Virus Alert: NetSky.B - Page 2
Page 2 of 5 FirstFirst 1234 ... LastLast
Results 11 to 20 of 48

Thread: Virus Alert: NetSky.B

  1. #11
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Here is a bit more information on Netsky.b from Symantec:

    Creates a mutex named "AdmSkynetJKIS003." This mutex allows only one instance of the worm to execute in memory.

    Deletes the values:

    "Taskmon"
    "Explorer"

    from the registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices


    Deletes the values:

    "KasperskyAV"
    "System."

    from the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


    Deletes the registry key:

    HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
    Symantec has it listed as a category 3 outbreak and has posted beta definitions here.

    Cheers:
    DjM

  2. #12
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    This thing is moving pretty fast. In the past hour or so i've already blocked more then a hundred.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #13
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Sorry about that folks.....mistyped the link it should be:

    http://www.diamondcs.com.au

    Just been there, look for the products and the free stuff to find Registry Prot.

    Whilst you are there check out the other free utilities..............you can never have too many tools and these guys are good

    No I don't work for them...................too far to swim each day

    Again............sorry
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #14
    Here's an interesting characteristic..

    We're getting the virus emailed to truncated spam recipient addresses, e.g. if we have some with the email addy fredsmith@megacorp.com who regularly gets spam, then we are picking up email for edsmith@megacorp.com and redsmith@megacorp.com. Looks like a bug in the sending feature, but indicates to me that someone is using spamlists to send out the virus.

  5. #15
    Junior Member
    Join Date
    Jan 2004
    Posts
    11
    Hi there,


    Any signature file for snort yet?

    Any signature file for anti virus yet?

    Any removal tool yet?



    Thanks,

    Roach4

  6. #16
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Originally posted here by Roach4
    Any signature file for anti virus yet?
    McAfee, TrendMicro, Sophos and Symantec all have updated signature files available. Check their websites.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #17
    Junior Member
    Join Date
    Jan 2004
    Posts
    11
    Is it just me or...

    the last update is february 17 for both liveupdate and intelligent updater...

    http://securityresponse.symantec.com.../download.html

    Roach4

  8. #18
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    I havent actually receveied it yet nor have I really done any research on it but from what I read about it at symantec the attached file always has substring "prod_info" in the beginning so basically you can make a simple snort rule to detect this pattern

    alert tcp any any -> any 25 (msg:"skynet.b virus"; content:"prod_info");

    that really should cover it, if the virus gets bigger Ill look into making a better rule but really thats all this one requires
    That which does not kill me makes me stronger -- Friedrich Nietzche

  9. #19
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by Roach4
    Is it just me or...

    the last update is february 17 for both liveupdate and intelligent updater...

    http://securityresponse.symantec.com.../download.html

    Roach4

    As I previously posted, beta definitions can be found here:

    http://securityresponse.symantec.com....download.html

    Cheers:
    DjM

  10. #20
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    Everyone running AVG, if you update to the latest definitions they now include the Netsky variants.

    Symantec doesn't make any mention of it open up ports, has anyone else seen evidence of this other than SirDice.. or can you confirm SirDice (perhaps and netstat -aon on the infected machine).... I'm wondering if I should be adding more ports to my res sweeps.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides