VIrokiller! (Guest)
Posted: Sat Jul 10, 2004 4:24 pm
Post subject: I-Worm Netsky
Look what I found about it...
I-Worm/Netsky
This worm spreads through e-mail, shared network drives and KaZaA.
I-Worm/Netsky.A
Installation:
When the worm is launched, it copies itself as services.exe to the Windows directory and registers itself as "service" in the Run key of the Windows Registry.
Spreading: e-mail
The worm spreads by sending itself to e-mail addresses harvested from files with the MSG, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT and EML extensions.
The message format is as follows:
Sender address:
Faked; one of the following:
Ebay Auctions <responder@ebay.com>
QXL Auctions <responder@qxl.com>
MSN Auctions <auctions@msn.com>
Amazon automail <responder@amazon.com>
Yahoo Auctions <auctions@yahoo.com>
EBay Auctions <responder@ebay.com>
Message subject:
Auction successful!
Attachment name:
Generated from several names, often with a double extension. In some cases it may be inside a ZIP file. For example:
prod_info_47532.doc.scr
prod_info_54433.doc.exe
Spreading: networks
The worm tries to copy itself under different names to several folders on all accessible network drives. In this way it can also spread over the local network, KaZaA or other file-sharing networks.
I-Worm/Netsky.B
Installation:
When the worm is launched, it copies itself as services.exe to the Windows directory and registers itself as "service" in the Run key of the Windows Registry.
Spreading: e-mail
The worm spreads by sending itself to e-mail addresses harvested from files with the MSG, OFT, SHT, DBX, TBB, ADB, DOC, WAB, ASP, UIN, RTF, VBS, HTML, HTM, PL, PHP, TXT and EML extensions.
The message format is as follows:
The sender address is faked.
The message subject and body are generated from the following texts:
something is fool
something is going wrong
you are bad you try to steal
you feel the same
you earn money
thats wrong why?
take it easy
reply
do you? that's funny
here, the cheats
here, the introduction
here, the serials
from the chatter
about me
information about you
something is going wrong!
stuff about you?
greetings
see you here it is
that is bad yes, really?
i found this document about you your name is wrong
i hope it is not true!
kill the writer of this document!
something about you!
I have your password!
you are a bad writer
is that from you?
i wait for a reply!
is that your account?
is that your name?
is that true?
here
my hero read it immediately!
here is the document.
read the details.
i'm waiting ok
what does it mean?
anything ok?
Attachment name:
Generated from several names, often with a double extension. In some cases it may be inside a ZIP file.
Spreading: networks
The worm tries to copy itself under different names to several folders on all accessible network drives. In this way it can also spread over the local network, KaZaA or other file-sharing networks.
I-Worm/Netsky.D
Installation:
When the worm is launched, it copies itself as winlogon.exe to the Windows directory and registers itself as "ICQ Net" in the Run key of the Windows Registry.
Spreading: e-mail
The worm spreads by sending itself to e-mail addresses harvested from files with the dhtm, cgi, shtm, msg, oft, sht, dbx, tbb, adb, doc, wab, asp, uin, rtf, vbs, html, htm, pl, php, txt and eml extensions.
The message format is as follows:
The sender address is faked.
The message subject is one of the following:
Re: Your website
Re: Your product
Re: Your letter
Re: Your archive
Re: Your text
Re: Your bill
Re: Your details
Re: My details
Re: Word file
Re: Excel file
Re: Details
Re: Approved
Re: Your software
Re: Your music
Re: Here
Re: Re: Re: Your document
Re: Hello
Re: Hi
Re: Re: Message
Re: Your picture
Re: Here is the document
Re: Your document
Re: Thanks!
Re: Re: Thanks!
Re: Re: Document
Re: Document
The message body is one of the following:
Your file is attached.
Please read the attached file.
Please have a look at the attached file.
See the attached file for details.
Here is the file.
Your document is attached.
The attachment name is one of the following:
your_website.pif
your_product.pif
your_letter.pif
your_archive.pif
your_text.pif
your_bill.pif
your_details.pif
document_word.pif
document_excel.pif
my_details.pif
all_document.pif
application.pif
mp3music.pif
yours.pif
document_4351.pif
your_file.pif
message_details.pif
your_picture.pif
document_full.pif
message_part2.pif
document.pif
your_document.pif
On March 2, 2004, the worm produced random sounds on the infected computer's PC speaker.
The worm also contains this text:
be aware! Skynet.cz - -->AntiHacker Crew<--
I-Worm/Netsky.Q
Installation:
When the worm is launched, it copies itself as FVProtect.exe to the Windows directory and registers itself as "Norton Antivirus AV" in the Run key of the Windows Registry. The worm creates the file userconfig9x.dll and the helper files base64.tmp, zip1.tmp, zip2.tmp, zip3.tmp and zipped.tmp in the same directory.
Spreading: e-mail
The worm spreads by sending itself to e-mail addresses harvested from files with the xml, wsh, jsp, msg, oft, sht, dbx, tbb, adb, dhtm, cgi, shtm, uin, rtf, vbs, doc, wab, asp, php, txt, eml, html, htm and pl extensions.
The message format is as follows:
The sender address is faked.
The message subject and body are generated from a large number of texts. The only notable feature is the fake virus-scan certification that the worm appends to the message body:
+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com
+++ Attachment: No Virus found
+++ Bitdefender AntiVirus - www.bitdefender.com
+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com
+++ Attachment: No Virus found
+++ Kaspersky AntiVirus - www.kaspersky.com
+++ Attachment: No Virus found
+++ Panda AntiVirus - www.pandasoftware.com
++++ Attachment: No Virus found
++++ Norman AntiVirus - www.norman.com
++++ Attachment: No Virus found
++++ F-Secure AntiVirus - www.f-secure.com
++++ Attachment: No Virus found
++++ Norton AntiVirus - www.symantec.de
The attachment name is one of the following:
summary2004
document_all02c
details05
document_with_notice
websites03
game_xxo
document05
my_numbers
my_list01
abuse_list
list_ed
websitelist01
document07
details03
The attached file has a double extension: the first extension is txt or doc and the second is zip, scr, exe or pif.
Spreading: networks
The worm searches for folders whose names contain shared files, kazaa, mule, donkey, morpheus, lime, bear, icq, shar, upload, http, htdocs, ftp, download or my shared folder, and copies itself into them under these names:
The Sims 4 beta.exe
Lightwave 9 Update.exe
Ulead Keygen 2004.exe
Smashing the stack full.rtf.exe
Internet Explorer 9 setup.exe
Opera 11.exe
DivX 8.0 final.exe
WinAmp 13 full.exe
Cracks & Warez Archiv.exe
Visual Studio Net Crack all.exe
ACDSee 10.exe
MS Service Pack 6.exe
Clone DVD 6.exe
Magix Video Deluxe 5 beta.exe
Star Office 9.exe
Partitionsmagic 10 beta.exe
Gimp 1.8 Full with Key.exe
Norton Antivirus 2005 beta.exe
Windows 2000 Sourcecode.doc.exe
Keygen 4 all new.exe
3D Studio Max 6 3dsmax.exe
1001 banned and more.rtf.exe
RFC compilation.doc.exe
Dictionary English 2004 - France.doc.exe
Win Longhorn re.exe
WinXP eBook newest.doc.exe
Learn Programming 2004.doc.exe
How to hack new.doc.exe
Doom 3 release 2.exe
E-Book Archive2.rtf.exe
netsky source code.scr
Ahead Nero 8.exe
Full album all.mp3.pif
Screensaver2.scr
Serials edition.txt.exe
Microsoft Office 2003 Crack best.exe
XXX banned pics.jpg.exe
Dark Angels new.pif
Porno Screensaver britney.scr
Best Matrix Screensaver new.scr
Adobe Photoshop 10 full.exe
Adobe Premiere 10.exe
Teen banned 15.jpg.pif
Microsoft WinXP Crack full.exe
Adobe Photoshop 10 crack.exe
Windows XP crack.exe
Windows 2003 crack.exe
Arnold Schwarzenegger.jpg.exe
Saddam Hussein.jpg.exe
Cloning.doc.exe
American Idol.doc.exe
Eminem Poster.jpg.exe
Altkins Diet.doc.exe
Eminem blowjob.jpg.exe
Ringtones.doc.exe
Eminem banned xxx.jpg.exe
Ringtones.mp3.exe
Eminem Spears banned.jpg.exe
Eminem full album.mp3.exe
Eminem banned archive.doc.exe
Eminem Song text archive.doc.exe
Britney Spears.mp3.exe
Eminem.mp3.exe
Britney Spears full album.mp3.exe
Britney Spears Song text archive.doc.exe
Matrix.mpg.exe
Britney Spears and Eminem banned.jpg.exe
Harry Potter 5.mpg.exe
Britney Spears.jpg.exe
Harry Potter game.exe
Britney Spears banned.jpg.exe
Harry Potter.doc.exe
Britney Spears cumshot.jpg.exe
Harry Potter e book.doc.exe
Britney Spears blowjob.jpg.exe
Harry Potter 1-6 book.txt.exe
Britney banned xxx.jpg.exe
Harry Potter all e.book.doc.exe
Britney Spears banned.jpg.exe
Kazaa new.exe
Britney Spears banned archive.doc.exe
Kazaa Lite 4.0 new.exe
I-Worm/Netsky.R
Installation:
When the worm is launched, it copies itself as sysmonxp.exe to the Windows directory and registers itself as "sysmonxp" in the Run key of the Windows Registry. The worm creates the file firewallloger.txt and the helper files zipo0.txt, zipo1.txt, zipo2.txt, zipo3.txt, zippedbase64.tmp and base64.tmp in the same directory. It then also launches notepad.exe.
Spreading: e-mail
The worm spreads by sending itself to e-mail addresses harvested from files with the xml, wsh, jsp, msg, oft, sht, dbx, tbb, adb, dhtm, cgi, shtm, uin, rtf, vbs, doc, wab, asp, php, txt, eml, html, htm and pl extensions.
The message format is as follows:
The sender address is faked.
The message subject and body are variable.
The attachment name is random; the attachment is either a ZIP archive or a file with an executable extension.
I-Worm/Netsky.S
Installation:
When the worm is launched, it copies itself as pandaavengine.exe to the Windows directory and registers itself as "PandaAVEngine" in the Run key of the Windows Registry. The worm creates the file temp094283.dll and a further helper file with a random name in the same directory. It then also launches notepad.exe.
Spreading: e-mail
The worm spreads by sending itself to e-mail addresses harvested from files with the ppt, xls, stm, ods, nch, mmf, mht, mdx, mbx, cfg, xml, wsh, jsp, html, htm, pl, dbx, tbb, adb, dhtm, cgi, shtm, uin, rtf, vbs, msg, oft, sht, doc, wab, asp, php, txt and eml extensions.
The message format is as follows:
The sender address is faked.
Subject:
Re: <attachment name>
Message body:
Excuse me,
the important document is attached,
Yours sincerely
The attachment name is random, with a pif extension.
The virus also contains these texts:
Yes, true, you have understand it.
Bagle is a shitty guy, he opens a backdoor,
and he makes a lot of money. Netsky not, Netsky
is Skynet, a good software, Good guys behind it.
Believe me, or not.
We will release thousands of our
Skynet versions, as long as bagle is there and the
people...
Thanks to Bruce Schneider.
And to all people in cz and russia.
Best regards - We are the only SkyNet.
I-Worm/Netsky.T
Installation:
When the worm is launched, it copies itself as EasyAV.exe to the Windows directory and registers itself as "EasyAV" in the Run key of the Windows Registry. The worm creates the helper file uinmzertinmds.opm in the same folder.
Spreading: e-mail
The worm spreads by sending itself to e-mail addresses harvested from files with the msg, doc, oft, dbx, wab, tbb, adb and sht extensions.
The message format is as follows:
The sender address is faked.
Subject:
Hello!
Hi!
Re: Important
Important
Re: My details
My details
Re: Your information
Your information
Re: Your details
Your details
Re: Your document
Your document
Re: Request
Request
Re: Thanks you!
Thank you!
Re: Approved
Approved
Re: Hello
Re: Hi
The message body is generated from the following texts:
Hello!
Hi!
Note that I have attached your document.
My <attachment name>.
The <attachment name>.
I have spent much time for the <attachment name>.
I have spent much time for your document.
Your <attachment name>.
Please notice the attached <attachment name>.
Please notice the attached document.
Please read quickly.
For more details see the attached document.
For more information see the attached document.
Approved, here is the document.
I have found the <attachment name>.
My <attachment name> is attached.
Your <attachment name> is attached.
Please, <attachment name>.
Your file is attached to this mail.
Please read the attached document.
Please have a look at the attached document.
See the document for details.
Here is the document.
The requested <attachment name> is attached!
I have sent the <attachment name>.
Please see the <attachment name>.
The <attachment name> is attached.
Here is the <attachment name>.
Please have a look at the <attachment name>.
Please read the <attachment name>.
Yours sincerely
Thank you
Thanks
+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new Panda OnlineAntiVirus
+++ Website: www.pandasoftware.com
+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new MCAfee OnlineAntiVirus
+++ Homepage: www.mcafee.com
+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new F-Secure OnlineAntiVirus
+++ Visit us: www.f-secure.com
+++ X-Attachment-Type: document
+++ X-Attachment-Status: no virus found
+++ Powered by the new Norton OnlineAntiVirus
+++ Free trial: www.norton.com
The attachment name is random, with a pif extension.
I-Worm/Netsky.U
Installation:
When the worm is launched, it copies itself as SymAV.exe to the Windows directory and registers itself as "SymAV" in the Run key of the Windows Registry.
Spreading: e-mail
The worm spreads by sending itself to e-mail addresses harvested from files with the ppt, nch, mmf, mht, xml, wsh, jsp, xls, stm, ods, msg, oft, sht, html, htm, pl, dbx, tbb, adb, dhtm, cgi, shtm, uin, rtf, vbs, doc, wab, asp, mdx, mbx, cfg, php, txt and eml extensions.
The message format is as follows:
The sender address is faked.
The message subject is one of the following:
Reply
Again
It's me
Hey
Hello
Re: Hello
Re: Hi
The message body is generated from the following texts:
Oh, I got it!
To less characters! Take it easy...
I noticed your password for administrative purpuses.
Yet another password! Need a better one?
Oh... your password!
Need a better password? my advice....
Your pwd is critical, too short, to low!
Do not use personal information for your password!
Your password on a website?
Passwordlist? yours?
I needed only 2 hours to get your password.
Change your password! I have stolen some text, excuse me!
Dictionary attacks are good. Your password not!
I used the brute-force method to get your password..
Take it easy... Your password is too short.
I 've got your password! take it easy...
Hey, easy passwords!
Oh! Excuse me, your password is too easy!!!
Not with me!
Here is a sample of your private documents I have stolen!
Your privacy! lol, youre not protected!
Needed? No, here I give it back!
I believe from the document you are a child!
Check your document, errors are there!
Please, please, Give me another banned document about you!
Short and good, your document!
Jooooooooo.... document? Yours????? Wehaaa!
I do not accept documents from bad guys!
I do not want your document!
Go to hell an burn with your bad document!
I will send your list to the police!!!!
Hello, here.
It's the truth, your document not!!!
Could I have more texts about you?
Thus is enough. Stop sending your shitty documents!!!
One, two three, more, I have many questions to you document!
Nice, nice, more and more? do you?
Should I believe it? No, however, your story is bad.
Oh.....puh, your story is very strong!
Yours is very nice!
Do you have more of that?
Hey ya, nice document. Do you have more?
Abou you?
banned pic abou you?
Do you have a digicam to make your private photos?
More banned...your body is banned!
banned, you?
Are you banned?
More private photos of you? no!
Private photos...mmmhh. I like it. Post me more please!
Hey, banned one!
Hey, have you ever seen your photo?
Eat my banned! Your photo is bad.
Do not distribute your banned photos!
Uhaaa! banned... are you cranky?
Your are banned? Tell me more...please!
Hey, private or private..banned?
Pah!...take your private photo, banned and so, and go away.
I have sent your private photo to the police.
What is when I show your private illegal photo the police?
You? Very funny! More available?
I don't want to see your photo!
banned... your photo! banned?
The attachment extension is pif. The attachment name is one of the following:
morepasswords
cracked_password
easypassword
yourpassword
password
passwords
pwd_list
your_password
your_pwd
yourspwd
pwd
password02
pwds04
pass01
correct_pass
listed
detailed
approvdoc
doc_ed
morestory
abuses
mail
story
letter
sexydocument
doc
yetanotherdocument
trieddocument
posteddocument
abusedocument
illegaldocument
doc04
shortdoc
details
alldoc
document_part
anotherdocument
document3
founddocument
your_doc04
onedocument
mydocument
yourdocument
yourdoc
document
photo03
your_photo
private_pic
private_photo
about_you
your_bad_photo
xxx_yours_naked
your_private_document
private
yourpic
yournakedpic
pic04
yours
yourimage
yourphoto
yoursnaked
yours_naked
img05
not_permitted
yours_naked_img
yours_funny
I-Worm/Netsky.V
Installation:
When the worm is launched, it copies itself as KasperskyAVEng.exe to the Windows directory and registers itself as "KasperskyAVEng" in the Run key of the Windows Registry. The worm also creates the file skyav.tmp in the Windows directory.
Spreading: e-mail
The worm spreads by sending itself to e-mail addresses harvested from files with the ppt, nch, mmf, mht, xml, wsh, jsp, xls, stm, ods, msg, oft, sht, html, htm, pl, dbx, tbb, adb, dhtm, cgi, shtm, uin, rtf, vbs, doc, wab, asp, mdx, mbx, cfg, php, txt and eml extensions.
The message format is as follows:
The sender address is faked.
The message subject is one of the following:
Mail Delivery Sytem failure
Mail delivery failed
Server Status failure
Gateway Status failure
The message body is one of the following:
The processing of this message can take a few minutes...
Converting message. Please wait...
Please wait while loading failed message...
Please wait while converting the message...
There is no attachment; the message is in HTML form and contains a script that manages the download and launch of the infected file from the Internet. This script abuses an Internet Explorer vulnerability that causes the malicious code to be launched automatically when the HTML message is viewed or opened in Outlook.
Backdoor:
The virus opens a port and listens on it for commands.
I-Worm/Netsky.AA
Installation:
When the worm is launched, it copies itself as winlogon.scr to the Windows directory and registers itself as "SkynetsRevenge" in the Run key of the Windows Registry. It then displays this message: Out of system memory.
Spreading: e-mail
The worm spreads by sending itself to e-mail addresses harvested from files with the ppt, nch, mmf, mht, xml, wsh, jsp, xls, stm, ods, msg, oft, sht, html, htm, pl, dbx, tbb, adb, dhtm, cgi, shtm, uin, rtf, vbs, doc, wab, asp, mdx, mbx, cfg, php, txt and eml extensions.
The message format is as follows:
The sender address is faked.
The message subject is one of the following:
Re: Job
Re: Pricelist
Re: Patch
Re: Poster
Re: Final
Re: Demo
Re: War
Re: Cheaper
Re: Fax number
Re: Advice
Re: Presentation
Re: Movie
Re: Website
Re: Product
Re: Letter
Re: Missed
Re: Error
Re: Bill
Re: e-Books
Re: Contacts
Re: Paint file
Re: Text file
Re: List
Re: Tel. Numbers
Re: Application
Re: Music
Re: Step by Step
Re: Summary
Re: Hello
Re: Hi
Re: Information
Re: Private
Re: Photos
Re: Details
Re: Thank you!
Re: Text
Re: Approved
Re: Document
The message body is one of the following:
For furher details see the attached file.
Your file is attached.
Please read the attached file.
Please have a look at the attached file.
Please take the attached file.
See the attached file for details.
Please view the attached file.
Here is the file.
Your document is attached.
The attachment name is selected from the following list:
Your_Job.pif
Your_Pricelist.pif
Your_Patch.pif
Your_Poster.pif
Your_Final_Document.pif
Your_Demo.pif
Osam_Bin_Laden_Articel_42.pif
Your_Product_List.pif
My_Fax_Numbers.pif
My_Advice.pif
Your_Presentation.pif
Your_Movie.pif
Your_Website.pif
Your_Product.pif
Your_Letter.pif
Your_Excel_Document.pif
Your_Error.pif
Your_Bill.pif
Your_E-Books.pif
Your_Contacts.pif
Your_Paint_File.pif
Your_Text_File.pif
Your_List.pif
My_Telephone_Numbers.pif
Your_Software.pif
Your_Music.pif
Your_Description.pif
Your_Summary.pif
Your_Digicam_Pictures.pif
Your_Information.pif
Your_Private_Document.pif
Your_Pics.pif
Your_Details.pif
Your_Document_Part3.pif
Your_Text.pif
Your_Document.pif
I-Worm/Netsky.AB
Installation:
When the worm is launched, it copies itself as csrss.exe to the Windows directory and registers itself as "BagleAV" in the Run key of the Windows Registry.
Spreading: e-mail
The worm spreads by sending itself to e-mail addresses harvested from files with the ppt, nch, mmf, mht, xml, wsh, jsp, xls, stm, ods, msg, oft, sht, html, htm, pl, dbx, tbb, adb, dhtm, cgi, shtm, uin, rtf, vbs, doc, wab, asp, mdx, mbx, cfg, php, txt and eml extensions.
The message format is as follows:
The sender address is faked.
The message subject is one of the following:
Correction
Hurts
Privacy
Password
Wow
Criminal
Pictures
Text
Money
Stolen
Found
Numbers
Funny
Only love?
More samples
Picture
Letter
Question
Illegal
The message body is one of the following:
Please use the font arial!
How can I help you?
Still?
I've your password.
Take it easy!
Why do you show your body?
Hey, are you criminal?
Your pictures are good!
The text you sent to me is not so good!
True love letter?
Do you have no money?
Do you have asked me?
I've found your creditcard.
Check the data!
Are your numbers correct?
You have no chance...
Wow! Why are you so shy?
Do you have more samples?
Do you have more photos about you?
Do you have written the letter?
Does it hurt you?
Please do not sent me your illegal stuff again!!!
The attachment name is selected from the following list:
corrected_doc.pif
hurts.pif
document1.pif
passwords02.pif
image034.pif
myabuselist.pif
your_picture01.pif
your_text01.pif
your_letter.pif
your_bill.pif
my_stolen_document.pif
visa_data.pif
pin_tel.pif
your_text.pif
loveletter02.pif
all_pictures.pif
your_letter_03.pif
your_picture.pif
abuses.pif
I know most of us use eBay, so I thought this might have been important.
Source: http://free.grisoft.com/freeweb.php/lng/us/doc/Virus+Encyclopaedia/tpl/v5/idn/086fda676cae3000
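As an added example (not part of the original post or of the Grisoft entry it quotes), the following Python triage function checks one e-mail for the indicators the entry describes: the fake "No Virus found" certification lines appended by Netsky.Q and Netsky.T, the double-extension executable attachment names (doc.scr, txt.exe, ...), and the attachment-less HTML message carrying a script that Netsky.V uses. The sample messages are constructed here for offline testing; the markers and extensions are taken from the text above.

```python
import email
from email import policy
from email.message import EmailMessage

# Final extensions used by the Netsky attachments described above (a zip wraps a
# second executable, so it is flagged as well).
EXEC_EXT = {"exe", "scr", "pif", "zip"}
# Decoy first extensions seen in the double-extension names (doc.scr, txt.exe, ...).
DECOY_EXT = {"doc", "txt", "rtf", "jpg", "mp3", "mpg"}
# Fake scan-result lines that Netsky.Q and Netsky.T append to the message body.
FAKE_CERT_MARKERS = ("+++ Attachment: No Virus found",
                     "+++ X-Attachment-Status: no virus found")

def double_extension(filename):
    """Return (decoy, final) for names like prod_info_47532.doc.scr, else None."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in DECOY_EXT and parts[2] in EXEC_EXT:
        return parts[1], parts[2]
    return None

def netsky_indicators(raw):
    """Return the list of Netsky indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    # Netsky.Q / .T: forged "No Virus found" certification in the body text.
    if any(marker in text for marker in FAKE_CERT_MARKERS):
        hits.append("fake-av-certification")
    # Netsky.A / .Q: double-extension or bare executable attachment names.
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]
    for name in names:
        if double_extension(name):
            hits.append("double-extension:" + name)
        elif name.lower().rsplit(".", 1)[-1] in EXEC_EXT - {"zip"}:
            hits.append("executable-attachment:" + name)
    # Netsky.V: no attachment at all, HTML body carrying a script.
    if (not names and body is not None and body.get_content_type() == "text/html"
            and "<script" in text.lower()):
        hits.append("html-script-no-attachment")
    return hits

# Constructed sample messages (not real captures) for running the check offline.
def sample_netsky_q():
    m = EmailMessage()
    m["From"] = "someone@example.invalid"  # Netsky forges the sender address
    m["Subject"] = "Re: Your document"
    m.set_content("Please read the attached file.\n\n"
                  "+++ Attachment: No Virus found\n"
                  "+++ Norton AntiVirus - www.symantec.de\n")
    m.add_attachment(b"MZ stand-in, not a real executable", maintype="application",
                     subtype="octet-stream", filename="document05.txt.scr")
    return m.as_string()

def sample_netsky_v():
    m = EmailMessage()
    m["Subject"] = "Mail Delivery Sytem failure"  # typo as in the worm's subject
    m.set_content("<html><body>Converting message. Please wait..."
                  "<script>/* stand-in; the real one fetched the worm */</script>"
                  "</body></html>", subtype="html")
    return m.as_string()
```

A plain-text message with a normal attachment such as notes.pdf returns an empty list, so the function can be run over a mailbox export to pull out only the suspect messages.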