VSantivirus No. 1334 Year 8, Tuesday, March 2, 2004
W32/Netsky.E. Variant of Netsky "D"
http://www.vsantivirus.com/netsky-e.htm
Name: W32/Netsky.E
Type: Internet worm
Alias: Netsky.E, Moodown.E, I-Worm.Moodown.e, Win32/Netsky.E, W32/Netsky.e@MM, W32/Netsky.E.worm,
WORM_NETSKY.E, W32/Netsky-E, W32/Netsky.c@MM, Win32.Netsky.E, Worm.SomeFool.D
Date: 1/Mar/04
Platform: Windows 32-bit
Size: 24,840 bytes (PEtite)
This worm, written in Microsoft Visual C++ and packed with the PEtite utility, was first reported on March 1, 2004. It is based on version "C" of the worm, and its code is still being analyzed.
When run, the worm copies itself into the Windows directory:
c:\windows\winlogon.exe
NOTE: The "c:\windows" folder may vary according to the installed operating system ("c:\winnt" on NT; "c:\windows" on 9x, Me, XP, etc.).
The worm creates the following registry entry so that it runs on every restart:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ICQNet = c:\windows\winlogon.exe -stealth
It also deletes the following registry entries, which belong to other worms:
Mydoom.A:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Taskmon
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Taskmon
Mydoom.B:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Explorer
Mydoom A and B:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
Mimail.T:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
KasperskyAv
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
KasperskyAv
Netsky A and B:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
service
Others:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
system.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Runservices
System.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
msgsvr32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
DELETE ME
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
d3dupdate.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
au.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
OLE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Sentry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
PINF
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
WksPatch
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Windows Services Host
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Windows Services Host
The worm searches for e-mail addresses in files with the following extensions, on all local and mapped network drives from C to Z, except CD-ROM drives:
.adb
.asp
.bdx
.cgi
.dhtm
.doc
.eml
.htm
.html
.msg
.oft
.php
.pl
.rtf
.sht
.shtm
.tbb
.txt
.uin
.vbs
.wab
When it detects an established Internet connection, the worm begins to spread.
To increase its rate of spread, it launches 4 simultaneous threads, each of which can send messages with the following characteristics:
From: [a forged address]
Subject: [one of the following]
[empty]
Announcement
Approved
Attention
automatic notification
automatic responder
believe me
Confirmation
Confirmation Required
dear
Delivery Failed
denied!
Details
error
exception
excuse me
Expired account
fake?
good morning
hello
Here is it
hey
hi
hi, it's me
illegal...
I'm back!
important
info
its me
last chance!
lol
Love is
moin
notice!
notification
oh
please read
please reply
private?
question
Question
re:
Re: <5664ddff?$??º2>
Re: <censored>
Re: Approved
Re: Details
Re: does it?
Re: does it?
Re: excuse me
Re: hello
Re: hey
Re: hi
Re: important
Re: information
Re: information
Re: Re: Re: Re:
Re: Thank you
Re: unknown
read it immediatelly
read now!
Read this message
registered?
Registration confirm
report
Returned Mail
Schedule
something for you
Status
stolen
take it
Thank you
Thank You very very much
trust me
warning
what's up?
Yep
You have 1 day left
You use illegal...
you?
Your IP was logged
Your request was registered
Message body: [one of the following]
[empty]
*lol*
;-)
<...>
<?}
<<<Failure>>>
<09580985869gj>
<Antispam complete>
<Attached Msg>
<Attachment from Poland>
<Attachment Signature 34933920>
<Automailer>
<bad gateway>
<Click the attachment to decrypt>
<Failed message available>
<Mail failed>
<Message Error>
<null>
<scanned by norton antivirus>
<Server Error>
<Transfer complete>
<Warning from the Government>
a crazy doc about you
abuse?
account?
already?
another pic, have fun! ... :->
Antispam is turned off. See file!
are you a photographer?
are you a teacherin the picture?
are you cranky?
are you the naked one?
are you the naked person!
are you the one?
attachi#
Authentification required. Read the att...
be mad?
best?
bob the builder
child or adult?
child porn?
classroom test of you?
copyright?
correct it!
did you ask me for that?
did you know from this document?
did you know that?
did you see her already?
did you sent it to me?
do not give up!
do not open the attachment!
do not show this anyone!
do not use my document!
do not visit the pages on the list I se...
do you have an orgasm in the picture?
do you have sex in the picture?
do you have the bug also?
do you have?
do you know the thief?
do you know this????
do you think so?
doc about me?
doc?
docs?
does it belong to you?
does it belong to you?
does it match?
does it matter?
drugs? ...
excellent!
explain!
fast food...
feel free to use it.
File is bad.
File is damaged.
File is self-decryting.
forgotten?
from the chatter (my photo!)
from your lover ;-)
gonna?
good work!
great job!
great xxx!
great!
greetings
help attached
her.
here is it.
here is my advice.
here is my photo!
here is the $%%454$
here is the <censored>
here is the document.
here is the next one!
here is yours!
here, the cheats
here, the introduction
here, the serials
how?
i am desperate
i am speachless about your document!
I don't know your document!
i don't think so.
i don't want your xxx pics!
i found that about you!
i found this document about you.
i have received this.
I have your password!
i hope thats not true!
i know your document!
i like your doc!
i lost that
i need you!
i saw you last week!
I 've found your bill!
I wait for an answer!
i wait for your comment about it.
i want more...
illegal st. of you?
important?
in your mind?
incest?
information about you?
Instant patches.
instruct me about this!
is that criminal?
is that possible?
is that the reality?
is that true?
is that your account?
is that your account?
is that your attachment?
is that your beast?
is that your car?
is that your car?
is that your cd?
is that your creditcard?
is that your domain?
is that your family?
is that your finger?
is that your message?
is that your name?
is that your photo?
is that your porn pic?
is that your privacy?
is that your slip?
is that your TAN?
is that your website?
is that your wife?
is that your work?
is that yours?
is the pic a fake?
is this information about you?
it's a secret!
its private from me
it's so similar as yours!
i've found it about you
kill him on the picture!
kill the writer of this document!
let it!
lets talk about it!
Login required! Read the attachment!
love letter?
man or women?
meaning of that?
message?
Microsoft
misc. and so on. see you!
modifications?
money?
msg
my advice....
never!
new patch is available!
ok...
old photos about you?
only encrypted!
pages?
personal message!
picture?
poor quality!
possible?
pretty pic about you?
pwd?
read it immediately!
read the details.
really?
reply
schoolfriend?
see this!
see your name!
solve the problem!
something about you!
something is going ...
something is going wrong!
something is not ok
stuff about you?
such as yours?
take it easy!
tell me more about your document!
test it
that is interesting...
that's a funny text.
that's not the truth?
thats wrong!
the information is wrong!
the truth?
this file is bad!
this is an attachment message!
this is nothing for kids!
time to fear?
Transaction failed. Show the doc!
trial?
try this patch!
what do you think about it?
what means that?
what still?
what?
who?
why should I?
why?
wrong calculation! (see the attachment!...
xxx ?
xxx about you?
xxx service
yes.
you are a bad writer
you are bad
You are infected. Read the details!
you are naked in this document!
you are sexy in this doc!
you cannot hide yourself! (see photo)
you earn money, see the attachment!
you feel the same.
you have a sexy body in the pic!
you have done a mistake in the document...
you have tried to steal!
you look like an ape!
you look like an rat?
you won the rk!
your account is expired!
your are naked?
your attachment? verify it.
Your bill.
your body?
your design is not good!
your document is not good
your document is silly!
your eyes?
your face?
your hero in the picture?
your icq number?
your job? (I found that!)
your lie is going around the world!
your name is wrong!
your personal record?
your photo is poor
Your provider will be disabled!
your TAN number?
yours?
Attachment: [chosen at random from the following list]:
454543403
aboutyou
associal
attach2
attachment
auction
bill
birth
card
class_photos
concert
creditcard
death
description
details
dinner
disco
doc
doc_ang
document
final
found
freaky
friend
id
image
important
incest
information
injection
intimate stuff
jokes
letter
location
mail2
mails
masturbation
material
me
message
misc
moonlight
more
msg
msg2
music
myaunt
mydate
naked1
naked2
news
nomoney
note
nothing
number_phone
object
old_photos
part2
party
paypal
pic
portmoney
poster
posting
privacy
product
ps
ranking
regards
regid
release
response
schock
secrets
sexual
sexy
shower
story
stuff
swimmingpool
talk
tear
textfile
topseller
transfer
trash
undefinied
unfolds
update
violence
visa
warez
webcam
website
wife
word_doc
worker
your_stuff
yours
yours
The attachment may have one or two extensions. The first extension may be one of the following (it may be omitted):
.doc
.gif
.htm
.jpg
.rtf
.txt
The second, or only, extension may be one of the following:
.bat
.cmd
.com
.exe
.pif
.scr
Sometimes there are spaces before the last extension, so that the real extension is pushed out of view. Examples:
visa.rtf                    .scr
document.txt.pif
454543403.exe
The attachment may also have a .ZIP extension, in which case it contains an executable with the same name inside it. Examples:
class_photos.zip (contains class_photos.exe)
doc.zip (contains doc.txt.scr)
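The naming scheme above (optional decoy document extension, optional run of spaces, executable final extension, or a ZIP carrying a same-named executable) is something a mail gateway can check mechanically. The following Python filter is an added example written for this page, not code from the advisory or from VSAntivirus; the extension lists come from the advisory, while the function names, the indicator labels and the sample ZIP are constructed for illustration.

```python
import io
import re
import zipfile

# Extension lists as given in the advisory: an optional decoy "document"
# extension followed by the real executable extension.
DECOY_EXTS = {".doc", ".gif", ".htm", ".jpg", ".rtf", ".txt"}
EXEC_EXTS = {".bat", ".cmd", ".com", ".exe", ".pif", ".scr"}

# base name, optional decoy extension, optional whitespace padding, final extension
_NAME_RE = re.compile(
    r"^(?P<base>.+?)(?P<decoy>\.[A-Za-z0-9]+)?(?P<pad>\s*)(?P<final>\.[A-Za-z0-9]+)$"
)


def parse_attachment_name(name):
    """Split a filename into base / decoy extension / padding / final extension.
    Returns None when the name carries no extension at all."""
    m = _NAME_RE.match(name.strip())
    if not m:
        return None
    return {
        "base": m.group("base"),
        "decoy": (m.group("decoy") or "").lower(),
        "pad": m.group("pad"),
        "final": m.group("final").lower(),
    }


def netsky_indicators(name, payload=None):
    """Return the Netsky.E-style traits found in an attachment name and, for a
    .zip with its bytes supplied, in the archive contents. Empty list = no match.
    The indicator labels are constructed for this example."""
    found = []
    parts = parse_attachment_name(name)
    if parts is None:
        return found
    if parts["final"] in EXEC_EXTS:
        found.append("executable-extension")
        if parts["decoy"] in DECOY_EXTS:
            found.append("decoy-extension")
        if parts["pad"]:
            found.append("whitespace-before-extension")
    if parts["final"] == ".zip" and payload is not None:
        zip_base = parts["base"].lower()
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    inner = parse_attachment_name(member)
                    # The worm's ZIP holds an executable with the archive's own base name
                    if (inner and inner["final"] in EXEC_EXTS
                            and inner["base"].lower() == zip_base):
                        found.append("zip-with-same-name-executable")
                        break
        except zipfile.BadZipFile:
            pass  # not a ZIP despite the extension; nothing more to say here
    return found


def make_sample_zip(inner_name, content=b"constructed sample, not a real program"):
    """Build an in-memory ZIP with one member (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # The advisory's own example names plus one benign control
    for sample in ("visa.rtf                    .scr", "document.txt.pif",
                   "454543403.exe", "quarterly_report.pdf"):
        print(repr(sample), "->", netsky_indicators(sample))
    print("doc.zip ->", netsky_indicators("doc.zip", make_sample_zip("doc.txt.scr")))
```

The regex keeps the base name non-greedy so that a double extension is split into decoy and final parts rather than swallowed into the base; names with spaces in the base (such as "intimate stuff") still parse. Only the ZIP check needs the attachment bytes; the other checks work from the filename alone, which is what a header-only gateway rule would see.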
The worm avoids sending messages to addresses containing any of the following strings:
abuse
antivi
aspersky
avp
cafee
fbi
f-pro
f-secur
icrosoft
itdefender
messagelabs
orman
orton
skynet
spam
ymantec
It has its own SMTP engine, and if, while sending messages, it fails to query the name server configured for the current connection, it falls back to DNS servers at the following addresses:
194.25.2.129
194.25.2.129
194.25.2.130
194.25.2.131
194.25.2.132
194.25.2.133
194.25.2.134
212.44.160.8
217.5.97.137
145.253.2.171
151.189.13.35
193.141.40.42
213.191.74.19
212.7.128.162
212.7.128.165
195.20.224.234
62.155.255.16
193.193.144.12
193.193.158.10
212.185.253.70
212.185.252.73
193.189.244.205
195.185.185.195
195.185.185.195
212.185.252.136
The worm creates the mutex (semaphore) "[SkyNet.cz]SystemsMutex" so that it does not run more than once in memory.
If the date is March 2, 2004, and the worm runs between 6 and 9 in the morning, it emits a continuous series of beeps through the PC speaker.
The worm's code contains the following text:
be aware! Skynet.cz - -->AntiHacker Crew<--
Manual removal
Antivirus
1. Update your antivirus with the latest definitions
2. Run it in scan mode, checking all your disks
3. Delete the files detected as infected
Manually delete the files added by the virus
From Windows Explorer, locate and delete the following file:
c:\windows\winlogon.exe
IMPORTANT: Do not delete C:\WINDOWS\SYSTEM32\WINLOGON.EXE, as it is a legitimate Windows file.
Right-click the "Recycle Bin" icon on the desktop and select "Empty Recycle Bin".
Editing the registry
Note: some of the registry branches mentioned here may not be present, since that depends on which version of Windows is installed.
1. Run the registry editor: Start, Run, type REGEDIT and press ENTER
2. In the editor's left pane, click the "+" sign until you open the following branch:
HKEY_LOCAL_MACHINE
\SOFTWARE
\Microsoft
\Windows
\CurrentVersion
\Run
3. Click the "Run" folder and, in the right pane, under the "Name" column, find and delete the following entry:
ICQNet
4. Use "Registry", "Exit" to leave the editor and confirm the changes.
5. Restart your computer (Start, Shut Down, Restart).
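The two removal steps above hinge on one distinction: the worm's copy is winlogon.exe directly in the Windows directory (c:\windows or c:\winnt), while the genuine file lives in system32. The following Python script is an added example for this page, not code from the advisory or from VSAntivirus: it classifies Run-key values against the persistence entry described above without deleting anything, and on Windows it can read the live key. The sample Run values, the "UpdateChecker" entry and the reason labels are constructed for illustration.

```python
import ntpath

try:
    import winreg  # Windows only; the classification below needs no live registry
except ImportError:
    winreg = None

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Value name and command-line switch the advisory attributes to Netsky.E
NETSKY_VALUE_NAME = "icqnet"
NETSKY_SWITCH = "-stealth"

# Constructed sample, modelled on the advisory's entry plus one benign value
SAMPLE_RUN_VALUES = {
    "ICQNet": r"c:\windows\winlogon.exe -stealth",
    "UpdateChecker": r'"C:\Program Files\Example\update.exe" /quiet',
}


def is_legitimate_winlogon(path):
    """True only for %SystemRoot%\\system32\\winlogon.exe (any drive or case).
    The worm's copy sits one level up, directly in the Windows directory."""
    norm = ntpath.normpath(path.strip().strip('"')).lower()
    head, tail = ntpath.split(norm)
    return tail == "winlogon.exe" and ntpath.basename(head) == "system32"


def split_command(value):
    """Separate the executable path from its arguments in a Run value.
    A quoted path is honoured; otherwise the first token is the path."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end != -1:
            return value[1:end], value[end + 1:].strip()
    parts = value.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def find_netsky_run_entries(run_values):
    """Given {value_name: command} from a Run key, return (name, reasons) for
    every value matching the worm's persistence entry. The genuine
    system32\\winlogon.exe is never reported on its path alone."""
    hits = []
    for name, command in run_values.items():
        exe, args = split_command(command)
        reasons = []
        if name.lower() == NETSKY_VALUE_NAME:
            reasons.append("value-name-icqnet")
        if (ntpath.basename(exe).lower() == "winlogon.exe"
                and not is_legitimate_winlogon(exe)):
            reasons.append("winlogon.exe-outside-system32")
        if NETSKY_SWITCH in args.lower().split():
            reasons.append("stealth-switch")
        if reasons:
            hits.append((name, reasons))
    return hits


def read_run_values(hive=None):
    """Read the live Run key under HKLM (or the given hive). Returns {} off Windows."""
    if winreg is None:
        return {}
    hive = winreg.HKEY_LOCAL_MACHINE if hive is None else hive
    values = {}
    with winreg.OpenKey(hive, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the values are exhausted
                break
            values[name] = str(data)
            index += 1
    return values


if __name__ == "__main__":
    live = read_run_values()
    source = live if live else SAMPLE_RUN_VALUES
    for name, reasons in find_netsky_run_entries(source):
        print(f"{name}: {', '.join(reasons)}")
```

Run it on the affected machine to list matching values before touching the registry; the advisory's own steps (delete the ICQNet value, delete c:\windows\winlogon.exe, keep system32\winlogon.exe) remain the removal procedure. Checking the path with ntpath rather than plain string matching means "C:\WINNT\System32\winlogon.exe" and "c:/windows/system32/winlogon.exe" are both recognised as the legitimate file.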
Additional information
Showing true file extensions
To see the true extensions of files, and also display those with the "Hidden" attribute, proceed as follows:
1. Open Windows Explorer
2. Select the 'View' menu (Windows 95/98/NT) or the 'Tools' menu (Windows Me/2000/XP), and click 'Options' or 'Folder Options'.
3. Select the 'View' tab.
4. UNCHECK the option "Hide file extensions for known file types" or similar.
5. On Windows 95/NT, CHECK the option "Show all hidden files and folders" or similar.
On Windows 98, under 'Hidden files', CHECK 'Show all files'.
On Windows Me/2000/XP, under 'Hidden files and folders', CHECK 'Show all hidden files and folders' and UNCHECK 'Hide protected operating system files'.
6. Click 'Apply' and 'OK'.
Virus cleanup on Windows Me and XP
If the installed operating system is Windows Me or Windows XP, in order to remove this virus from your computer correctly you must first disable the "System Restore" tool before taking any other action, as described in these articles:
Virus cleanup on Windows Me
http://www.vsantivirus.com/faq-winme.htm
Virus cleanup on Windows XP
http://www.vsantivirus.com/faq-winxp.htm
Updates:
09/07/04 - 13:04 -0300 (Alias: Worm.SomeFool.D)
(c) Video Soft - http://www.videosoft.net.uy
(c) VSAntivirus - http://www.vsantivirus.com