Email-Worm.Win32.NetSky.q
The worm copies itself to the Windows folder as fvprotect.exe and creates the following auto-run entry in the system registry:
"Norton Antivirus AV" = %Windows folder%\fvprotect.exe
The worm additionally creates the following files in the Windows folder:
- userconfig9x.dll
- zipped.tmp
- base64.tmp
- zip1.tmp
- zip2.tmp
- zip3.tmp
These are copies of the worm in UUE format and ZIP archives containing its code. The archives may contain the following files:
- document.txt.exe
- data.rtf.scr
- details.txt.pif
To mark an infected computer, the worm creates a unique identifier in memory:
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
Victim addresses are harvested from files with the following extensions:
- EML
- TXT
- PHP
- ASP
- WAB
- DOC
- VBS
- RTF
- UIN
- SHTM
- CGI
- DHTM
- PL
- HTM
- HTML
- ADB
- TBB
- DBX
- SHT
- OFT
- MSG
- JSP
- WSH
- XML
The worm sends infected e-mail messages using its own SMTP engine, and it also attempts to connect directly to the recipient's mail server.
- Sender address: chosen at random from the addresses found on the infected system
- Subject:
Re: Hi Re: Hello Re: Encrypted Mail Re: Extended Mail Re: Status Re: Notify Re: SMTP Server Re: Mail Server Re: Delivery Server Re: Request Re: Bad Request Re: Failure Re: Thank you for delivery Re: Test Re: Administration Re: Message Error Re: Error Re: Extended Mail System Re: Secure SMTP Message Re: Protected Mail Request Re: Protected Mail System Re: Protected Mail Delivery Re: Secure delivery Re: Delivery Protection Re: Mail Authentification Re: List Re: Question Re: Proof of concept Re: Developement Re: Message Re: Error in document Re: Free porn Re: Sex pictures Re: Submit a Virus Sample Re: Virus Sample Re: Old times Re: Old photos Re: Sample Re: Its me Re: Is that your document? Re: Approved document Re: Your document Protected Mail System Mail Authentication Is that your password? Private document Stolen document Mail Account Administrator Illegal Website Internet Provider Abuse Thank you! Congratulations! Postcard Your day Mail Delivery Error Shocking document You cannot do that! hi hello Fwd: Warning again Notice again Spamed? Spam 0i09u5rug08r89589gjrg Re: A!p$ghsa Important m$6h?3p Do you? Does it matter? News Information I love you! I cannot forget you! here your my thanks! approved corrected patched improved important read it immediately
The worm also creates messages with a random subject.
- Body:
Please see the attached file for details Please read the attached file! Your document is attached. Please read the document. Your file is attached. Your document is attached. Please confirm the document. Please read the important document. See the file. Requested file. Authentication required. Your document is attached to this mail. I have attached your document. I have received your document. The corrected document is attached. Your document. Your details. Please confirm! Please answer quickly! Thank you for your request, your details are attached! Thanks! am shocked about your document! Let'us be short: you have no experience in writing letters!!! Try this, or nothing! Here is it! Do not visit this illegal websites! You have downloaded these illegal cracks? Here is my icq list. Here is my phone number. I have visited this website and I found you in the spammer list. Is that true? Are you a spammer? (I found your email on a spammer website!?!) po44u90ugjid-k9z5894z0 9u049u89gh89fsdpokofkdpbm3-4i Please r564g!he4a56a3haafdogu#mfn3o SMTP Error #201 See the ghg5%&6gfz65!4Hf55d!46gfgf Server Error #203 Your photo, uahhh.... , you are naked! You have written a very good text, excellent, good work! Your archive is attached. Monthly news report. lovely, :-) your big love, ;-) I hope you accept the result! The sample is attached! Your important document, correction is finished! Important message, do not show this anyone! Here is the website. ;-) My favourite page. I have corrected your document. I have attached the sample. Your bill is attached to this mail. You were registered to the pay system. For more details see the attachment. Binary message is available. Message has been sent as a binary attachment. Can you confirm it? I have attached it to this mail. Please read the attached file. Your document is attached. Encrypted message is available. Protected message is attached. Please confirm my request. ESMTP [Secure Mail System #334]: Secure message is attached. 
Partial message is available. Waiting for a Response. Please read the attachment. First part of the secure mail is available. For more details see the attachment. For further details see the attachment. Your requested mail has been attached. Protected Mail System Test. Secure Mail System Beta Test. Forwarded message is available. Delivered message is attached. Encrypted message is available. Please read the attachment to get the message. Follow the instructions to read the message. Please authenticate the secure message. Protected message is attached. Waiting for authentification. Protected message is available. Bad Gateway: The message has been attached. SMTP: Please confirm the attached message. You got a new message. Now a new message is available. New message is available. You have received an extended message. Please read the instructions. I noticed that you have visited illegal websites. See the name in the list! You have visited illegal websites. I have a big list of the websites you surfed. Your mail account is expired. See the details to reactivate it. Your mail account has been closed. For further details see the document. The file is protected with the password ghj001. I have attached your file. Your password is jkl44563. The sample file you sent contains a new virus version of mydoom.j. Please clean your system with the attached signature. Sincerly, Robert Ferrew Greetings from france, your friend. Have a look at these. Best wishes, your friend. Congratulations!, your best friend. I found this document about you. I cannot believe that. Try this game ;-) I hope the patch works.
The end of the message body may contain a fake notice claiming that the e-mail has been scanned by an antivirus program:
+++ Attachment: No Virus found +++ MessageLabs AntiVirus - www.messagelabs.com +++ Attachment: No Virus found +++ Bitdefender AntiVirus - www.bitdefender.com +++ Attachment: No Virus found +++ MC-Afee AntiVirus - www.mcafee.com +++ Attachment: No Virus found +++ Kaspersky AntiVirus - www.kaspersky.com +++ Attachment: No Virus found +++ Panda AntiVirus - www.pandasoftware.com +++ Attachment: No Virus found ++++ Norman AntiVirus - www.norman.com ++++ Attachment: No Virus found ++++ F-Secure AntiVirus - www.f-secure.com ++++ Attachment: No Virus found ++++ Norton AntiVirus - www.symantec.de
- Attachments often have a double extension. The first is DOC or TXT, and the second is chosen from the list below:
- EXE
- PIF
- SCR
- ZIP
The worm may also attach ZIP archives to its messages.
The worm does not send copies of itself to addresses containing the following strings:
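The mail characteristics above (lure subjects and body phrases, the fake "No Virus found" footer, and DOC/TXT attachments with a second EXE/PIF/SCR/ZIP extension) can be turned into a simple mail-gateway check. The following is an added example, not code from the original description or from any vendor; the indicator lists are a subset of those on this page, and the sample message and addresses are constructed here, not captured from a real infection.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the description above (a subset of the listed
# subjects and body phrases; the full lists are on the page).
SUBJECTS = {"re: hi", "re: hello", "re: your document", "re: approved document",
            "mail delivery error", "re: protected mail delivery"}
BODY_PHRASES = ("please see the attached file for details", "your document is attached",
                "protected message is attached", "i have attached your document")
FAKE_AV_FOOTER = re.compile(r"\+{3,}\s*attachment: no virus found\s*\+{3,}")
# DOC/TXT (and RTF, seen inside the worm's ZIPs) followed by EXE/PIF/SCR/ZIP
DOUBLE_EXT = re.compile(r"\.(doc|txt|rtf)\.(exe|pif|scr|zip)$", re.I)

def score_message(raw: bytes) -> dict:
    """Return the NetSky.q-style indicators found in one RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    if FAKE_AV_FOOTER.search(text):
        hits.append("fake_av_footer")
    if any(p in text for p in BODY_PHRASES):
        hits.append("body_phrase")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if DOUBLE_EXT.search(name):
            hits.append("double_extension:" + name)
        elif name.lower().endswith(".zip"):
            hits.append("zip_attachment:" + name)
    # A single lure phrase alone is weak; two independent indicators is a strong match.
    return {"hits": hits, "suspicious": len(hits) >= 2}

def build_sample() -> bytes:
    """Constructed message mimicking the worm's mails; not a real capture."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"   # placeholder addresses
    m["To"] = "victim@example.invalid"
    m["Subject"] = "Re: Your document"
    m.set_content("Please see the attached file for details\n\n"
                  "+++ Attachment: No Virus found +++ MessageLabs AntiVirus - www.messagelabs.com\n")
    m.add_attachment(b"placeholder bytes, not an executable", maintype="application",
                     subtype="octet-stream", filename="document.txt.exe")
    return bytes(m)

if __name__ == "__main__":
    print(score_message(build_sample()))
```

The threshold of two indicators keeps an ordinary "Re: Hello" reply from being flagged on its subject alone.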
@antivi @avp @bitdefender @fbi @f-pro @freeav @f-secur @kaspersky @mcafee @messagel @microsof @norman @norton @pandasof @skynet @sophos @spam @symantec @viruslis abuse@ noreply@ ntivir reports@ spam@
In some circumstances the worm exploits the IFRAME vulnerability in its messages. In that case, if the user has not installed the relevant patch released by Microsoft, the infected attachment runs automatically when the message is viewed.
The worm places copies of itself in folders whose names contain the following strings:
- bear
- donkey
- download
- ftp
- htdocs
- http
- icq
- kazaa
- lime
- morpheus
- mule
- my shared folder
- shar
- shared files
- upload
Copies of the worm may have the following names:
- Kazaa Lite 4.0 new.exe
- Britney Spears Sexy archive.doc.exe
- Kazaa new.exe
- Britney Spears porn.jpg.exe
- Harry Potter all e.book.doc.exe
- Britney sex xxx.jpg.exe
- Harry Potter 1-6 book.txt.exe
- Britney Spears blowjob.jpg.exe
- Harry Potter e book.doc.exe
- Britney Spears cumshot.jpg.exe
- Harry Potter.doc.exe
- Britney Spears fuck.jpg.exe
- Harry Potter game.exe
- Britney Spears.jpg.exe
- Harry Potter 5.mpg.exe
- Britney Spears and Eminem porn.jpg.exe
- Matrix.mpg.exe
- Britney Spears Song text archive.doc.exe
- Britney Spears full album.mp3.exe
- Eminem.mp3.exe
- Britney Spears.mp3.exe
- Eminem Song text archive.doc.exe
- Eminem Sexy archive.doc.exe
- Eminem full album.mp3.exe
- Eminem Spears porn.jpg.exe
- Ringtones.mp3.exe
- Eminem sex xxx.jpg.exe
- Ringtones.doc.exe
- Eminem blowjob.jpg.exe
- Altkins Diet.doc.exe
- Eminem Poster.jpg.exe
- American Idol.doc.exe
- Cloning.doc.exe
- Saddam Hussein.jpg.exe
- Arnold Schwarzenegger.jpg.exe
- Windows 2003 crack.exe
- Windows XP crack.exe
- Adobe Photoshop 10 crack.exe
- Microsoft WinXP Crack full.exe
- Teen Porn 15.jpg.pif
- Adobe Premiere 10.exe
- Adobe Photoshop 10 full.exe
- Best Matrix Screensaver new.scr
- Porno Screensaver britney.scr
- Dark Angels new.pif
- XXX hardcore pics.jpg.exe
- Microsoft Office 2003 Crack best.exe
- Serials edition.txt.exe
- Screensaver2.scr
- Full album all.mp3.pif
- Ahead Nero 8.exe
- netsky source code.scr
- E-Book Archive2.rtf.exe
- Doom 3 release 2.exe
- How to hack new.doc.exe
- Learn Programming 2004.doc.exe
- WinXP eBook newest.doc.exe
- Win Longhorn re.exe
- Dictionary English 2004 - France.doc.exe
- RFC compilation.doc.exe
- 1001 Sex and more.rtf.exe
- 3D Studio Max 6 3dsmax.exe
- Keygen 4 all new.exe
- Windows 2000 Sourcecode.doc.exe
- Norton Antivirus 2005 beta.exe
- Gimp 1.8 Full with Key.exe
- Partitionsmagic 10 beta.exe
- Star Office 9.exe
- Magix Video Deluxe 5 beta.exe
- Clone DVD 6.exe
- MS Service Pack 6.exe
- ACDSee 10.exe
- Visual Studio Net Crack all.exe
- Cracks & Warez Archiv.exe
- WinAmp 13 full.exe
- DivX 8.0 final.exe
- Opera 11.exe
- Internet Explorer 9 setup.exe
- Smashing the stack full.rtf.exe
- Ulead Keygen 2004.exe
- Lightwave 9 Update.exe
- The Sims 4 beta.exe
The worm deletes the following entries from the system registry:
Explorer
system
msgsvr32
winupd.exe
direct.exe
jijbl
service
Sentry
au.exe
direct.exe
d3dupdate.exe
OLE
gouday.exe
rate.exe
Taskmon
Windows Services Host
sysmon.exe
srate.exe
ssate.exe
winupd.exe
as well as, under CurrentVersion\RunServices:
system
video
and also the following keys created by the worm:
- HKLM\SYSTEM\CurrentControlSet\Services\WksPatch
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PINF
- HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32