Worm - W32.Netsky.B - spreads by email and Windows network! (English Version Only)
Feb 27, 2004
Communilink has received many reports of this worm in the wild.
Description
"W32.Netsky.B is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses it
finds when scanning the hard drives and mapped drives. It uses a spoofed sender email address to send itself out
and the subject, body, and email attachment vary." --- HKCERT
When the virus runs, it displays a fake error message: "Error The file could not be opened!"
It then copies itself to "%Windows%\services.exe" and adds a value to the registry so that this copy
runs each time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service = "%Windows%\services.exe -serv"
W32/Netsky-B
Alias: Win32/Netsky.B, W32.Netsky.B@mm, WORM_NETSKY.B, I-Worm.Moodown.b, Worm.SomeFool
Subject: hi, hello, read it immediately, something for you, warning, information, stolen, fake, unknown
Body: Randomly chosen from:
anything ok?, what does it mean?, ok i'm waiting, read the details, here is the document, read it immediately!, my hero, here, is that true?, is that your name?, is that your account?, i wait for a reply!, is that from you?, you are a bad writer, I have your password!, something about you!, kill the writer of this document!, i hope it is not true!, your name is wrong, i found this document about you, yes really?, that is bad, here it is, see you
greetings, stuff about you?, something is going wrong!, information about you, about me, from the chatter, here the serials, here the introduction, here the cheats, that's funny, do you?, reply, take it easy, why?, thats wrong, misc, you earn money, you feel the same, you try to steal, you are bad, something is going wrong, something is fool
Attachment: The attachment name is composed of several parts.
First part: document, msg, doc, talk, message, creditcard, details, attachment, me, stuff, posting, textfile, concert, information, note, bill, swimmingpool, product, topseller, ps, shower, aboutyou, nomoney, found, story, mails, website, friend, jokes, location, final, release, dinner, ranking, object, mail2, part2, disco, party, misc
Second part (may be omitted): .txt, .rtf, .doc, .htm
Third part: .exe, .scr, .com, .pif
Example: aboutyou.pif, bill.txt.scr
The attachment may also be sent inside a ZIP archive, for example, aboutyou.zip, bill.zip.
Details: http://www.sophos.com/virusinfo/analyses/w32netskyb.html
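The attachment naming scheme described above can be turned into a filename check for a mail filter or a mailbox sweep. The following is an added example, not part of the original advisory or any vendor tool; the function names and the sample filenames are constructed for illustration, and the word lists are copied from the Attachment entry.

```python
import re

# Name parts exactly as listed in the advisory's Attachment entry.
FIRST = """document msg doc talk message creditcard details attachment me stuff
posting textfile concert information note bill swimmingpool product topseller
ps shower aboutyou nomoney found story mails website friend jokes location
final release dinner ranking object mail2 part2 disco party misc""".split()
SECOND = ["txt", "rtf", "doc", "htm"]   # optional decoy extension
THIRD = ["exe", "scr", "com", "pif"]    # executable extension


def _alt(items):
    """Build a regex alternation from literal strings."""
    return "|".join(re.escape(i) for i in items)


# first[.second].third, e.g. aboutyou.pif or bill.txt.scr
NAME_RE = re.compile(
    rf"(?:{_alt(FIRST)})(?:\.(?:{_alt(SECOND)}))?\.(?:{_alt(THIRD)})", re.I)
# first.zip, e.g. aboutyou.zip: the name alone is too common to convict,
# so the archive's member names should be checked with NAME_RE as well.
ZIP_RE = re.compile(rf"(?:{_alt(FIRST)})\.zip", re.I)


def classify_attachment(filename):
    """Return 'netsky-name', 'zip-inspect' or 'no-match' for one filename."""
    # Drop any path prefix a mail client may have left in the header.
    name = re.split(r"[\\/]", filename.strip())[-1]
    if NAME_RE.fullmatch(name):
        return "netsky-name"
    if ZIP_RE.fullmatch(name):
        return "zip-inspect"
    return "no-match"


def scan(filenames):
    """Return only the filenames that need attention, with their verdict."""
    verdicts = {f: classify_attachment(f) for f in filenames}
    return {f: v for f, v in verdicts.items() if v != "no-match"}


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from real mail.
    sample = ["aboutyou.pif", "bill.txt.scr", "Party.ZIP", "minutes.doc", "budget.xls"]
    for name, verdict in scan(sample).items():
        print(f"{verdict:12} {name}")
```

A filename match is only a heuristic: it complements, and does not replace, scanning the attachment with current virus definitions.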
Payload
Emails all contacts it can find in files on all available drives (except CD-ROM drives) that have the following extensions:
.msg, .oft, .sht, .dbx, .tbb, .adb, .doc, .wab, .asp, .uin, .rtf, .vbs, .html, .htm, .pl, .php, .txt, .eml
Solution
New virus definitions are available from anti-virus vendors to detect and remove this virus.
If you do not have an anti-virus program installed, you can download one of the following removal tools to clean it.
Sophos
http://www.sophos.com/support/disinfection/netskyb.html
McAfee
http://vil.nai.com/vil/stinger
Symantec
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
Related Link(s)
For more information, please refer to the following websites.
http://www.sophos.com/virusinfo/analyses/w32netskyb.html
http://www3.ca.com/virusinfo/virus.aspx?ID=38332
http://www.hkcert.org/valert/vinfo/[email protected]
News Contact
Service Hotline: (852) 2998 0808
Fax: (852) 29977800
Email: [email protected]