Descrizione breve
Netsky.C (conosciuto anche come Moodown.C) è stato rilevato per
la prima volta il 25 Febbraio 2004. Questa variante è stata migliorata
rispetto alla variante precedente. Moodown.C si diffonde sia per mezzo
diu file ZIP che di eseguibili. Inoltre si copia nelle cartelle scerate
di tutti i drive disponibili
Tool di disinfezione
F-Secure ha rilasciato un Tool di disinfezione.
E' disponibile al dowload ai seguenti link:
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.zip
Istruzioni per l'utilizzo del tool di disinfezione
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.txt
Tool di disinfezione per amministratori centralizzati
http://www.europe.f-secure.com/tools/f-netsky.jar
ftp://ftp.europe.f-secure.com/anti-virus/tools/f-netsky.jar
Descrizione Dettagliata
Le differenze tra la variante Netsky.C e la precedente sono le seguenti:
1. Il file del worm è compresso con Petite.
2. Il worm non mostra un messaggio di errore quando viene eseguito per
la prima volta.
3. Il worm si installa come WINLOGON.EXE nella directory di sistema e
crea la seguente chiave di avvio nel registro di sistema di windows:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICQ Net" = "%windir%\winlogon.exe -stealth"
dove %windir% rappresenta la directory di sistema di Windows.
4. Il worm cancella le seguenti chiavi nel registro di configurazione
di Windows:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
msgsvr32
DELETE ME
service
Sentry
Windows Services Host
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
d3dupdate.exe
au.exe
OLE
Windows Services Host
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF]
[HKLM\System\CurrentControlSet\Services\WksPatch]
5. Il worm controlla i files con le seguenti estensioni per collezionare
indirizzi e-mail:
.eml
.txt
.php
.pl
.htm
.html
.vbs
.rtf
.uin
.asp
.wab
.doc
.adb
.tbb
.dbx
.sht
.oft
.msg
.shtm
.cgi
.dhtm
6. Il worm tenta di mandare e-mail ad indirizzi contenenti le seguenti
stringhe:
icrosoft
antivi
ymantec
spam
avp
f-secur
itdefender
orman
cafee
aspersky
f-pro
orton
fbi
abuse
7. Se il worm trova una cartella con nome 'shar', si copia all'interno
con uno dei seguenti nomi:
Microsoft WinXP Crack.exe
Teen Porn 16.jpg.pif
Adobe Premiere 9.exe
Adobe Photoshop 9 full.exe
Best Matrix Screensaver.scr
Porno Screensaver.scr
Dark Angels.pif
XXX hardcore pic.jpg.exe
Microsoft Office 2003 Crack.exe
Serials.txt.exe
Screensaver.scr
Full album.mp3.pif
Ahead Nero 7.exe
Virii Sourcecode.scr
E-Book Archive.rtf.exe
Doom 3 Beta.exe
How to hack.doc.exe
Learn Programming.doc.exe
WinXP eBook.doc.exe
Win Longhorn Beta.exe
Dictionary English - France.doc.exe
RFC Basics Full Edition.doc.exe
1000 Sex and more.rtf.exe
3D Studio Max 3dsmax.exe
Keygen 4 all appz.exe
Windows Sourcecode.doc.exe
Norton Antivirus 2004.exe
Gimp 1.5 Full with Key.exe
Partitionsmagic 9.0.exe
Star Office 8.exe
Magix Video Deluxe 4.exe
Clone DVD 5.exe
MS Service Pack 5.exe
ACDSee 9.exe
Visual Studio Net Crack.exe
Cracks & Warez Archive.exe
WinAmp 12 full.exe
DivX 7.0 final.exe
Opera.exe
IE58.1 full setup.exe
Smashing the stack.rtf.exe
Ulead Keygen.exe
Lightwave SE Update.exe
The Sims 3 crack.exe
8. Il subject del messaggio infetto può essere uno dei seguenti:
Delivery Failed
Status
report
question
trust me
hey
Re: excuse me
read it immediatelly
hi
Re: does it?
Yep
important
hello
ear
Re: unknown
fake?
warning
moin
what's up?
info
Re: information
Here is it
stolen
private?
good morning
illegal...
error
take it
re:
Re: Re: Re: Re:
you?
something for you
exception
Re: hey
excuse me
Re: hi
Re: does it?
Re: important
Re: hello
believe me
Question
denied!
notification
Re: <5664ddff?$??§2>
lol
last chance!
I'm back!
its me
notice!
oh
9. Il corpo del messaggio infetto può essere uno dei seguenti:
<Deliver Error>
<Message Error>
<Server Error>
what means that?
help attached
<...>
ok...
<Attachment from Poland>
that is interesting...
i wait for your comment about it.
such as yours?
read the details.
gonna?
here is the document.
*lol*
read it immediately!
i found that about you!
your hero in the picture?
yours?
here is it.
illegal st. of you?
is that true?
account?
is that your name?
picture?
message?
is that your account?
pwd?
I wait for an answer!
abuse?
is that yours?
you are a bad writer
I don't know your document!
<Mail failed>
I have your password!
you won the rk!
something about you!
classroom test of you?
kill the writer of this document!
old photos about you?
i hope thats not true!
your name is wrong!
does it match?
i found this document about you.
time to fear?
really?
do you know this????
i know your document!
did you sent it to me?
this file is bad!
why should I?
pages?
her.
another pic, have fun! ... :->
test it
child porn?
greetings
xxx ?
stuff about you?
your document is not good
something is going wrong!
your photo is poor
information about you?
the information is wrong!
doc about me?
kill him on the picture!
from the chatter (my photo!)
from your lover ;-)
love letter?
here, the serials
are you a teacherin the picture?
here, the introduction
is that criminal?
here, the cheats
i like your doc!
what do you think about it?
that's a funny text.
that's not the truth?
do you have?
instruct me about this!
i lost that
i am speachless about your document!
is that the reality?
reply
msg
your design is not good!
important?
your TAN number?
take it easy!
why?
you are naked in this document!
thats wrong!
your icq number?
i am desperate
modifications?
your personal record?
yes.
misc. and so on. see you!
your attachment? verify it.
you earn money, see the attachment!
is that your attachment?
is that your website?
you feel the same.
meaning of that?
possible?
you have tried to steal!
did you ask me for that?
you are bad
your job? (I found that!)
is that possible?
something is going ...
something is not ok
did you know from this document?
wrong calculation! (see the attachment!)
never!
poor quality!
good work!
excellent!
great!
i don't think so.
pretty pic about you?
docs?
schoolfriend?
<Warning from the Government>
<09580985869gj>
<?}
i want more...
here is the next one!
attachi#
did you see her already?
is that your wife?
is that your creditcard?
is that your photo?
do you think so?
do you have the bug also?
already?
forgotten?
drugs? ...
does it matter?
i have received this.
best?
the truth?
your body?
your eyes?
your face?
File is self-decryting.
File is damaged.
File is bad.
i saw you last week!
xxx service
your account is expired!
you cannot hide yourself! (see photo)
copyright?
what still?
who?
how?
<bad gateway>
only encrypted!
personal message!
my advice....
i've found it about you
<<<Failure>>>
<Attached Msg>
<scanned by norton antivirus>
great xxx!
man or women?
child or adult?
here is yours!
a crazy doc about you
xxx about you?
i don't want your xxx pics!
<Failed message available>
<Automailer>
doc?
trial?
what?
;-)
i need you!
correct it!
see this!
it's a secret!
this is nothing for kids!
it's so similar as yours!
is that your car?
do not give up!
great job!
here is the $%%454$
you are sexy in this doc!
incest?
let it!
you look like an ape!
you look like an rat?
be mad?
are you cranky?
bob the builder
did you know that?
money?
is that your car?
is this information about you?
is that your privacy?
is that your TAN?
is that your message?
is that your cd?
is that your finger?
your are naked?
is that your porn pic?
is that your work?
is that your family?
is that your beast?
is that your account?
is that your slip?
is that your domain?
are you the naked one?
are you the naked person!
are you the one?
does it belong to you?
do you have sex in the picture?
you have a sexy body in the pic!
your lie is going around the world!
<Transfer complete>
<Antispam complete>
lets talk about it!
do you know the thief?
are you a photographer?
you have done a mistake in the document!
its private from me
do not show this anyone!
new patch is available!
this is an attachment message!
in your mind?
Microsoft
fast food...
Your bill.
try this patch!
do you have an orgasm in the picture?
<Click the attachment to decrypt>
<Attachment Signature 34933920>
Transaction failed. Show the doc!
I 've found your bill!
see your name!
You are infected. Read the details!
here is my advice.
here is my photo!
here is the <censored>
feel free to use it.
does it belong to you?
Login required! Read the attachment!
your document is silly!
is the pic a fake?
Antispam is turned off. See file!
Authentification required. Read the attachment
solve the problem!
<null>
do not use my document!
do not open the attachment!
do not visit the pages on the list I sent!
explain!
tell me more about your document!
Your provider will be disabled!
Instant patches.
10. Il nome dell'allegato alla mail infetta viene scelto casualmente
tra i seguenti:
document
associal
msg
yours
doc
wife
talk
message
response
creditcard
description
details
attachment
pic
me
trash
card
stuff
poster
posting
portmoney
textfile
moonlight
concert
sexy
information
news
note
number_phone
bill
mydate
swimmingpool
class_photos
product
old_photos
topseller
ps
important
shower
myaunt
aboutyou
yours
nomoney
birth
found
death
story
worker
mails
letter
more
website
regards
regid
friend
unfolds
jokes
doc_ang
your_stuff
location
454543403
final
schock
release
webcam
dinner
intimate stuff
sexual
ranking
object
secrets
mail2
attach2
part2
msg2
disco
freaky
visa
party
material
misc
nothing
transfer
auction
warez
undefinied
violence
update
masturbation
injection
naked1
naked2
tear
music
paypal
id
privacy
word_doc
image
incest
Il worm può comporre il nome del messaggio utilizzando una combinazione
delle stringhe precedentemente elencate.
Come nella variante precedente, il worm può usare una o due estensioni
per il suo allegato. Come prima estensione sceglie una delle seguenti:
.txt
.rtf
.doc
.htm
Come seconda estensioni viene utilizzata una di queste:
.exe
.scr
.com
.pif
Il worm si diffonde per mezzo di mail come allegato ZIP od eseguibile.
Il file del worm è allegato alla mail infetta all'interno di uno
ZIP oppure come un normale file binario. L'utente, per infettarsi, deve
decomprimere l'allegato della mail oppure lanciare l'eseguibile.
Rilevazione
F-Secure Anti-Virus per Windows rileva NetSky.B con gli aggiornamenti
pubblicati il 25 Febbraio 2004:
[FSAV_Database_Version]
Version=2004-02-25_02
Descrizione: Alexey Podrezov 25 Febbraio 2004;
F-Secure Corporation
|
