-
February 18th, 2004 02:31 PM
#11
Here is a bit more information on Netsky.b from Symantec:
Creates a mutex named "AdmSkynetJKIS003." This mutex allows only one instance of the worm to execute in memory.
Deletes the values:
"Taskmon"
"Explorer"
from the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Deletes the values:
"KasperskyAV"
"System."
from the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Deletes the registry key:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
Symantec has it listed as a category 3 outbreak and has posted beta definitions here.
Cheers:
-
February 18th, 2004 02:56 PM
#12
This thing is moving pretty fast. In the past hour or so I've already blocked more than a hundred.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
February 18th, 2004 03:01 PM
#13
Sorry about that folks... I mistyped the link. It should be:
http://www.diamondcs.com.au
Just been there; look for the products and the free stuff to find Registry Prot.
Whilst you are there, check out the other free utilities... you can never have too many tools, and these guys are good.
No, I don't work for them... too far to swim each day.
Again... sorry.
If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?
-
February 18th, 2004 03:56 PM
#14
Here's an interesting characteristic..
We're getting the virus emailed to truncated spam recipient addresses, e.g. if we have someone with the email addy fredsmith@megacorp.com who regularly gets spam, then we are picking up email for edsmith@megacorp.com and redsmith@megacorp.com. Looks like a bug in the sending feature, but it indicates to me that someone is using spam lists to send out the virus.
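The pattern described in the post above (recipients that are tail fragments of a real local-part at the same domain) can be pulled out of a mail log mechanically. The script below is an added example, not code from the original poster: the directory of known addresses and the log excerpt are constructed here, and the "rcpt=... from=..." line format is a hypothetical one, not any particular MTA's output.

```python
"""Flag recipient addresses that look like truncated copies of known local users.

Added example for the thread above. The known-address set and the log lines
are constructed for illustration; the log format is hypothetical.
"""
import re
from collections import defaultdict

# Constructed directory of real mailboxes at a hypothetical domain.
KNOWN_ADDRESSES = {
    "fredsmith@megacorp.com",
    "janedoe@megacorp.com",
    "support@megacorp.com",
}

# Constructed log excerpt in a made-up "rcpt=<addr> from=<addr>" format.
SAMPLE_LOG = """\
rcpt=fredsmith@megacorp.com from=news@example.net status=accepted
rcpt=edsmith@megacorp.com from=bob@example.org status=rejected
rcpt=redsmith@megacorp.com from=alice@example.org status=rejected
rcpt=janedoe@megacorp.com from=carol@example.org status=accepted
rcpt=doe@megacorp.com from=dave@example.org status=rejected
rcpt=support@megacorp.com from=eve@example.org status=accepted
rcpt=unrelated@megacorp.com from=frank@example.org status=rejected
"""

RCPT_RE = re.compile(r"rcpt=(?P<addr>\S+)")


def split_address(addr):
    """Return (local_part, domain), both lower-cased."""
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def truncated_source(addr, known=KNOWN_ADDRESSES, min_len=2):
    """Return the known address that `addr` is a truncated copy of, or None.

    A recipient counts as truncated when its local-part is a proper suffix of
    a known local-part at the same domain (fredsmith -> edsmith, redsmith).
    `min_len` stops one- or two-letter tails from matching nearly everything.
    """
    local, domain = split_address(addr)
    if len(local) < min_len:
        return None
    for candidate in known:
        k_local, k_domain = split_address(candidate)
        if k_domain == domain and k_local != local and k_local.endswith(local):
            return candidate
    return None


def find_truncated_recipients(log_text, known=KNOWN_ADDRESSES):
    """Map each known address to the truncated variants seen in the log."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = RCPT_RE.search(line)
        if not m:
            continue
        rcpt = m.group("addr")
        src = truncated_source(rcpt, known)
        if src:
            hits[src].append(rcpt)
    return dict(hits)


if __name__ == "__main__":
    for src, variants in find_truncated_recipients(SAMPLE_LOG).items():
        print(f"{src}: truncated variants {variants}")
```

A burst of such suffix-matching recipients for one real mailbox is a reasonable signal that the sender is working from a damaged copy of a harvested address list rather than from the address book of an infected host.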
-
February 18th, 2004 04:12 PM
#15
Hi there,
Any signature file for snort yet?
Any signature file for anti virus yet?
Any removal tool yet?
Thanks,
Roach4
-
February 18th, 2004 04:19 PM
#16
Originally posted here by Roach4
Any signature file for anti virus yet?
McAfee, TrendMicro, Sophos and Symantec all have updated signature files available. Check their websites.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
February 18th, 2004 04:36 PM
#17
Is it just me or...
the last update is February 17 for both LiveUpdate and Intelligent Updater...
http://securityresponse.symantec.com.../download.html
Roach4
-
February 18th, 2004 04:39 PM
#18
I haven't actually received it yet, nor have I really done any research on it, but from what I read about it at Symantec the attached file always has the substring "prod_info" at the beginning, so basically you can make a simple Snort rule to detect this pattern:
# Match the attachment marker in mail submitted to an SMTP server (client-to-server direction only).
alert tcp any any -> any 25 (msg:"skynet.b virus"; flow:to_server,established; content:"prod_info"; nocase; classtype:trojan-activity; sid:1000001; rev:1;)
That really should cover it. If the virus gets bigger I'll look into making a better rule, but really that's all this one requires.
That which does not kill me makes me stronger -- Friedrich Nietzsche
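To see what a plain content match on port 25 does and does not catch, the script below is an added example (not the poster's code): it builds two constructed test messages, one with "prod_info" in the attachment filename and one with the marker only inside the attachment bytes, and checks each the way a stream match versus a MIME-decoding gateway would. The messages, filenames and placeholder payloads are constructed here and are not worm code.

```python
"""Compare a raw-stream substring match with MIME-aware attachment checks.

Added example for the Snort rule above. Messages are constructed here; the
attachment payloads are placeholders, not real executables.
"""
import base64
from email import message_from_bytes, policy

MARKER = "prod_info"


def build_message(filename, payload):
    """Assemble a minimal multipart message with one base64 attachment."""
    encoded = base64.b64encode(payload).decode()
    text = (
        "From: someone@example.net\r\n"
        "To: fredsmith@megacorp.com\r\n"
        "Subject: hi\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
        "\r\n"
        "--XYZ\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "see attached\r\n"
        "--XYZ\r\n"
        f'Content-Type: application/octet-stream; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "\r\n"
        f"{encoded}\r\n"
        "--XYZ--\r\n"
    )
    return text.encode()


# Marker in the attachment name: visible in the MIME headers on the wire.
SAMPLE_NAMED = build_message("prod_info.pif", b"MZ placeholder bytes")
# Marker only inside the attachment bytes: base64 hides it on the wire.
SAMPLE_HIDDEN = build_message("document.pif", b"prod_info placeholder bytes")


def raw_stream_contains(raw, marker=MARKER):
    """What a plain content match on the TCP stream sees: undecoded bytes."""
    return marker.encode() in raw


def attachment_names(raw):
    """Filenames of every part that carries one."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def flagged_attachments(raw, marker=MARKER):
    """Attachment names containing the marker (case-insensitive)."""
    return [n for n in attachment_names(raw) if marker in n.lower()]


def decoded_payload_contains(raw, marker=MARKER):
    """True if the marker appears in any part after MIME decoding."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        data = part.get_payload(decode=True)
        if data and marker.encode() in data:
            return True
    return False


if __name__ == "__main__":
    for label, raw in (("named", SAMPLE_NAMED), ("hidden", SAMPLE_HIDDEN)):
        print(label, "raw-match:", raw_stream_contains(raw),
              "flagged names:", flagged_attachments(raw),
              "decoded-match:", decoded_payload_contains(raw))
```

The point of the two samples: the stream rule fires only because the marker sits in the attachment filename header, which is sent in clear text; a marker that lives solely inside a base64-encoded body never appears as a literal on the wire (standard base64 output cannot even contain an underscore), so anything relying on body content needs a MIME-decoding gateway or AV scanner rather than a raw content match.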
-
February 18th, 2004 04:43 PM
#19
As I previously posted, beta definitions can be found here:
http://securityresponse.symantec.com....download.html
Cheers:
-
February 18th, 2004 05:00 PM
#20
Hey Hey,
Everyone running AVG: if you update to the latest definitions, they now include the Netsky variants.
Symantec doesn't make any mention of it opening up ports. Has anyone else seen evidence of this other than SirDice, or can you confirm, SirDice (perhaps a netstat -aon on the infected machine)? I'm wondering if I should be adding more ports to my res sweeps.
Peace,
HT
IT Blog: .:Computer Defense:.
PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".