx pics! is that your car? is this information about you? is that your privacy? is that your TAN? is that your message? is that your cd? is that your finger? your are naked? is that your porn pic? is that your work? is that your family? is that your beast? is that your account? is that your slip? is that your domain? are you the naked one? are you the naked person! are you the one? does it belong to you? do you have sex in the picture? that is interesting... i wait for your comment about it. such as yours? read the details. gonna? here is the document. *lol* read it immediately! i found that about you! your hero in the picture? yours? here is it. illegal st. of you? is that true? account? is that your name? picture? message? is that your account? you have a sexy body in the pic! your lie is going around the world! lets talk about it! do you know the thief? are you a photographer? you have done a mistake in the document... its private from me do not show this anyone! new patch is available! 
this is an attachment message! in your mind? Microsoft fast food... Your bill. try this patch! do you have an orgasm in the picture? Transaction failed. Show the doc! I 've found your bill! see your name! You are infected. Read the details! here is my advice here is my photo! here is the feel free to use it does it belong to you? Login required! Read the attachment! your document is silly! is the pic a fake? Antispam is turned off. See file! Authentification required. Read the att... solve the problem! do not use my document! do not open the attachment! do not visit the pages on the list I se... explain! tell me more about your document! Your provider will be disabled! Instant patches
The message body may also be empty.
- Attachment name:
- part2
- msg2
- disco
- freaky
- visa
- party
- material
- misc
- nothing
- transfer
- auction
- warez
- undefinied
- violence
- update
- masturbation
- injection
- naked1
- naked2
- tear
- music
- paypal
- document
- associal
- msg
- yours
- doc
- wife
- talk
- message
- response
- creditcard
- description
- details
- attachment
- pic
- me
- trash
- card
- stuff
- poster
- posting
- portmoney
- textfile
- moonlight
- concert
- sexy
- information
- news
- note
- number_phone
- bill
- mydate
- swimmingpool
- class_photos
- product
- old_photos
- topseller
- ps
- important
- shower
- myaunt
- aboutyou
- yours
- nomoney
- birth
- found
- death
- story
- worker
- mails
- letter
- more
- website
- regards
- regid
- friend
- unfolds
- jokes
- doc_ang
- your_stuff
- location
- final
- schock
- release
- webcam
- dinner
- intimate stuff
- sexual
- ranking
- object
- secrets
- mail2
- attach2
- id
- privacy
- word_doc
- image
- incest
Attachments may have the following extensions:
- TXT
- RTF
- DOC
- HTM
In certain circumstances a second extension (one of the following) also appears:
- EXE
- SCR
- COM
- PIF
The worm may also send copies of itself as a ZIP archive.
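To show how the attachment naming scheme described above (a base name from the worm's list, a document extension, an optional executable second extension, or a ZIP archive) can be turned into a mail-gateway heuristic, here is an added Python example that is not part of the original description; the base-name subset and the sample messages are constructed.

```python
import re

# Netsky.c attachment naming as described above: a base name from the worm's list,
# a document extension (txt/rtf/doc/htm), sometimes a second executable extension
# (exe/scr/com/pif), or a ZIP archive. Only part of the base-name list is included.
NETSKY_C_BASE_NAMES = {
    "part2", "msg2", "document", "creditcard", "paypal", "details", "attachment",
    "pic", "bill", "important", "aboutyou", "privacy", "word_doc", "image", "visa",
}
DOC_EXT = {"txt", "rtf", "doc", "htm"}
EXEC_EXT = {"exe", "scr", "com", "pif"}
_NAME_RE = re.compile(r"^(?P<base>[^.]+)\.(?P<first>[a-z]+)(?:\.(?P<second>[a-z]+))?$", re.I)

def classify_attachment(filename):
    """Return (severity, reason) if the name fits the Netsky.c scheme, else None."""
    m = _NAME_RE.match(filename.strip())
    if not m:
        return None
    base = m.group("base").lower()
    first = m.group("first").lower()
    second = (m.group("second") or "").lower()
    listed = base in NETSKY_C_BASE_NAMES
    if first in DOC_EXT and second in EXEC_EXT:
        # A double extension hides an executable behind a document-looking name.
        origin = "listed" if listed else "unlisted"
        return ("high", f"executable .{second} disguised as .{first} ({origin} base name)")
    if not listed:
        return None
    if first == "zip" and not second:
        return ("medium", "ZIP archive carrying a Netsky.c attachment base name")
    if first in DOC_EXT and not second:
        return ("low", f"Netsky.c base name with document extension .{first}")
    return None

def scan_messages(messages):
    """Return [(index, severity, reason)] for messages whose attachments match."""
    hits = []
    for i, msg in enumerate(messages):
        for name in msg.get("attachments", []):
            verdict = classify_attachment(name)
            if verdict:
                hits.append((i, verdict[0], verdict[1]))
    return hits

# Constructed sample messages (not from the page); the subjects are from the list above.
SAMPLE_MESSAGES = [
    {"subject": "Delivery Failed", "attachments": ["creditcard.txt.exe"]},
    {"subject": "", "attachments": ["paypal.zip"]},
    {"subject": "Re: hi", "attachments": ["Document.doc"]},
    {"subject": "quarterly report", "attachments": ["report.pdf", "notes.doc"]},
]
```

Running scan_messages(SAMPLE_MESSAGES) flags the first three messages at high, medium and low severity and leaves the fourth alone; a double extension ending in an executable is flagged even when the base name is not on the list.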
The worm deletes the following keys from the system registry:
- Taskmon
- Explorer
- Windows Services Host
- KasperskyAV
- System.
- msgsvr32
- DELETE ME
- service
- Sentry
- Windows Services Host
- HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
- HKLM\System\CurrentControlSet\Services\WksPatch
and the following key values:
- d3dupdate.exe
- au.exe
- OLE
Starting from 27 February, between 6:00 and 9:00, the worm attempts to generate sounds.