-
New Virus. W32/Netsky.b
Heads up, people. Block all incoming executables on your mail servers.
I found a new virus. It isn't recognised by McAfee or Sophos (both up to date).
The attachment is 31 KB in size and is a zip file with varying filenames. I've seen names like friend.zip, note.zip, mail2.zip and a few more. The zip file contains a file (again with varying names) with a double extension (mostly .htm.com).
The subjects I've seen are:
Hi
read it immediately
information
warning
stolen
I've submitted it to WebImmune which found some viral code but didn't recognise it.
As soon as I know more I'll post an update.
-
A bit more info
A'ight. I infected a standalone machine with it.
After you start the file that's inside the zip file, you will get a popup:
Error!
The file could not be opened!
It will copy itself to %systemroot% (usually c:\winnt or c:\windows) as services.exe.
The Run registry key is used to make it start up after a reboot.
The key added will be:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
service: REG_SZ: C:\WINNT\services.exe -serv
It will also drop about 40 zip files with varying names (listed below) and sizes between 22130 and 22150 bytes. These are probably copies of itself.
I'm not sure, but it also looks like it opens two TCP ports (2701 & 2702). I could not verify whether these actually belonged to the virus, as fport.exe doesn't seem to work on this machine.
zip files:
aboutyou.zip
attachment.zip
bill.zip
concert.zip
creditcard.zip
details.zip
dinner.zip
disco.zip
doc.zip
document.zip
final.zip
found.zip
friend.zip
information.zip
jokes.zip
location.zip
mail2.zip
mails.zip
me.zip
message.zip
misc.zip
msg.zip
nomoney.zip
note.zip
object.zip
part2.zip
party.zip
posting.zip
product.zip
ps.zip
ranking.zip
release.zip
shower.zip
story.zip
stuff.zip
swimmingpool.zip
talk.zip
textfile.zip
topseller.zip
website.zip
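The indicators in the post above (the dropped zip names, the double-extension file inside the zip, and the Run key pointing at a services.exe copy outside system32) can be turned into a simple gateway and host check. The script below is an added example, not code from the original post or from any AV vendor. The function names, the broader list of executable extensions, and the sample zip and Run-key entries are all constructed for illustration; the sample payload is a stand-in string, not the worm.

```python
"""Added example: screen mail attachments and Run-key entries against the
Netsky.B indicators reported in the thread. Not from the original post."""
import io
import ntpath
import os
import re
import zipfile

# Zip filenames the post lists as dropped by the worm.
NETSKY_ZIP_NAMES = frozenset({
    "aboutyou.zip", "attachment.zip", "bill.zip", "concert.zip", "creditcard.zip",
    "details.zip", "dinner.zip", "disco.zip", "doc.zip", "document.zip", "final.zip",
    "found.zip", "friend.zip", "information.zip", "jokes.zip", "location.zip",
    "mail2.zip", "mails.zip", "me.zip", "message.zip", "misc.zip", "msg.zip",
    "nomoney.zip", "note.zip", "object.zip", "part2.zip", "party.zip", "posting.zip",
    "product.zip", "ps.zip", "ranking.zip", "release.zip", "shower.zip", "story.zip",
    "stuff.zip", "swimmingpool.zip", "talk.zip", "textfile.zip", "topseller.zip",
    "website.zip",
})

# Extensions Windows runs on double-click. The post only mentions .com; the
# rest are an assumption about what a mail gateway should block generally.
EXECUTABLE_EXTS = frozenset({".exe", ".com", ".scr", ".pif", ".bat", ".cmd"})

# "name.htm.com": a harmless-looking extension followed by an executable one.
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{1,4}\.(exe|com|scr|pif|bat|cmd)$", re.I)


def inspect_attachment(filename, data):
    """Return the reasons an attachment matches the reported indicators.

    An empty list means nothing matched. Nested zips are not unpacked."""
    reasons = []
    base = ntpath.basename(filename).lower()
    if base in NETSKY_ZIP_NAMES:
        reasons.append("attachment name matches a reported worm filename: " + base)
    if os.path.splitext(base)[1] in EXECUTABLE_EXTS:
        reasons.append("bare executable attachment: " + base)
        return reasons
    if base.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = ntpath.basename(info.filename).lower()
                    if DOUBLE_EXT_RE.search(inner):
                        reasons.append("double extension inside zip: " + inner)
                    elif os.path.splitext(inner)[1] in EXECUTABLE_EXTS:
                        reasons.append("executable inside zip: " + inner)
        except zipfile.BadZipFile:
            reasons.append("named .zip but not a valid zip archive")
    return reasons


def should_block(filename, data):
    """Gateway policy: block if any indicator matched."""
    return bool(inspect_attachment(filename, data))


def _exe_of(command_line):
    """First token of a Windows command line, honouring a quoted path."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command_line)
    return (m.group(1) or m.group(2)) if m else ""


def suspicious_run_values(run_values):
    """Flag Run-key values that launch services.exe.

    The real services.exe lives in %SystemRoot%\\system32 and is started by
    the system, never from the Run key; the post's entry launches a copy
    placed directly in %SystemRoot% with a -serv argument."""
    hits = []
    for name, cmd in run_values.items():
        if ntpath.basename(_exe_of(cmd)).lower() == "services.exe":
            hits.append((name, cmd))
    return hits


def make_sample_zip(inner_name, payload=b"constructed stand-in, not the worm"):
    """Build an in-memory zip for testing; the payload is constructed text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


# Constructed Run-key values mirroring the entry reported in the post.
SAMPLE_RUN_VALUES = {
    "service": r"C:\WINNT\services.exe -serv",
    "Synchronization Manager": r"mobsync.exe /logon",
}

if __name__ == "__main__":
    sample = make_sample_zip("friend.htm.com")
    print("friend.zip:", inspect_attachment("friend.zip", sample))
    print("report.zip:", inspect_attachment("report.zip", make_sample_zip("report.txt")))
    print("Run key hits:", suspicious_run_values(SAMPLE_RUN_VALUES))
```

The attachment check fires on any of the three things the post describes, so a mail that arrives under a name not in the list is still caught by the double extension or executable inside the zip. The Run-key check is deliberately broad: no legitimate Run entry launches services.exe, so the name alone is enough to warrant a look.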
-
Thanks for the heads up, Sir!
-
Why does it seem familiar to me?
Did a number of searches... nothing... or is it that I am just tired, and any virus is like another?
Thanks SD for the heads up and the extra info.
cheers
-
Reply from WebImmune
Cool. It really was a new one :)
Got a reply from WebImmune. McAfee is calling it W32/NetSky.b.
You can find the info here:
http://vil.nai.com/vil/content/v_101034.htm
-
Some differences from the first... in what is being sent...
http://securityresponse.symantec.com...netsky@mm.html
The start of a new family...
cheers
-
They're all following; Sophos is also updated:
http://www.sophos.com/virusinfo/anal...32netskyb.html
It's good to see they all gave it the same name :D
-
And here is where nihil comes in and says:
http://www.diamondcs.com.au
RegistryProt
All you have to do is "educate" the user to click the "no" button?
and:
http://www.winpatrol.com
Oh well....at least it keeps us in work :)
cheers
-
I'm getting a 500 Internal Server Error.
-
Microsoft will ALWAYS keep us in the money.