Worm - W32.Netsky.B- spreads by email and Windows network!


Worm - W32.Netsky.B- spreads by email and Windows network! (English Version Only)

Feb 27, 2004

Communnilink has received many reports of this worm from the wild.

Description

"W32.Netsky.B is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses it finds when scanning the hard drives and mapped drives. It use spoofed sender email address send itself out and the subject, body, and email attachment vary." --- HKCER

When the virus runs, it displays a fake error message of "Error The file could not be opened!" Then it copies itself to "%Windows%\services.exe" and adds a value to the registry to ensure this copy is run each time when Windows starts:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service = "%Windows%\services.exe -serv""

W32/Netsky-B
Alias Win32/Netsky.B, W32.Netsky.B@mm, WORM_NETSKY.B,
I-Worm.Moodown.b, Worm.SomeFool
Subject hi, hello, read it immediately, something for you, warning, information,
stolen, fake, unknown
Body Randomly chosen from:
anything ok?, what does it mean?, ok i'm waiting, read the details, here is the document, read it immediately!, my hero, here, is that true?, is that your name?, is that your account?, i wait for a reply!, is that from you?, you are a bad writer, I have your password!, something about you!, kill the writer of this document!, i hope it is not true!, your name is wrong, i found this document about you, yes really?, that is bad, here it is, see you greetings, stuff about you?, something is going wrong!, information about you, about me, from the chatter, here the serials, here the introduction, here the cheats, that's funny, do you?, reply, take it easy, why?, thats wrong, misc, you earn money, you feel the same, you try to steal, you are bad, something is going wrong, something is fool
Attachment The attachment name is composed in several parts.

First part: document, msg, doc, talk, message, creditcard, details, attachment, me, stuff, posting, textfile, concert, information, note, bill, swimmingpool, product, topseller, ps, shower, aboutyou, nomoney, found, story, mails, website, friend, jokes, location, final, release, dinner, ranking, object, mail2, part2, disco, party, misc

Second part (or may be omitted): .txt, .rtf, .doc, .htm

Third part: .exe, .scr, .com, .pif

Example: aboutyou.pif, bill.txt.scr

The attachment may also be sent inside a ZIP archive, for example, aboutyou.zip, bill.zip.

Details Click for Details
http://www.sophos.com/virusinfo/analyses/w32netskyb.html

Payload

Emails all contacts it can find inside the files from all available drive (except CD-ROM drives) with the following extensions:

.msg, .oft, .sht, .dbx, .tbb, .adb, .doc, .wab, .asp, .uin, .rtf, .vbs, .html, .htm, .pl, .php, .txt, .eml

Solution

New virus definition is available from anti-virus vendors to detect and remove this virus.

If you do not install any anti-virus program, you can download the following removal tools to clean it.

Sophos
http://www.sophos.com/support/disinfection/netskyb.html

Mcafee
http://vil.nai.com/vil/stinger

Symantec
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

Related Link(s)

For more information, please refer to the following websites.

http://www.sophos.com/virusinfo/analyses/w32netskyb.html
http://www3.ca.com/virusinfo/virus.aspx?ID=38332
http://www.hkcert.org/valert/vinfo/[email protected]




News Contact

Service Hotline: (852) 2998 0808
Fax: (852) 29977800
Email: [email protected]


最新消息
ACRONIS Backup Solution, ACRONIS 備份方案, Virtual Private Server MyVPS server maintenance, maintenance service Malaysia Server, Singapore Server, USA Server, Taiwan Server, Japan Server, China Server colocation, server colocation, colocation hk, hk datacenter, 伺服器託管, 托管伺服器, 香港數據中心 7x24 hosting, web hosting, hosting hk, cloud hosting, ssd hosting, SSD 網站寄存, Unix Hosting, Windows Hosting dedicated server, Dell 伺服器租用, Dell Server Rental ssd email, cloud email, Email Server Rental, Spam Controller, Global SMTP, Smart Email System, Catch SMTP, Offline Email Backup, Secondary MX Record