Thread: netsky.y

  1. #1

    netsky.y

    Yay, there's another. Wonder if he will stop after his next.

    Description:



    As of April 20, 2004 2:05 PM PST, TrendLabs has declared a Medium Risk Virus Alert to control the spread of this malware.

    This NETSKY variant uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate via email. It sends email with the following details:

    From: Spoofed email address

    Subject: Delivery failure notice (ID-<random letters and numbers>)

    Message body:
    ·--- Mail Part Delivered ---
    ·220 Welcome to [%domain%]
    ·Mail type: multipart/related
    ·--- text/html RFC 2504
    ·MX [Mail Exchanger] mx.mt2.kl.%domain%
    ·Exim Status OK.

    (followed by one of the following)
    ·New message is available.
    ·Partial message is available.
    ·External message is available.
    ·Delivered message is available.

    Attachment:
    www.%domain%.%user%.session-%random 8 char%.com

    (Note: %user% and %domain% are taken from the obtained target address %user%@%domain%.xxx. %random 8 char% refers to an 8-character randomly generated alphanumeric string.)

    It gathers target email addresses from files with certain extension names in all available drives. It also uses the obtained addresses to spoof the From fields of the email messages it sends out.

    This worm drops copies of itself in the Windows folder using the following file names:

    FirewallSvr.exe (26,112 bytes) – copy of itself
    f**k_you_bagle.txt (35,784 bytes) – base64-encoded copy of itself
    It may launch a Denial of Service (DoS) attack against the following Web sites on April 28-30, 2004:

    www.educa.ch
    www.medinfo.ufl.edu
    www.nibis.de
    It has backdoor capabilities and opens port 82 to receive remote commands.

    This worm is compressed using PE Packed and written in Visual C++, a high-level programming language. It runs on Windows 95, 98, ME, NT, 2000, and XP.

    Solution:



    AUTOMATIC REMOVAL INSTRUCTIONS

    To automatically remove this malware from your system, please use the Trend Micro Damage Cleanup Services.

    MANUAL REMOVAL INSTRUCTIONS

    Identifying the Malware Program

    Before proceeding to remove this malware, first identify the malware program.

    Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_NETSKY.Y. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

    Terminating the Malware Program

    This procedure terminates the running malware process from memory. You will need the name(s) of the file(s) detected earlier.

    Open Windows Task Manager.
    On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
    On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
    In the list of running programs*, locate the malware file or files detected earlier.
    Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
    Do the same for all detected malware files in the list of running processes.
    To check if the malware process has been terminated, close Task Manager, and then open it again.
    Close Task Manager.
    *NOTE: On systems running Windows 95/98/ME, Task Manager may not show certain processes. You may use a third party process viewer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

    Removing Autostart Entries from the Registry

    Removing autostart entries from the registry prevents the malware from executing during startup.

    Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
    In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
    In the right panel, locate and delete the entry:
    FirewallSvr = "%Windows%\FirewallSvr.exe"
    Note: %Windows% is the default Windows folder, usually C:\Windows or C:\WINNT.
    Close Registry Editor.
    NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
    Additional Windows ME/XP Cleaning Instructions


    Source http://www.trendmicro.com/vinfo/viru...=WORM_NETSKY.Y
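    The mail lure in the description above (spoofed From, "Delivery failure notice (ID-...)" subject, fake bounce body, and an attachment named like a web address but carrying a .com executable extension) is easy to turn into a gateway check. The following is an added example, not code from the Trend Micro write-up or from the poster: it parses a raw message with Python's email package and scores it against those three indicators. The sample messages at the bottom are constructed for illustration, not captured worm mail, and the helper names are my own.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Subject: Delivery failure notice (ID-<random letters and numbers>)
SUBJECT_RE = re.compile(r"^Delivery failure notice \(ID-[A-Za-z0-9]+\)$")

# Attachment: www.%domain%.%user%.session-%random 8 char%.com
# ".com" is a DOS/Windows executable extension, so a name that reads like a
# web address is in fact the worm binary (domain and user come from the
# harvested target address, so the domain part may itself contain dots).
ATTACH_RE = re.compile(r"^www\.[\w.-]+\.session-[A-Za-z0-9]{8}\.com$", re.IGNORECASE)

# Fragments of the fake bounce text quoted in the description.
BODY_MARKERS = (
    "--- Mail Part Delivered ---",
    "Mail type: multipart/related",
    "Exim Status OK.",
    "message is available.",
)


def classify(raw: bytes) -> dict:
    """Return per-indicator hits and an overall verdict for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = msg.get("Subject", "")
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""

    hits = {
        "subject": SUBJECT_RE.match(subject) is not None,
        "attachment": any(ATTACH_RE.match(n) for n in names),
        "body": sum(marker in text for marker in BODY_MARKERS) >= 2,
    }
    # The attachment name alone is specific enough to block; subject plus the
    # fake-bounce body still catches copies whose attachment was stripped or
    # renamed by an upstream relay.
    hits["verdict"] = hits["attachment"] or (hits["subject"] and hits["body"])
    return hits


def build_message(subject, body, attachment=None) -> bytes:
    """Construct a sample message for the demo below (hypothetical helper)."""
    msg = EmailMessage()
    msg["From"] = "bob@example.net"      # spoofed sender, as the write-up says
    msg["To"] = "alice@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


# Constructed samples: one shaped like the worm's mail, one ordinary bounce.
LURE = build_message(
    "Delivery failure notice (ID-4f7a9c21)",
    "--- Mail Part Delivered ---\n220 Welcome to [example.org]\n"
    "Mail type: multipart/related\n--- text/html RFC 2504\n"
    "MX [Mail Exchanger] mx.mt2.kl.example.org\nExim Status OK.\n\n"
    "New message is available.\n",
    "www.example.org.alice.session-Ab12cD34.com",
)
BENIGN = build_message(
    "Delivery Status Notification (Failure)",
    "Delivery to the following recipient failed permanently:\n"
    "    carol@example.com\n",
)

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, classify(raw))
```

    Feed classify() the raw bytes of each inbound message; it reports which indicators fired so a false positive on the subject alone (a real bounce) can be told apart from a hit on the attachment name.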

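    The manual cleanup steps above boil down to two host-side artifacts: the FirewallSvr value under the Run key and the two files dropped in the Windows folder. The following is an added example, not code from the Trend Micro write-up or from the poster: it parses a regedit export of the Run key (the format produced by regedit /e), flags the autostart entry, and checks a directory listing against the dropped-file names and sizes given in the description. The export text and the file listing are constructed, and the helper names are my own; the censored .txt name is taken as printed in the write-up.

```python
import re

RUN_KEY_SUFFIX = r"\microsoft\windows\currentversion\run"
AUTOSTART_NAME = "FirewallSvr"
# File name -> size in bytes, from the description (the .txt is a base64 copy).
DROPPED_FILES = {"firewallsvr.exe": 26112, "f**k_you_bagle.txt": 35784}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="data"  (regedit doubles backslashes and escapes quotes with a backslash)
STRING_VALUE_RE = re.compile(
    r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo regedit's backslash escaping of backslashes and quotes."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_data}} for REG_SZ values.

    Handles both "REGEDIT4" (Win9x/ME) and "Windows Registry Editor
    Version 5.00" exports; open the latter with encoding="utf-16".
    Non-string values (hex:, dword:) are ignored, which is fine for Run.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = STRING_VALUE_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group("name"))] = unescape(m.group("data"))
    return keys


def find_autostart(keys):
    """Run-key values naming the worm by value name or by launched file."""
    hits = []
    for path, values in keys.items():
        if not path.lower().endswith(RUN_KEY_SUFFIX):
            continue
        for name, data in values.items():
            if name.lower() == AUTOSTART_NAME.lower() or "firewallsvr.exe" in data.lower():
                hits.append((path, name, data))
    return hits


def match_dropped_files(listing):
    """listing: iterable of (file_name, size_in_bytes), e.g. built from
    os.scandir() on %Windows%. Returns [(name, size, size_matches_writeup)].
    A size mismatch means a different build or a different file, so look
    before deleting."""
    out = []
    for name, size in listing:
        expected = DROPPED_FILES.get(name.lower())
        if expected is not None:
            out.append((name, size, size == expected))
    return out


# Constructed export, as produced by:
#   regedit /e run.reg "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"FirewallSvr"="C:\\WINDOWS\\FirewallSvr.exe"
'''

# Constructed %Windows% listing with both dropped files and an unrelated file.
SAMPLE_LISTING = [
    ("FirewallSvr.exe", 26112),
    ("f**k_you_bagle.txt", 35784),
    ("notepad.exe", 69120),
]

if __name__ == "__main__":
    for hit in find_autostart(parse_reg_export(SAMPLE_EXPORT)):
        print("autostart:", hit)
    for name, size, ok in match_dropped_files(SAMPLE_LISTING):
        print("dropped file:", name, size, "size matches" if ok else "size differs")
```

    On a live box the export comes from the regedit command in the comment and the listing from os.scandir() on the Windows folder; the parser is kept separate from the matching so the same export can be checked for other Run-key indicators later.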
  2. #2
    Just Another Geek | Join Date: Jul 2002 | Location: Rotterdam, Netherlands | Posts: 3,401
    Wrong section. This should be in AntiVirus Discussions.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    Whoops, sorry.

  4. #4
    Senior Member | Join Date: Feb 2002 | Posts: 518
    My question is: what happens after Z? Has a virus ever gone this high in variants?
    Will probably go to double letters....
    Remember -
    The ark was built by amateurs...
    The Titanic was built by professionals.

  5. #5
    Guess what, some more good news ^_^
    http://www.trendmicro.com/vinfo/viru...=WORM_NETSKY.z

    If anyone can get their hands on the txt file or any of the messages NetSky is dropping, PM me or post them here please. Just curious.

  6. #6
    Just Another Geek | Join Date: Jul 2002 | Location: Rotterdam, Netherlands | Posts: 3,401
    Originally posted here by avenger_jcc
    My question is: what happens after Z? Has a virus ever gone this high in variants?
    Will probably go to double letters....
    Yep. Just look at w32/gaobot at http://vil.nai.com
