Virus Alert: NetSky.B
Page 1 of 5 123 ... LastLast
Results 1 to 10 of 48

Thread: Virus Alert: NetSky.B

  1. #1
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403

    New Virus. W32/Netsky.b

    Heads up people. Block all incomming executables on your mailservers.

    I found a new virus. It isn't recognised by McAfee and Sophos (both uptodate).

    The attachment is 31Kb in size and is a zip file with different filenames. I've seen names like friend.zip, note.zip, mail2.zip and a few more. The zip file contains a file (again different names) with a double extension (mostly .htm.com).

    The subjects I've seen are:
    Hi
    read it immediately
    information
    warning
    stolen

    I've submitted it to WebImmune which found some viral code but didn't recognise it.

    As soon as I know more I'll post an update.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403

    A bit more info

    A'ight. I infected a standalone machine with it.

    After you start the file that's inside the zip file you will get a popup

    Error!
    The file could not be opened!

    It will copy itself to %systemroot% (usually c:\winnt or c:\windows) as services.exe.
    The Run registrykey is used to make it startup after a reboot.

    The key added will be:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    service: REG_SZ: C:\WINNT\services.exe -serv

    It will also drop about 40 zip files with varying names (listed below) and a sizes between 22130 and 22150 bytes. These are probably copies of itself.

    I'm not sure but it also looks like it opens 2 tcp ports (2701 & 2702). I could not verify if these actually belonged to the virus as fport.exe doesn't seem to work on this machine.

    zip files:
    aboutyou.zip
    attachment.zip
    bill.zip
    concert.zip
    creditcard.zip
    details.zip
    dinner.zip
    disco.zip
    doc.zip
    document.zip
    final.zip
    found.zip
    friend.zip
    information.zip
    jokes.zip
    location.zip
    mail2.zip
    mails.zip
    me.zip
    message.zip
    misc.zip
    msg.zip
    nomoney.zip
    note.zip
    object.zip
    part2.zip
    party.zip
    posting.zip
    product.zip
    ps.zip
    ranking.zip
    release.zip
    shower.zip
    story.zip
    stuff.zip
    swimmingpool.zip
    talk.zip
    textfile.zip
    topseller.zip
    website.zip
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    Thanks for the heads up, Sir!
    Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can\'t stand 1 bit of competition.


  4. #4
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Why does it seem famure to me?

    did a number of searches.. nothing.. or isit that I am just tired.. and any virus is like another

    thank SD for the Heads up and the extra info..

    cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403

    Reply from WebImmune

    Cool. It really was a new one

    Got a reply from WebImmune. McAfee is calling it W32/NetSky.b.

    You can find the info here:
    http://vil.nai.com/vil/content/v_101034.htm
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    some differences from the first.. in what is being sent..

    http://securityresponse.symantec.com...netsky@mm.html

    the start of a new family..


    cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  7. #7
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    They're all following, Sophos is also updated:

    http://www.sophos.com/virusinfo/anal...32netskyb.html

    It's good to see they all gave it the same name
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  8. #8
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    And here is where nihil comes in and says:

    http://www.diamondcs.com.au

    RegistryProt

    All you have to do is "educate" the User to click the "no" button?

    and:

    http://www.winpatrol.com

    Oh well....at least it keeps us in work

    cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Originally posted here by nihil
    And here is where nihil comes in and says:

    http://www.diamoncs.au.com

    I'm getting a 500 Internal Server Error.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  10. #10
    Senior Member
    Join Date
    Feb 2002
    Posts
    518
    microsoft will ALWAYS keep us in the money.
    Remember -
    The ark was built by amatures...
    The Titanic was built by professionals.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides