Nova varijanta crva!

Nova varijanta crva!

offline
  • SINGI
  • Pridružio: 22 Avg 2003
  • Poruke: 787
  • Gde živiš: Beograd

I-Worm.Netsky.d
[ 03/01/2004 14:27, GMT +03:00, Moscow ]
Danger : severe risk

Kaspersky Labs has detected I.Worm.Netsky.d, the fourth version of the mail-worm Moodown. The worm spreads via the Internet as a file attached to infected emails.

The worm is a Windows PE EXE file of approximately 17KB. It is written in Microsoft Visual C++, and packed using Petite. The size of the unpacked file is approximately 27KB.

Contents of infected messages
Message header, chosen at random from the list below

Re: Re: Document
Re: Re: Thanks!
Re: Thanks!
Re: Your document
Re: Here is the document
Re: Your picture
Re: Re: Message
Re: Hi
Re: Hello
Re: Re: Re: Your document
Re: Here
Re: Your music
Re: Your software
Re: Approved
Re: Details
Re: Excel file
Re: Word file
Re: My details
Re: Your details
Re: Your bill
Re: Your text
Re: Your archive
Re: Your letter
Re: Your product
Re: Your website

Message body, chosen at random from the list below:

Your document is attached.
Here is the file.
See the attached file for details.
Please have a look at the attached file
Please read the attached file.
Your file is attached.

Attachment name, chosen at random from the list below:

your_document.pif
document.pif
message_part2.pif
document_full.pif
message_details.pif
your_file.pif
document_4351.pif
yours.pif
mp3music.pif
application.pif
all_document.pif
my_details.pif
document_excel.pif
document_word.pif
your_details.pif
your_bill.pif
your_text.pif
your_archive.pif
your_letter.pif
your_product.pif
your_website.pif

The worm copies itself to %WinDir% under the name "winlogon.exe".

It adds the following key to the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"ICQ Net" = "%windir%\winlogon.exe"

Kaspersky Labs' personnel are still analysing the worm, and a more detailed description will be available soon.

An urgent update to Kaspersky Labs anti-virus databases has already been issued.



Registruj se da bi učestvovao u diskusiji. Registrovanim korisnicima se NE prikazuju reklame unutar poruka.
offline
  • SINGI
  • Pridružio: 22 Avg 2003
  • Poruke: 787
  • Gde živiš: Beograd

Evo i definitivnog razjasnjenja, tako da i ovaj crv ide u arhivu resenih problema Cool

I-Worm.Netsky.d

This worm spreads via the Internet as a file attached to infected messages.

The worm is a Windows PE EXE file, of approximately 17424 bytes, written in Microsoft Visual C++. It is packed using Petite. The unpacked file is approximately 27KB in size.
Infected messages
Message header, chosen at random from the list below:

Re: Re: Document
Re: Re: Thanks!
Re: Thanks!
Re: Your document
Re: Here is the document
Re: Your picture
Re: Re: Message
Re: Hi
Re: Hello
Re: Re: Re: Your document
Re: Here
Re: Your music
Re: Your software
Re: Approved
Re: Details
Re: Excel file
Re: Word file
Re: My details
Re: Your details
Re: Your bill
Re: Your text
Re: Your archive
Re: Your letter
Re: Your product
Re: Your website

Message body, chosen at random from the list below:

Your document is attached.
Here is the file.
See the attached file for details.
Please have a look at the attached file
Please read the attached file.
Your file is attached.

Attachment name, chosen at random from the list below:

your_document.pif
document.pif
message_part2.pif
document_full.pif
message_details.pif
your_file.pif
document_4351.pif
yours.pif
mp3music.pif
application.pif
all_document.pif
my_details.pif
document_excel.pif
document_word.pif
your_details.pif
your_bill.pif
your_text.pif
your_archive.pif
your_letter.pif
your_product.pif
your_website.pif

The worm is activated only if the user executes the infected file by double clicking on the attachment. The worm then installs itself to the system, and starts propagating.
Installation
When installing, the worm copies itself to the Windows directory under the name winlogon.exe and registers this file in the system registry auto-run key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

Sending messages
To harvest email addresses, the worm searches for files with the following extensions:

.adb
.asp
.dbx
.doc
.eml
.htm
.html
.msg
.oft
.php
.pl
.rtf
.sht
.tbb
.txt
.uin
.vbs
.wab

and sends a copy of itself to all addresses found in these files. The worm uses its own SMTP engine to send messages.

It attempts to send itself via the following SMTP servers:

62.155.255.16
212.185.252.73
212.185.253.70
212.185.252.136
194.25.2.129
194.25.2.130
195.20.224.234
217.5.97.137
194.25.2.129
193.193.144.12
212.7.128.162
212.7.128.165
193.193.158.10
194.25.2.131
194.25.2.132
194.25.2.133
194.25.2.134
193.141.40.42
145.253.2.171
193.189.244.205
213.191.74.19
151.189.13.35
195.185.185.195
212.44.160.8

Deletion of Mydoom
In a similar way to several other worms, Netsky.d is programmed to deleted Mydoom from the infected machine. It searches the following branches of the system registry for the Explorer and Taskmon keys:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]

and also deletes the following key:

[HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]

Other
The worm deletes the keys KasperskyAv and system from the system registry.



offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

Pitanje: Sta se desava kada postu pregledjujem preko webmaila ( konkretno hotmail.com) ? Postoji li opasnost od zaraze ?

offline
  • Pridružio: 18 Apr 2003
  • Poruke: 5001
  • Gde živiš: Beograd

pa hotmail ima mcafee skener a mislim da ne postoji mogucnost da se zarazis ako ne skidas priloge iz mailova

offline
  • Goran 
  • Prof.Mr.Dr.Sci. Traumatologije
  • Pridružio: 05 Maj 2003
  • Poruke: 9977
  • Gde živiš: Singidunum

Pregledom ne, "download"-om da!

offline
  • Pridružio: 04 Sep 2003
  • Poruke: 24135
  • Gde živiš: Wien

mcafee nije detektovao nista, a u prilogu je bio cuveni pif fajl.

offline
  • SVITAC 
  • Legendarni građanin
  • Pridružio: 28 Apr 2003
  • Poruke: 5919
  • Gde živiš: Beograd

Da li je promenio extenziju ?

Ko je trenutno na forumu
 

Ukupno su 963 korisnika na forumu :: 28 registrovanih, 4 sakrivenih i 931 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: AC-DC, Alibaba1981, avijacija, bokisha253, cenejac111, Centauro, Chainsaw, djuradj, draggan, GORDI, Griffon vulture, Koridor, Kubovac, laki_bb, mane123, mercedesamg, Metanoja, MiGac, Motocar, nenooo, nextyamb, Petarvu, rovac, shaja1, shlauf, vaso1, virked, Vlad000