NetWork Associates

SATINFO website (Official McAfee Distributor in Spain)

McAfee ASaP Antivirus Services

COMPUTER TECHNICAL SUPPORT SERVICE

www.satinfo.es


Medium-spread worm that propagates by email, mapped network drives and peer-to-peer systems.

Virus name: W32/NetSky.c@MM
Known aliases: I-Worm/Netsky.C
Infection risk: Medium (scale: Low, Medium, High, Very High)
Spread: By email, mapped drives and peer-to-peer
Activation: By running an executable file (.EXE, .PIF, .SCR)
Detection: from DATs 4328
Engine required: from 4.2.60
Current infection level: Medium (scale: Initial, Medium, High)

This virus spreads by email and over mapped drives. It sends itself to every address it finds on the infected machine and copies itself into folders on drives C: through Z:. It also attempts to disable the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses.


Email Propagation

Sender: (address selected at random from the infected system)
Subject / Message: (selected from the following list)

  • <...>
  • *lol*
  • ;-)
  • <09580985869gj>
  • a crazy doc about you
  • abuse?
  • account?
  • already?
  • another pic, have fun! ... :->
  • Antispam is turned off. See file!
  • are you a photographer?
  • are you a teacherin the picture?
  • are you cranky?
  • are you the naked one?
  • are you the naked person!
  • are you the one?
  • attachi#
  • Authentification required. Read the attachment!
  • be mad?
  • believe me
  • best?
  • bob the builder
  • child or adult?
  • child porn?
  • classroom test of you?
  • copyright?
  • correct it!
  • dear
  • Delivery Failed
  • denied!
  • did you ask me for that?
  • did you know from this document?
  • did you know that?
  • did you see her already?
  • did you sent it to me?
  • do not give up!
  • do not open the attachment!
  • do not show this anyone!
  • do not use my document!
  • do not use this creditcard!
  • do not visit the pages on the list I sent!
  • do you have an orgasm in the picture?
  • do you have sex in the picture?
  • do you have the bug also?
  • do you have?
  • do you know the thief?
  • do you know this????
  • do you think so?
  • doc about me?
  • doc?
  • docs?
  • does it belong to you?
  • does it match?
  • does it matter?
  • drugs? ...
  • error
  • excellent!
  • exception
  • excuse me
  • explain!
  • fake?
  • fast food...
  • feel free to use it.
  • File is bad.
  • File is damaged.
  • File is self-decryting.
  • forgotten?
  • from the chatter (my photo!)
  • from your lover ;-)
  • gonna?
  • good morning
  • good work!
  • great job!
  • great xxx!
  • great!
  • greetings
  • hello
  • help attached
  • her.
  • here is it.
  • Here is it
  • here is my advice.
  • here is my photo!
  • here is the $%%454$
  • here is the
  • here is the document.
  • here is the next one!
  • here is yours!
  • here, the cheats
  • here, the introduction
  • here, the serials
  • hey
  • hi
  • how?
  • i am desperate
  • i am speachless about your document!
  • I don't know your document!
  • i don't think so.
  • i don't want your xxx pics!
  • i found that about you!
  • i found this document about you.
  • i have received this.
  • I have your password!
  • i hope thats not true!
  • i know your document!
  • i like your doc!
  • i lost that
  • i need you!
  • i saw you last week!
  • I 've found your bill!
  • I wait for an answer!
  • i wait for your comment about it.
  • i want more...
  • illegal st. of you?
  • illegal...
  • I'm back!
  • important?
  • important
  • in your mind?
  • incest?
  • info
  • information about you?
  • instruct me about this!
  • is that criminal?
  • is that possible?
  • is that the reality?
  • is that true?
  • is that your account?
  • is that your attachment?
  • is that your beast?
  • is that your car?
  • is that your cd?
  • is that your creditcard?
  • is that your domain?
  • is that your family?
  • is that your finger?
  • is that your message?
  • is that your name?
  • is that your photo?
  • is that your porn pic?
  • is that your privacy?
  • is that your slip?
  • is that your TAN?
  • is that your website?
  • is that your wife?
  • is that your work?
  • is that yours?
  • is the pic a fake?
  • is this information about you?
  • it's a secret!
  • its me
  • its private from me
  • it's so similar as yours!
  • i've found it about you
  • kill him on the picture!
  • kill the writer of this document!
  • last chance!
  • let it!
  • lets talk about it!
  • Login required! Read the attachment!
  • lol
  • love letter?
  • man or women?
  • meaning of that?
  • message?
  • Microsoft
  • misc. and so on. see you!
  • modifications?
  • moin
  • money?
  • msg
  • my advice....
  • never!
  • new patch is available!
  • notice!
  • notification
  • oh
  • ok...
  • old photos about you?
  • only encrypted!
  • pages?
  • personal message!
  • picture?
  • poor quality!
  • possible?
  • pretty pic about you?
  • private?
  • pwd?
  • Question
  • question
  • Re: <5664ddff?$??§2>
  • Re: does it?
  • Re: excuse me
  • Re: hello
  • Re: hey
  • Re: hi
  • Re: important
  • Re: information
  • Re: Re: Re: Re:
  • Re: unknown
  • re:
  • read it immediatelly
  • read it immediately!
  • read the details.
  • really?
  • reply
  • report
  • schoolfriend?
  • see this!
  • see your name!
  • solve the problem!
  • something about you!
  • something for you
  • something is going ...
  • something is going wrong!
  • something is not ok
  • Status
  • stolen
  • stuff about you?
  • such as yours?
  • take it easy!
  • take it
  • tell me more about your document!
  • test it
  • that is interesting...
  • that's a funny text.
  • that's not the truth?
  • thats wrong!
  • the information is wrong!
  • the truth?
  • this file is bad!
  • this is an attachment message!
  • this is nothing for kids!
  • time to fear?
  • Transaction failed. Show the doc!
  • trial?
  • trust me
  • try this patch!
  • warning
  • what do you think about it?
  • what means that?
  • what still?
  • what?
  • what's up?
  • who?
  • why should I?
  • why?
  • wrong calculation! (see the attachment!)
  • xxx ?
  • xxx about you?
  • xxx service
  • Yep
  • yes.
  • you are a bad writer
  • you are bad
  • You are infected. Read the details!
  • you are naked in this document!
  • you are sexy in this doc!
  • you cannot hide yourself! (see photo)
  • you earn money, see the attachment!
  • you feel the same.
  • you have a sexy body in the pic!
  • you have done a mistake in the document!
  • you have tried to steal!
  • you look like an ape!
  • you look like an rat?
  • you won the rk!
  • you?
  • your account is expired!
  • your are naked?
  • your attachment? verify it.
  • your bill.
  • your body?
  • your design is not good!
  • your document is not good
  • your document is silly!
  • your eyes?
  • your face?
  • your hero in the picture?
  • your icq number?
  • your job? (I found that!)
  • your lie is going around the world!
  • your name is wrong!
  • your personal record?
  • your photo is poor
  • Your provider will be disabled!
  • your TAN number?
  • yours?


Attachment: The attachment may be a ZIP (containing the worm) or an EXE, with either a single or a double extension.

The attachment file name varies (it is taken from strings embedded in the worm), for example:

  • 454543403
  • aboutyou
  • associal
  • attach2
  • auction
  • transfer
  • bill
  • birth
  • card
  • concert
  • moonlight
  • death
  • details
  • description
  • creditcard
  • dinner
  • disco
  • doc
  • yours
  • doc_ang
  • jokes
  • document
  • final
  • found
  • freaky
  • image
  • incest
  • information
  • sexy
  • injection
  • intimate stuff
  • letter
  • location
  • mail2
  • mails
  • masturbation
  • material
  • me
  • message
  • talk
  • msg2
  • music
  • myaunt
  • mydate
  • naked1
  • naked2
  • news
  • nomoney
  • note
  • nothing
  • misc
  • number_phone
  • object
  • old_photos
  • part2
  • party
  • paypal
  • pic
  • attachment
  • portmoney
  • posting
  • poster
  • privacy
  • id
  • product
  • class_photos
  • ps
  • ranking
  • regards
  • website
  • more
  • regid
  • release
  • response
  • schock
  • secrets
  • sexual
  • shower
  • story
  • stuff
  • swimmingpool
  • tear
  • textfile
  • topseller
  • trash
  • undefinied
  • unfolds
  • friend
  • update
  • violence
  • visa
  • warez
  • webcam
  • wife
  • word_doc
  • worker
  • your_stuff

The file extension may be single or double. A double extension is built as follows:

The first extension may be one of:

  • .doc
  • .htm
  • .rtf
  • .text


The final extension is one of the following:

  • .com
  • .exe
  • .pif
  • .scr

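The naming scheme above (a name from the list, an optional inner document extension and a final executable extension, or a ZIP) lends itself to a mail-gateway check. The following Python is an added example and is not part of the SATINFO advisory: the name, subject and extension sets are subsets copied from the advisory's lists, the sample messages are constructed, and it goes one step beyond the advisory by also flagging the generic document-plus-executable double extension on its own.

```python
# Added example, not the advisory's own code: gateway check for attachment
# names built the way W32/NetSky.c@MM builds them. The sets below are subsets
# copied from the advisory's subject, file-name and extension lists.
NETSKY_NAMES = {"454543403", "aboutyou", "bill", "creditcard", "document",
                "paypal", "visa", "your_stuff", "old_photos", "message"}
NETSKY_SUBJECTS = {"delivery failed", "i have your password!", "hi",
                   "your account is expired!", "re: hello"}
FIRST_EXTS = {".doc", ".htm", ".rtf", ".text"}   # optional inner extension
LAST_EXTS = {".com", ".exe", ".pif", ".scr"}     # outer, executable extension

def split_name(filename):
    """Lower-case the name and separate the base from its extension chain."""
    parts = filename.lower().split(".")
    return parts[0], ["." + p for p in parts[1:]]

def classify_attachment(filename):
    """Return 'netsky-c', 'double-ext', 'executable' or 'clean'."""
    base, exts = split_name(filename)
    double = len(exts) == 2 and exts[0] in FIRST_EXTS and exts[1] in LAST_EXTS
    single = len(exts) == 1 and exts[0] in LAST_EXTS
    if base in NETSKY_NAMES and (double or single or exts == [".zip"]):
        return "netsky-c"      # name and extension scheme both match the worm
    if double:
        return "double-ext"    # generic document.exe style masquerade
    if single:
        return "executable"    # bare executable attachment
    return "clean"

def score_message(subject, filename):
    """Combine attachment and subject evidence into a gateway verdict."""
    verdict = classify_attachment(filename)
    subject_hit = subject.strip().lower() in NETSKY_SUBJECTS
    if verdict == "netsky-c" or (verdict == "double-ext" and subject_hit):
        return "block"
    if verdict in ("double-ext", "executable") or subject_hit:
        return "quarantine"
    return "deliver"

# Constructed sample messages (subject, attachment name) for a stand-alone run.
SAMPLES = [
    ("I have your password!", "creditcard.doc.exe"),
    ("meeting notes", "report.rtf.pif"),
    ("Delivery Failed", "budget.xlsx"),
    ("invoice", "scan.pdf"),
]

if __name__ == "__main__":
    for subject, name in SAMPLES:
        print(f"{score_message(subject, name):10s} {subject!r:28s} {name}")
```

A subject match on its own is weak evidence (legitimate bounces are titled "Delivery Failed" too), which is why it only quarantines unless the attachment also matches.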

The mailing component harvests addresses from the local system, from files with the following extensions:

  • .adb
  • .asp
  • .cgi
  • .dbx
  • .dhtm
  • .doc
  • .eml
  • .htm
  • .oft
  • .php
  • .pl
  • .rtf
  • .sht
  • .shtm
  • .msg
  • .tbb
  • .txt
  • .uin
  • .vbs
  • .wab


It does not send itself to addresses containing one of the following strings:

  • abuse
  • fbi
  • orton
  • f-pro
  • aspersky
  • cafee
  • orman
  • itdefender
  • f-secur
  • avp
  • spam
  • ymantec
  • antivi
  • icrosoft


The virus uses its own SMTP engine to send itself.


System Changes

The worm copies itself into the %WinDir% folder (e.g. C:\WINDOWS) under the name WINLOGON.EXE.

  • C:\WINNT\WINLOGON.EXE (25,353 bytes)

Note: A legitimate file with the same name exists in the Windows System directory.

A registry value is created to load the worm at system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "ICQ Net" = %WinDir%\WINLOGON.EXE -stealth
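The persistence entry above can be checked for offline in a registry export. The following Python is an added example and is not part of the SATINFO advisory: it parses a constructed .reg export of the Run key (the benign values in it are made up) and applies the three indicators the advisory gives (the value name ICQ Net, a WINLOGON.EXE outside the System directory, and the -stealth argument).

```python
import re

# Constructed sample of a Run key export, not taken from the advisory. The
# "ICQ Net" value is the entry the advisory attributes to the worm; the other
# two values are made-up benign entries.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"ICQ Net"="C:\\WINNT\\WINLOGON.EXE -stealth"
"Updater"="C:\\Program Files\\Vendor\\updater.exe /quiet"
'''

def parse_run_values(reg_text):
    """Yield (value_name, data) for every value under a ...\CurrentVersion\Run key."""
    in_run = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.rstrip("]").lower().endswith("\\currentversion\\run")
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_run and m:
            yield m.group(1), m.group(2).replace("\\\\", "\\")  # undo .reg escaping

def netsky_c_reasons(value_name, data):
    """Return the advisory's indicators that this Run value matches."""
    reasons = []
    m = re.match(r'(.*?\.exe)', data, re.IGNORECASE)
    exe = (m.group(1) if m else data).lower()
    folder, _, base = exe.rpartition("\\")
    if value_name == "ICQ Net":
        reasons.append("value name 'ICQ Net' used by the worm")
    if base == "winlogon.exe" and not folder.endswith("\\system32"):
        reasons.append("winlogon.exe launched from outside the System directory")
    if data.lower().rstrip().endswith("-stealth"):
        reasons.append("-stealth argument")
    return reasons

def scan_run_key(reg_text):
    """Return [(value_name, data, reasons)] for values that look like the worm."""
    hits = []
    for name, data in parse_run_values(reg_text):
        reasons = netsky_c_reasons(name, data)
        if reasons:
            hits.append((name, data, reasons))
    return hits

if __name__ == "__main__":
    for name, data, reasons in scan_run_key(REG_EXPORT):
        print(f"{name!r} -> {data}\n  " + "\n  ".join(reasons))
```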


Network / Peer-to-Peer Propagation

The worm copies itself into directories whose name contains the string shar, on the local system and on mapped network drives. The file names are embedded in the worm, for example:

  • 1000 Sex and more.rtf.exe
  • 3D Studio Max 3dsmax.exe
  • Adobe Photoshop 9 full.exe
  • Adobe Premiere 9.exe
  • Ahead Nero 7.exe
  • Best Matrix Screensaver.scr
  • Clone DVD 5.exe
  • Magix Video Deluxe 4.exe
  • Cracks & Warez Archive.exe
  • Dark Angels.pif
  • Dictionary English - France.doc.exe
  • DivX 7.0 final.exe
  • E-Book Archive.rtf.exe
  • Full album.mp3.pif
  • Gimp 1.5 Full with Key.exe
  • How to hack.doc.exe
  • Doom 3 Beta.exe
  • IE58.1 full setup.exe
  • Keygen 4 all appz.exe
  • Lightwave SE Update.exe
  • MS Service Pack 5.exe
  • Microsoft Office 2003 Crack.exe
  • Microsoft WinXP Crack.exe
  • Norton Antivirus 2004.exe
  • Opera.exe
  • Partitionsmagic 9.0.exe
  • Porno Screensaver.scr
  • RFC Basics Full Edition.doc.exe
  • Screensaver.scr
  • Serials.txt.exe
  • Smashing the stack.rtf.exe
  • Star Office 8.exe
  • Teen Porn 16.jpg.pif
  • The Sims 3 crack.exe
  • Ulead Keygen.exe
  • Virii Sourcecode.scr
  • Visual Studio Net Crack.exe
  • ACDSee 9.exe
  • Win Longhorn Beta.exe
  • WinAmp 12 full.exe
  • WinXP eBook.doc.exe
  • Learn Programming.doc.exe
  • Windows Sourcecode.doc.exe
  • XXX hardcore pic.jpg.exe

For example, it may create copies in directories such as:

  • C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS
  • C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\STATIONERY

This results in propagation through KaZaa, Bearshare, Limewire and other P2P applications whose shared folder names contain the words share or sharing.

Symptoms

  • Audio payload: on 26 February, between 6 and 9 a.m., the worm plays random sounds with varying rhythms and tones.
  • Presence of the files and registry values mentioned above
  • Unexpected network traffic
  • Outbound DNS requests to one of a fixed set of IP addresses


Detection and Removal

The worm is detected from DAT 4328 onwards; to remove it, we recommend running our ELINETSA utility.

SATINFO, VIRUSCAN SPAIN SERVICE, 26 February 2004
