-
February 18th, 2004, 11:41 AM
#1
New Virus. W32/Netsky.b
Heads up people. Block all incoming executables on your mailservers.
I found a new virus. It isn't recognised by McAfee and Sophos (both up to date).
The attachment is 31Kb in size and is a zip file with different filenames. I've seen names like friend.zip, note.zip, mail2.zip and a few more. The zip file contains a file (again different names) with a double extension (mostly .htm.com).
The subjects I've seen are:
Hi
read it immediately
information
warning
stolen
I've submitted it to WebImmune which found some viral code but didn't recognise it.
As soon as I know more I'll post an update.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
February 18th, 2004, 01:55 PM
#2
A bit more info
A'ight. I infected a standalone machine with it.
After you start the file that's inside the zip file you will get a popup
Error!
The file could not be opened!
It will copy itself to %systemroot% (usually c:\winnt or c:\windows) as services.exe.
The Run registry key is used to make it start up after a reboot.
The key added will be:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
service: REG_SZ: C:\WINNT\services.exe -serv
It will also drop about 40 zip files with varying names (listed below) and sizes between 22130 and 22150 bytes. These are probably copies of itself.
I'm not sure but it also looks like it opens 2 tcp ports (2701 & 2702). I could not verify if these actually belonged to the virus as fport.exe doesn't seem to work on this machine.
zip files:
aboutyou.zip
attachment.zip
bill.zip
concert.zip
creditcard.zip
details.zip
dinner.zip
disco.zip
doc.zip
document.zip
final.zip
found.zip
friend.zip
information.zip
jokes.zip
location.zip
mail2.zip
mails.zip
me.zip
message.zip
misc.zip
msg.zip
nomoney.zip
note.zip
object.zip
part2.zip
party.zip
posting.zip
product.zip
ps.zip
ranking.zip
release.zip
shower.zip
story.zip
stuff.zip
swimmingpool.zip
talk.zip
textfile.zip
topseller.zip
website.zip
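A small detection helper written for this post (it is added here, not the poster's code): it parses a .reg export of the Run key for the autostart entry described above and checks a directory listing for the dropped zip files by name and size. The .reg fragment and the file listing are constructed sample input.

```python
import re
from pathlib import PureWindowsPath

# Indicators quoted from the post: a Run value launching services.exe with the
# -serv switch, and dropped zip files (names below) of 22130 to 22150 bytes.
NETSKY_ZIP_STEMS = set("""
aboutyou attachment bill concert creditcard details dinner disco doc document
final found friend information jokes location mail2 mails me message misc msg
nomoney note object part2 party posting product ps ranking release shower story
stuff swimmingpool talk textfile topseller website
""".split())
NETSKY_ZIP_SIZES = range(22130, 22151)

# A REG_SZ line in a .reg export reads  "name"="data"  with backslashes doubled.
REG_SZ_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_run_values(reg_text):
    """Return {value name: command} from a .reg export of the Run key."""
    values = {}
    for line in reg_text.splitlines():
        m = REG_SZ_LINE.match(line.strip())
        if m:
            values[m["name"]] = m["data"].replace("\\\\", "\\")
    return values

def run_key_hits(run_values):
    """Names of Run values launching services.exe with -serv. The genuine
    services.exe sits in system32 and is never started from the Run key."""
    hits = []
    for name, cmd in run_values.items():
        parts = cmd.split()
        exe = PureWindowsPath(parts[0].strip('"')).name.lower() if parts else ""
        if exe == "services.exe" and "-serv" in [p.lower() for p in parts[1:]]:
            hits.append(name)
    return hits

def dropped_zip_hits(listing):
    """Filenames from (name, size) pairs matching the dropped-zip indicator."""
    return sorted(name for name, size in listing
                  if name.lower().endswith(".zip")
                  and name.lower()[:-4] in NETSKY_ZIP_STEMS
                  and size in NETSKY_ZIP_SIZES)

# Constructed sample input (not captured from a real machine).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"service"="C:\\WINNT\\services.exe -serv"
"Synchronization Manager"="mobsync.exe /logon"'''
SAMPLE_LISTING = [("note.zip", 22140), ("bill.zip", 22135),
                  ("report.zip", 22140), ("me.zip", 31000)]
```

Feed `parse_run_values` the text of `reg export` of the Run key and `dropped_zip_hits` a list of (name, size) pairs from the directory you want to sweep.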
-
February 18th, 2004, 02:02 PM
#3
Thanks for the heads up, Sir!
Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.
-
February 18th, 2004, 02:10 PM
#4
Why does it seem familiar to me?
did a number of searches.. nothing.. or is it that I am just tired.. and any virus is like another
thank SD for the Heads up and the extra info..
cheers
"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
February 18th, 2004, 02:11 PM
#5
Reply from WebImmune
Cool. It really was a new one
Got a reply from WebImmune. McAfee is calling it W32/NetSky.b.
You can find the info here:
http://vil.nai.com/vil/content/v_101034.htm
-
February 18th, 2004, 02:37 PM
#6
some differences from the first.. in what is being sent..
http://securityresponse.symantec.com...netsky@mm.html
the start of a new family..
cheers
-
February 18th, 2004, 03:11 PM
#7
They're all following, Sophos is also updated:
http://www.sophos.com/virusinfo/anal...32netskyb.html
It's good to see they all gave it the same name
-
February 18th, 2004, 03:11 PM
#8
And here is where nihil comes in and says:
http://www.diamondcs.com.au
RegistryProt
All you have to do is "educate" the User to click the "no" button?
and:
http://www.winpatrol.com
Oh well....at least it keeps us in work
cheers
-
February 18th, 2004, 03:13 PM
#9
I'm getting a 500 Internal Server Error.
-
February 18th, 2004, 03:24 PM
#10
microsoft will ALWAYS keep us in the money.
Remember -
The ark was built by amateurs...
The Titanic was built by professionals.