-
April 22nd, 2004, 04:24 AM
#1
Member
netsky.y
yay, there's another.. wonder if he will stop after his next
Description:
As of April 20, 2004 2:05 PM PST, TrendLabs has declared a Medium Risk Virus Alert to control the spread of this malware.
This NETSKY variant uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate via email. It sends email with the following details:
From: Spoofed email address
Subject: Delivery failure notice (ID-<random letters and numbers>)
Message body:
·--- Mail Part Delivered ---
·220 Welcome to [%domain%]
·Mail type: multipart/related
·--- text/html RFC 2504
·MX [Mail Exchanger] mx.mt2.kl.%domain%
·Exim Status OK.
(followed by one of the following)
·New message is available.
·Partial message is available.
·External message is available.
·Delivered message is available.
Attachment:
www.%domain%.%user%.session-%random 8 char%.com
(Note: %user% and %domain% are taken from the obtained target address %user%@%domain%.xxx. %random 8 char% refers to an 8-character randomly generated alphanumeric string.)
It gathers target email addresses from files with certain extension names in all available drives. It also uses the obtained addresses to spoof the From fields of the email messages it sends out.
This worm drops copies of itself in the Windows folder using the following file names:
FirewallSvr.exe (26,112 bytes) – copy of itself
f**k_you_bagle.txt (35,784 bytes) – base64-encoded copy of itself
It may launch a Denial of Service (DoS) attack against the following Web sites on April 28-30, 2004:
www.educa.ch
www.medinfo.ufl.edu
www.nibis.de
It has backdoor capabilities and opens port 82 to receive remote commands.
This worm is compressed using PE Packed and written in Visual C++, a high-level programming language. It runs on Windows 95, 98, ME, NT, 2000, and XP.
Solution:
AUTOMATIC REMOVAL INSTRUCTIONS
To automatically remove this malware from your system, please use the Trend Micro Damage Cleanup Services.
MANUAL REMOVAL INSTRUCTIONS
Identifying the Malware Program
Before proceeding to remove this malware, first identify the malware program.
Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_NETSKY.Y. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
Terminating the Malware Program
This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.
Open Windows Task Manager.
On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
In the list of running programs*, locate the malware file or files detected earlier.
Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
Do the same for all detected malware files in the list of running processes.
To check if the malware process has been terminated, close Task Manager, and then open it again.
Close Task Manager.
*NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing during startup.
Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
FirewallSvr = "%Windows%\FirewallSvr.exe"
Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Additional Windows ME/XP Cleaning Instructions
Source http://www.trendmicro.com/vinfo/viru...=WORM_NETSKY.Y
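Mail-filter detection logic built from the traits the quoted Trend Micro description lists (subject line, body markers, and the `www.%domain%.%user%.session-%random 8 char%.com` attachment name tied to the recipient address). This is an added example, not part of the original post or of Trend Micro's tooling; the sample message is constructed, and the `.com` attachment is a DOS executable extension, not a web address.

```python
import re
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Indicators lifted from the Trend Micro description quoted above.
SUBJECT_RE = re.compile(r"^Delivery failure notice \(ID-[A-Za-z0-9]+\)?$")
BODY_MARKERS = ("--- Mail Part Delivered ---", "Exim Status OK.")
# Attachment name: www.%domain%.%user%.session-%random 8 char%.com
ATTACH_RE = re.compile(r"^www\.(?P<domain>.+?)\.(?P<user>[^.]+)\.session-[A-Za-z0-9]{8}\.com$", re.I)

def netsky_y_indicators(raw_message: str) -> list[str]:
    """Return the sorted names of NETSKY.Y traits found in an RFC 822 message."""
    msg = message_from_string(raw_message)
    hits = set()
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.add("subject")
    # %user% and %domain% are taken from the target address %user%@%domain%.xxx
    m = re.search(r"([^<\s@]+)@([^>\s]+)", msg.get("To", ""))
    rcpt_user, rcpt_domain = (m.group(1), m.group(2).rsplit(".", 1)[0]) if m else ("", "")
    body = ""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            am = ATTACH_RE.match(name)
            if am:
                hits.add("attachment-pattern")
                if (am["user"].lower(), am["domain"].lower()) == \
                        (rcpt_user.lower(), rcpt_domain.lower()):
                    hits.add("attachment-matches-recipient")
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    if all(marker in body for marker in BODY_MARKERS):
        hits.add("body")
    return sorted(hits)

def build_sample() -> str:
    """Constructed message mimicking the advisory's description (not a real capture)."""
    msg = MIMEMultipart("related")
    msg["From"] = "spoofed@elsewhere.example"
    msg["To"] = "alice@example.org"
    msg["Subject"] = "Delivery failure notice (ID-9F2KQ7)"
    msg.attach(MIMEText("--- Mail Part Delivered ---\n220 Welcome to [example.org]\n"
                        "Exim Status OK.\nNew message is available.\n"))
    # Placeholder payload bytes; only the file name matters for this check.
    att = MIMEApplication(b"placeholder bytes, not malware",
                          Name="www.example.alice.session-a1b2c3d4.com")
    msg.attach(att)
    return msg.as_string()
```

A gateway rule would normally quarantine on `attachment-matches-recipient` alone, since a legitimate bounce never names the recipient inside an executable attachment.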
-
April 22nd, 2004, 09:11 AM
#2
Wrong section. This should be in AntiVirus Discussions.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
April 22nd, 2004, 09:13 AM
#3
Member
-
April 22nd, 2004, 09:14 AM
#4
My question is what happens after Z? Has a virus ever gone this high in variants?
Will probably go to double letters....
Remember -
The ark was built by amateurs...
The Titanic was built by professionals.
-
April 22nd, 2004, 09:35 AM
#5
Member
guess what, some more good news ^_^
http://www.trendmicro.com/vinfo/viru...=WORM_NETSKY.z
If anyone can get their hands on the txt file or any of the messages NetSky is dropping, PM me or post them here please, just curious
-
April 22nd, 2004, 10:33 AM
#6
Originally posted here by avenger_jcc
My question is what happens after Z? Has a virus ever gone this high in variants?
Will probably go to double letters....
Yep. Just look at w32/gaobot at http://vil.nai.com
Oliver's Law:
Experience is something you don't get until just after you need it.