Email-Worm.Win32.NetSky.q

This is an Internet worm that spreads as an attachment to infected e-mail messages, via P2P networks, and through shared HTTP and FTP directories. It is a PE EXE file about 29 KB in size (FSG-packed; about 40 KB when unpacked).

Installation

The worm copies itself to the Windows folder as fvprotect.exe and creates an auto-run value in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Norton Antivirus AV" = %Windows folder%\fvprotect.exe

In addition, the worm creates the following files in the Windows folder:

  • userconfig9x.dll
  • zipped.tmp
  • base64.tmp
  • zip1.tmp
  • zip2.tmp
  • zip3.tmp

These are copies of the worm in UUE (uuencoded) format and ZIP archives containing its code. The archives may hold the following files:

  • document.txt.exe
  • data.rtf.scr
  • details.txt.pif

To mark an infected computer the worm creates a unique identifier (a mutex) in memory:
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
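The three installation artifacts above (the dropped files in the Windows folder, the "Norton Antivirus AV" Run value, and the mutex) are the host-side indicators a responder checks first. The script below is an added example, not code from the original description: `assess()` evaluates a snapshot of those three sources and is platform-independent, while `collect_snapshot()` gathers them from a live Windows host with `winreg` and `OpenMutexW` (and returns an empty snapshot elsewhere). The snapshot layout and function names are my own; the indicator strings are the ones listed above.

```python
import os
import sys
from typing import Dict, List

# Indicators taken from the description above.
DROPPED_FILES = [
    "fvprotect.exe", "userconfig9x.dll", "zipped.tmp",
    "base64.tmp", "zip1.tmp", "zip2.tmp", "zip3.tmp",
]
RUN_VALUE_NAME = "Norton Antivirus AV"
MUTEX_NAME = "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_"


def assess(snapshot: Dict) -> List[str]:
    """Return findings for a host snapshot (a constructed dict, see collect_snapshot).

    Keys, all optional:
      windir_files : names present in %WINDIR%
      run_values   : {value name: data} from HKLM\\...\\CurrentVersion\\Run
      mutexes      : names of mutexes found open on the host
    """
    findings = []
    present = {f.lower() for f in snapshot.get("windir_files", [])}
    for name in DROPPED_FILES:
        if name.lower() in present:
            findings.append(f"file: %WINDIR%\\{name}")
    for value, data in snapshot.get("run_values", {}).items():
        # Match the value name or the payload path: a renamed value that still
        # points at fvprotect.exe is the same infection.
        if value == RUN_VALUE_NAME or "fvprotect.exe" in str(data).lower():
            findings.append(f"run value: {value} = {data}")
    if MUTEX_NAME in snapshot.get("mutexes", []):
        findings.append(f"mutex: {MUTEX_NAME} (worm process is running)")
    return findings


def collect_snapshot() -> Dict:
    """Gather the three IOC sources from a live Windows host; empty elsewhere."""
    snap = {"windir_files": [], "run_values": {}, "mutexes": []}
    if sys.platform != "win32":
        return snap
    import ctypes
    import winreg

    snap["windir_files"] = os.listdir(os.environ.get("WINDIR", r"C:\Windows"))

    run_key = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, run_key) as key:
        i = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, i)
            except OSError:          # no more values
                break
            snap["run_values"][name] = data
            i += 1

    # OpenMutexW only succeeds if some process has already created the mutex,
    # which is exactly the "is the worm running" question.
    SYNCHRONIZE = 0x00100000
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenMutexW(SYNCHRONIZE, False, MUTEX_NAME)
    if handle:
        snap["mutexes"].append(MUTEX_NAME)
        k32.CloseHandle(handle)
    return snap


if __name__ == "__main__":
    for line in assess(collect_snapshot()) or ["no NetSky.q indicators found"]:
        print(line)
```

Note that the dropped .tmp files are by themselves weak evidence (the names are generic); the Run value pointing at fvprotect.exe and the mutex are the decisive signals, which is why the run-value check also matches on the payload path rather than only on the value name.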

Propagation - e-mail

Victim addresses are harvested from files with the following extensions:

  • EML
  • TXT
  • PHP
  • ASP
  • WAB
  • DOC
  • VBS
  • RTF
  • UIN
  • SHTM
  • CGI
  • DHTM
  • PL
  • HTM
  • HTML
  • ADB
  • TBB
  • DBX
  • SHT
  • OFT
  • MSG
  • JSP
  • WSH
  • XML

The worm sends infected messages using its own SMTP engine, and also attempts to connect directly to the recipient's mail server.

Infected e-mail messages

  • Sender address - chosen at random from the addresses found on the infected system

  • Subject:

    • Re: Hi
    • Re: Hello
    • Re: Encrypted Mail
    • Re: Extended Mail
    • Re: Status
    • Re: Notify
    • Re: SMTP Server
    • Re: Mail Server
    • Re: Delivery Server
    • Re: Request
    • Re: Bad Request
    • Re: Failure
    • Re: Thank you for delivery
    • Re: Test
    • Re: Administration
    • Re: Message Error
    • Re: Error
    • Re: Extended Mail System
    • Re: Secure SMTP Message
    • Re: Protected Mail Request
    • Re: Protected Mail System
    • Re: Protected Mail Delivery
    • Re: Secure delivery
    • Re: Delivery Protection
    • Re: Mail Authentification
    • Re: List
    • Re: Question
    • Re: Proof of concept
    • Re: Developement
    • Re: Message
    • Re: Error in document
    • Re: Free porn
    • Re: Sex pictures
    • Re: Submit a Virus Sample
    • Re: Virus Sample
    • Re: Old times
    • Re: Old photos
    • Re: Sample
    • Re: Its me
    • Re: Is that your document?
    • Re: Approved document
    • Re: Your document
    • Protected Mail System
    • Mail Authentication
    • Is that your password?
    • Private document
    • Stolen document
    • Mail Account
    • Administrator
    • Illegal Website
    • Internet Provider Abuse
    • Thank you!
    • Congratulations!
    • Postcard
    • Your day
    • Mail Delivery
    • Error
    • Shocking document
    • You cannot do that!
    • hi
    • hello
    • Fwd: Warning again
    • Notice again
    • Spamed?
    • Spam
    • 0i09u5rug08r89589gjrg
    • Re: A!p$ghsa
    • Important m$6h?3p
    • Do you?
    • Does it matter?
    • News
    • Information
    • I love you!
    • I cannot forget you!
    • here
    • your
    • my
    • thanks!
    • approved
    • corrected
    • patched
    • improved
    • important
    • read it immediately

    The worm also generates messages with a random subject.

  • Body:

    • Please see the attached file for details
    • Please read the attached file!
    • Your document is attached.
    • Please read the document.
    • Your file is attached.
    • Your document is attached.
    • Please confirm the document.
    • Please read the important document.
    • See the file.
    • Requested file.
    • Authentication required.
    • Your document is attached to this mail.
    • I have attached your document.
    • I have received your document. The corrected document is attached.
    • Your document.
    • Your details.
    • Please confirm!
    • Please answer quickly!
    • Thank you for your request, your details are attached!
    • Thanks!
    • am shocked about your document!
    • Let'us be short: you have no experience in writing letters!!!
    • Try this, or nothing!
    • Here is it!
    • Do not visit this illegal websites!
    • You have downloaded these illegal cracks?
    • Here is my icq list.
    • Here is my phone number.
    • I have visited this website and I found you in the spammer list. Is that true?
    • Are you a spammer? (I found your email on a spammer website!?!)
    • po44u90ugjid-k9z5894z0
    • 9u049u89gh89fsdpokofkdpbm3-4i
    • Please r564g!he4a56a3haafdogu#mfn3o
    • SMTP Error #201
    • See the ghg5%&6gfz65!4Hf55d!46gfgf
    • Server Error #203
    • Your photo, uahhh.... , you are naked!
    • You have written a very good text, excellent, good work!
    • Your archive is attached.
    • Monthly news report.
    • lovely, :-)
    • your big love, ;-)
    • I hope you accept the result!
    • The sample is attached!
    • Your important document, correction is finished!
    • Important message, do not show this anyone!
    • Here is the website. ;-)
    • My favourite page.
    • I have corrected your document.
    • I have attached the sample.
    • Your bill is attached to this mail.
    • You were registered to the pay system.
    • For more details see the attachment.
    • Binary message is available.
    • Message has been sent as a binary attachment.
    • Can you confirm it?
    • I have attached it to this mail.
    • Please read the attached file.
    • Your document is attached.
    • Encrypted message is available.
    • Protected message is attached.
    • Please confirm my request.
    • ESMTP [Secure Mail System #334]: Secure message is attached.
    • Partial message is available.
    • Waiting for a Response. Please read the attachment.
    • First part of the secure mail is available.
    • For more details see the attachment.
    • For further details see the attachment.
    • Your requested mail has been attached.
    • Protected Mail System Test.
    • Secure Mail System Beta Test.
    • Forwarded message is available.
    • Delivered message is attached.
    • Encrypted message is available.
    • Please read the attachment to get the message.
    • Follow the instructions to read the message.
    • Please authenticate the secure message.
    • Protected message is attached.
    • Waiting for authentification.
    • Protected message is available.
    • Bad Gateway: The message has been attached.
    • SMTP: Please confirm the attached message.
    • You got a new message.
    • Now a new message is available.
    • New message is available.
    • You have received an extended message. Please read the instructions.
    • I noticed that you have visited illegal websites.
    • See the name in the list!
    • You have visited illegal websites. I have a big list of the websites you surfed.
    • Your mail account is expired. See the details to reactivate it.
    • Your mail account has been closed. For further details see the document.
    • The file is protected with the password ghj001. I have attached your file. Your password is jkl44563.
    • The sample file you sent contains a new virus version of mydoom.j. Please clean your system with the attached signature. Sincerly, Robert Ferrew
    • Greetings from france, your friend. Have a look at these.
    • Best wishes, your friend.
    • Congratulations!, your best friend.
    • I found this document about you. I cannot believe that.
    • Try this game ;-) I hope the patch works.

    The end of the message body may carry a fake notice claiming the message was scanned by an antivirus product:

    • +++ Attachment: No Virus found +++ MessageLabs AntiVirus - www.messagelabs.com
    • +++ Attachment: No Virus found +++ Bitdefender AntiVirus - www.bitdefender.com
    • +++ Attachment: No Virus found +++ MC-Afee AntiVirus - www.mcafee.com
    • +++ Attachment: No Virus found +++ Kaspersky AntiVirus - www.kaspersky.com
    • +++ Attachment: No Virus found +++ Panda AntiVirus - www.pandasoftware.com
    • +++ Attachment: No Virus found ++++ Norman AntiVirus - www.norman.com
    • ++++ Attachment: No Virus found ++++ F-Secure AntiVirus - www.f-secure.com
    • ++++ Attachment: No Virus found ++++ Norton AntiVirus - www.symantec.de

  • Attachments often have a double extension. The first is DOC or TXT, while the second is chosen from the list below:

    • EXE
    • PIF
    • SCR
    • ZIP

    The worm may also attach ZIP archives to its messages.

    The worm does not send copies of itself to addresses containing the following strings:

    • @antivi
    • @avp
    • @bitdefender
    • @fbi
    • @f-pro
    • @freeav
    • @f-secur
    • @kaspersky
    • @mcafee
    • @messagel
    • @microsof
    • @norman
    • @norton
    • @pandasof
    • @skynet
    • @sophos
    • @spam
    • @symantec
    • @viruslis
    • abuse@
    • noreply@
    • ntivir
    • reports@
    • spam@

    In some cases the worm exploits the IFRAME vulnerability in its messages (the Incorrect MIME Header flaw in Internet Explorer, Microsoft Security Bulletin MS01-020). If the user has not installed the corresponding Microsoft patch, the infected attachment is launched automatically when the message is merely viewed.
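Everything in this section is mail-gateway-visible: a subject from the fixed list, the fake "No Virus found" footer, a DOC/TXT double-extension attachment (or a ZIP wrapping one), and the IFRAME trick. The triage function below is an added example, not code from the original description or from any vendor: it parses a raw RFC 822 message with the standard library and reports which of those traits it finds. `KNOWN_SUBJECTS` holds only a subset of the subject list above, the two sample messages are constructed (a short "MZ" blob stands in for the worm body), and the `cid:` iframe pattern is the classic form of the MS01-020 trick rather than something the page itself spells out.

```python
import base64
import email
import io
import re
import zipfile
from email import policy
from typing import List

# Indicators from the description above. KNOWN_SUBJECTS is a subset of the
# full subject list; extend it with the rest in real use.
KNOWN_SUBJECTS = {
    "re: hi", "re: hello", "re: encrypted mail", "re: protected mail system",
    "mail delivery", "protected mail system", "read it immediately",
}
FAKE_SCAN_FOOTER = re.compile(r"\+{3,}\s*Attachment:\s*No Virus found\s*\+{3,}", re.I)
# DOC/TXT (plus RTF, seen in the archive members) followed by an executable extension.
LURE_NAME = re.compile(r"\.(doc|txt|rtf)\.(exe|pif|scr|zip)$", re.I)
# Classic MS01-020 trigger (assumed pattern): an IFRAME in the HTML part that
# loads an attachment by Content-ID, so rendering the mail launches it.
IFRAME_CID = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?cid:", re.I)


def triage(raw: bytes) -> List[str]:
    """Return the NetSky.q-style traits found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        hits.append(f"known subject: {subject!r}")
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("multipart/"):
            continue
        fname = part.get_filename()
        if fname is None:                      # inline body part
            if ctype.startswith("text/"):
                body = part.get_content()
                if FAKE_SCAN_FOOTER.search(body):
                    hits.append("fake 'No Virus found' scan footer")
                if ctype == "text/html" and IFRAME_CID.search(body):
                    hits.append("iframe loads an attachment via cid: (MS01-020 auto-run trick)")
            continue
        if LURE_NAME.search(fname):
            hits.append(f"double-extension attachment: {fname}")
        if fname.lower().endswith(".zip"):     # the worm ships ZIPs too: look inside
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    hits += [f"executable inside {fname}: {m}" for m in zf.namelist() if LURE_NAME.search(m)]
            except zipfile.BadZipFile:
                hits.append(f"attachment {fname} is not a valid ZIP")
    return hits


def _b64(data: bytes) -> str:
    return base64.encodebytes(data).decode("ascii")


def _zip_with(member: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


# Constructed samples (not real worm mail); a stand-in "MZ" blob plays the payload.
DUMMY_EXE = b"MZ\x90\x00 constructed stand-in"
SAMPLE_PLAIN = "\n".join([
    "From: alice@example.com", "To: bob@example.net",
    "Subject: Re: Protected Mail System", "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"', "",
    "--b1", "Content-Type: text/plain", "",
    "Protected message is attached.", "",
    "+++ Attachment: No Virus found +++ Kaspersky AntiVirus - www.kaspersky.com",
    "--b1", 'Content-Type: application/octet-stream; name="document.txt.exe"',
    'Content-Disposition: attachment; filename="document.txt.exe"',
    "Content-Transfer-Encoding: base64", "", _b64(DUMMY_EXE), "--b1--", "",
]).encode()
SAMPLE_ZIP = "\n".join([
    "From: carol@example.org", "To: bob@example.net",
    "Subject: Mail Delivery", "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b2"', "",
    "--b2", "Content-Type: text/html", "",
    '<html><body>Delivered message is attached.'
    '<iframe src="cid:part1" width=0 height=0></iframe></body></html>',
    "--b2", 'Content-Type: application/zip; name="message.zip"',
    "Content-ID: <part1>", 'Content-Disposition: attachment; filename="message.zip"',
    "Content-Transfer-Encoding: base64", "",
    _b64(_zip_with("details.txt.pif", DUMMY_EXE)), "--b2--", "",
]).encode()

if __name__ == "__main__":
    for name, raw in (("plain", SAMPLE_PLAIN), ("zip", SAMPLE_ZIP)):
        print(name, triage(raw))
```

Each trait is reported separately rather than folded into a single verdict: the footer and the subject list are specific to this family, while the double-extension and `cid:` iframe checks catch the same lure and auto-run technique regardless of which worm is using them, so a gateway rule can weight them differently.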

Propagation - P2P networks

The worm places copies of itself in folders whose names contain the following strings:

  • bear
  • donkey
  • download
  • ftp
  • htdocs
  • http
  • icq
  • kazaa
  • lime
  • morpheus
  • mule
  • my shared folder
  • shar
  • shared files
  • upload

The copies may have the following names:

  • Kazaa Lite 4.0 new.exe
  • Britney Spears Sexy archive.doc.exe
  • Kazaa new.exe
  • Britney Spears porn.jpg.exe
  • Harry Potter all e.book.doc.exe
  • Britney sex xxx.jpg.exe
  • Harry Potter 1-6 book.txt.exe
  • Britney Spears blowjob.jpg.exe
  • Harry Potter e book.doc.exe
  • Britney Spears cumshot.jpg.exe
  • Harry Potter.doc.exe
  • Britney Spears fuck.jpg.exe
  • Harry Potter game.exe
  • Britney Spears.jpg.exe
  • Harry Potter 5.mpg.exe
  • Britney Spears and Eminem porn.jpg.exe
  • Matrix.mpg.exe
  • Britney Spears Song text archive.doc.exe
  • Britney Spears full album.mp3.exe
  • Eminem.mp3.exe
  • Britney Spears.mp3.exe
  • Eminem Song text archive.doc.exe
  • Eminem Sexy archive.doc.exe
  • Eminem full album.mp3.exe
  • Eminem Spears porn.jpg.exe
  • Ringtones.mp3.exe
  • Eminem sex xxx.jpg.exe
  • Ringtones.doc.exe
  • Eminem blowjob.jpg.exe
  • Altkins Diet.doc.exe
  • Eminem Poster.jpg.exe
  • American Idol.doc.exe
  • Cloning.doc.exe
  • Saddam Hussein.jpg.exe
  • Arnold Schwarzenegger.jpg.exe
  • Windows 2003 crack.exe
  • Windows XP crack.exe
  • Adobe Photoshop 10 crack.exe
  • Microsoft WinXP Crack full.exe
  • Teen Porn 15.jpg.pif
  • Adobe Premiere 10.exe
  • Adobe Photoshop 10 full.exe
  • Best Matrix Screensaver new.scr
  • Porno Screensaver britney.scr
  • Dark Angels new.pif
  • XXX hardcore pics.jpg.exe
  • Microsoft Office 2003 Crack best.exe
  • Serials edition.txt.exe
  • Screensaver2.scr
  • Full album all.mp3.pif
  • Ahead Nero 8.exe
  • netsky source code.scr
  • E-Book Archive2.rtf.exe
  • Doom 3 release 2.exe
  • How to hack new.doc.exe
  • Learn Programming 2004.doc.exe
  • WinXP eBook newest.doc.exe
  • Win Longhorn re.exe
  • Dictionary English 2004 - France.doc.exe
  • RFC compilation.doc.exe
  • 1001 Sex and more.rtf.exe
  • 3D Studio Max 6 3dsmax.exe
  • Keygen 4 all new.exe
  • Windows 2000 Sourcecode.doc.exe
  • Norton Antivirus 2005 beta.exe
  • Gimp 1.8 Full with Key.exe
  • Partitionsmagic 10 beta.exe
  • Star Office 9.exe
  • Magix Video Deluxe 5 beta.exe
  • Clone DVD 6.exe
  • MS Service Pack 6.exe
  • ACDSee 10.exe
  • Visual Studio Net Crack all.exe
  • Cracks & Warez Archiv.exe
  • WinAmp 13 full.exe
  • DivX 8.0 final.exe
  • Opera 11.exe
  • Internet Explorer 9 setup.exe
  • Smashing the stack full.rtf.exe
  • Ulead Keygen 2004.exe
  • Lightwave 9 Update.exe
  • The Sims 4 beta.exe
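The P2P seeding above has two properties a hunter can use: the copies only land in folders whose names contain one of the listed strings, and every copy is the same binary under a different lure name. The sweep below is an added example, not code from the original description: it walks a directory tree, looks only inside folders matching the worm's markers, flags known lure names or media/document-plus-executable double extensions, and groups the hits by SHA-256 so the identical copies show up as one cluster. `KNOWN_LURES` holds a handful of the names listed above, and `build_demo_tree()` creates a constructed layout in a temporary directory so the example runs offline.

```python
import hashlib
import os
import re
import shutil
import tempfile
from collections import defaultdict
from typing import Dict, List, Tuple

# Folder-name fragments the worm seeds, from the list above.
SHARE_MARKERS = [
    "bear", "donkey", "download", "ftp", "htdocs", "http", "icq", "kazaa",
    "lime", "morpheus", "mule", "my shared folder", "shar", "shared files", "upload",
]
# A handful of the lure names listed above; the full list would go here in practice.
KNOWN_LURES = {
    "kazaa lite 4.0 new.exe", "harry potter.doc.exe", "netsky source code.scr",
    "windows xp crack.exe", "rfc compilation.doc.exe",
}
# Media/document first extension, executable second: the pattern most names share.
DOUBLE_EXT = re.compile(r"\.(doc|txt|rtf|jpg|mp3|mpg)\.(exe|pif|scr)$", re.I)


def in_seeded_folder(rel_dir: str) -> bool:
    """True if any path component (relative to the sweep root) contains a marker."""
    parts = [p.lower() for p in rel_dir.split(os.sep) if p and p != "."]
    return any(marker in part for part in parts for marker in SHARE_MARKERS)


def sweep(root: str) -> List[Tuple[str, str, str]]:
    """Walk root and return (path, reason, sha256) for suspect files in seeded folders."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if not in_seeded_folder(os.path.relpath(dirpath, root)):
            continue
        for name in files:
            if name.lower() in KNOWN_LURES:
                reason = "known NetSky.q lure name"
            elif DOUBLE_EXT.search(name):
                reason = "double extension"
            else:
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            findings.append((full, reason, digest))
    return findings


def group_by_hash(findings) -> Dict[str, List[str]]:
    """One binary under many names: identical digests expose the worm's copies."""
    groups = defaultdict(list)
    for path, _reason, digest in findings:
        groups[digest].append(path)
    return dict(groups)


def build_demo_tree() -> str:
    """Constructed layout for the demo (not a real infection); returns its root."""
    root = tempfile.mkdtemp(prefix="p2p_sweep_")
    lure = b"MZ\x90\x00 constructed stand-in for the worm body"
    layout = {
        os.path.join("Kazaa", "My Shared Folder"): {
            "Kazaa Lite 4.0 new.exe": lure, "Harry Potter.doc.exe": lure, "readme.txt": b"notes"},
        os.path.join("eMule", "Incoming"): {"Britney Spears.mp3.exe": lure},
        "htdocs": {"index.html": b"<html></html>", "Windows XP crack.exe": lure},
        "Documents": {"report.doc.exe": lure},   # not a seeded folder: out of scope
    }
    for sub, files in layout.items():
        folder = os.path.join(root, sub)
        os.makedirs(folder)
        for name, data in files.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    try:
        hits = sweep(root)
        for path, reason, digest in hits:
            print(f"{reason:26} {digest[:12]}  {os.path.relpath(path, root)}")
        for digest, paths in group_by_hash(hits).items():
            if len(paths) > 1:
                print(f"{len(paths)} copies share hash {digest[:12]}")
    finally:
        shutil.rmtree(root)
```

The folder filter mirrors the worm's own targeting, which keeps the sweep fast on a large profile; drop the `in_seeded_folder` check if you want the double-extension heuristic applied everywhere, at the cost of more benign hits.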

Additional information

The worm deletes the following values from the system registry (among them the auto-run entries used by the Mydoom and Bagle worms):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Explorer
system
msgsvr32
winupd.exe
direct.exe
jijbl
service
Sentry
au.exe
direct.exe
d3dupdate.exe
OLE
gouday.exe
rate.exe
Taskmon
Windows Services Host
sysmon.exe
srate.exe
ssate.exe
winupd.exe

and

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
system
video

as well as the following keys created by the I-Worm.Bagle worm:

  • HKLM\SYSTEM\CurrentControlSet\Services\WksPatch
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PINF
  • HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32