-
February 18th, 2004, 03:31 PM
#11
Here is a bit more information on Netsky.b from Symantec:
Creates a mutex named "AdmSkynetJKIS003." This mutex allows only one instance of the worm to execute in memory.
Deletes the values:
"Taskmon"
"Explorer"
from the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Deletes the values:
"KasperskyAV"
"System."
from the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Deletes the registry key:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
Symantec has it listed as a category 3 outbreak and has posted beta definitions here.
Cheers:
-
February 18th, 2004, 03:56 PM
#12
This thing is moving pretty fast. In the past hour or so I've already blocked more than a hundred.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
February 18th, 2004, 04:01 PM
#13
-
February 18th, 2004, 04:56 PM
#14
Here's an interesting characteristic...
We're getting the virus emailed to truncated spam recipient addresses, e.g. if we have some with the email addy fredsmith@megacorp.com who regularly gets spam, then we are picking up email for edsmith@megacorp.com and redsmith@megacorp.com. Looks like a bug in the sending feature, but indicates to me that someone is using spamlists to send out the virus.
-
February 18th, 2004, 05:12 PM
#15
Junior Member
Hi there,
Any signature file for snort yet?
Any signature file for anti virus yet?
Any removal tool yet?
Thanks,
Roach4
-
February 18th, 2004, 05:19 PM
#16
Originally posted here by Roach4
Any signature file for anti virus yet?
McAfee, TrendMicro, Sophos and Symantec all have updated signature files available. Check their websites.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
February 18th, 2004, 05:36 PM
#17
Junior Member
Is it just me or...
the last update is February 17 for both LiveUpdate and Intelligent Updater...
http://securityresponse.symantec.com.../download.html
Roach4
-
February 18th, 2004, 05:39 PM
#18
I haven't actually received it yet, nor have I really done any research on it, but from what I read about it at Symantec the attached file always has the substring "prod_info" in the beginning, so basically you can make a simple Snort rule to detect this pattern:
# Each Snort rule option must end with ";"; sid/rev are required by Snort 2 and the sid below is a local placeholder value
alert tcp any any -> any 25 (msg:"skynet.b virus"; content:"prod_info"; sid:1000001; rev:1;)
That really should cover it. If the virus gets bigger I'll look into making a better rule, but really that's all this one requires.
That which does not kill me makes me stronger -- Friedrich Nietzsche
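As an added example (not from this thread or from Symantec), here is a mail-gateway check in Python that applies the same "prod_info" marker from post #18 in two ways: a raw byte search equivalent to the Snort content match, and a parse of the declared attachment names. The sample messages are constructed for illustration, and the case-insensitive name check is an assumption that goes beyond the rule as posted.

```python
"""Gateway-side checks for the Netsky.B attachment marker discussed in the thread.

Assumptions (not from the original post): the attachment name begins with
"prod_info", as relayed from Symantec; the messages below are constructed samples.
"""
from email import message_from_bytes

MARKER = b"prod_info"

# Constructed sample: one message with a suspicious attachment, one clean message.
INFECTED_MSG = (
    b"From: someone@example.net\r\nTo: fredsmith@megacorp.example\r\n"
    b"Subject: hello\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
    b"--XYZ\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    b"--XYZ\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="prod_info.doc.exe"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA\r\n--XYZ--\r\n"
)
CLEAN_MSG = (
    b"From: someone@example.net\r\nTo: fredsmith@megacorp.example\r\n"
    b"Subject: report\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="ABC"\r\n\r\n'
    b"--ABC\r\nContent-Type: text/plain\r\n\r\nfyi\r\n"
    b"--ABC\r\nContent-Type: application/pdf\r\n"
    b'Content-Disposition: attachment; filename="q4.pdf"\r\n\r\n%PDF-\r\n--ABC--\r\n'
)


def raw_stream_match(raw: bytes) -> bool:
    """Equivalent of the posted Snort rule: case-sensitive marker search over raw bytes."""
    return MARKER in raw


def suspicious_attachments(raw: bytes) -> list:
    """Return declared attachment filenames starting with the marker (case-insensitive).

    This looks only at MIME part filenames, so a base64 body that happens to contain
    the string does not trigger it, and a capitalised filename does not evade it.
    """
    msg = message_from_bytes(raw)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().startswith(MARKER.decode()):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for label, raw in (("infected", INFECTED_MSG), ("clean", CLEAN_MSG)):
        print(label, raw_stream_match(raw), suspicious_attachments(raw))
```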
-
February 18th, 2004, 05:43 PM
#19
As I previously posted, beta definitions can be found here:
http://securityresponse.symantec.com....download.html
Cheers:
-
February 18th, 2004, 06:00 PM
#20
Hey Hey,
Everyone running AVG, if you update to the latest definitions they now include the Netsky variants.
Symantec doesn't make any mention of it opening up ports. Has anyone else seen evidence of this other than SirDice, or can you confirm, SirDice (perhaps a netstat -aon on the infected machine)? I'm wondering if I should be adding more ports to my res sweeps.
Peace,
HT