I-Worm.Netsky.c - generates sounds

This is an Internet worm that spreads as an attachment to infected e-mail messages. It is a PE EXE file about 23 KB in size (Petite-compressed; about 29 KB when unpacked).

Installation

The worm copies itself to the Windows folder under the name winlogon.exe and creates an auto-run key in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICQ Net" = "%Folder Windows%\winlogon.exe -stealth"

To mark an infected computer, the worm creates a unique identifier (mutex) in memory named [SkyNet.cz]SystemsMutex.
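As an added defender-side example (not part of the original report), the following Python checks a snapshot of the Run key's values for the indicators just described: the `ICQ Net` value name, a winlogon.exe launched from the Windows folder rather than System32, the `-stealth` argument, and the mutex name. The `run_values` dictionary layout and the expansion of the `%Folder Windows%` placeholder are assumptions of this example.

```python
import ntpath
import re

# Indicators quoted in the description above.
NETSKY_C_RUN_VALUE = "ICQ Net"
NETSKY_C_ARG = "-stealth"
NETSKY_C_MUTEX = "[SkyNet.cz]SystemsMutex"

def expand_windir(path, windir):
    """Expand the %Folder Windows% placeholder used above (and the usual %WINDIR%/%SystemRoot%)."""
    return re.sub(r"%(folder windows|windir|systemroot)%", lambda _m: windir, path, flags=re.I)

def split_command(data):
    """Split a Run value's data into (executable, arguments); handles a quoted executable path."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end], data[end + 1:].strip()
    exe, _, args = data.partition(" ")
    return exe, args.strip()

def autorun_findings(run_values, windir=r"C:\Windows"):
    """Map each suspicious Run value name to the reasons it matches Netsky.c's autorun entry.

    run_values is an assumed {value name: data} snapshot of
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.
    """
    findings = {}
    for name, data in run_values.items():
        exe, args = split_command(expand_windir(data, windir))
        reasons = []
        if name.lower() == NETSKY_C_RUN_VALUE.lower():
            reasons.append("value name 'ICQ Net' matches the Netsky.c autorun entry")
        if ntpath.basename(exe).lower() == "winlogon.exe":
            # The genuine winlogon.exe lives in %WINDIR%\System32 and is started by the
            # system itself, never from a Run value; a copy directly in the Windows folder is the worm.
            reasons.append("winlogon.exe launched from a Run value")
            if ntpath.normcase(ntpath.dirname(exe)) == ntpath.normcase(windir):
                reasons.append("winlogon.exe located directly in the Windows folder")
            if NETSKY_C_ARG in args.lower().split():
                reasons.append("started with the worm's '-stealth' argument")
        if reasons:
            findings[name] = reasons
    return findings

def is_netsky_c_mutex(name):
    """True if a mutex name is the infection marker the worm creates."""
    return name == NETSKY_C_MUTEX
```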

The worm creates copies of itself on drives C: to Z: in folders whose names contain the word share. The names of the copies are chosen from the following list:

  • Adobe Premiere 9.exe
  • Adobe Photoshop 9 full.exe
  • Ahead Nero 7.exe
  • Microsoft WinXP Crack.exe
  • Teen Porn 16.jpg.pif
  • Best Matrix Screensaver.scr
  • Porno Screensaver.scr
  • Dark Angels.pif
  • 3D Studio Max 3dsmax.exe
  • Keygen 4 all appz.exe
  • Windows Sourcecode.doc.exe
  • Norton Antivirus 2004.exe
  • Gimp 1.5 Full with Key.exe
  • Partitionsmagic 9.0.exe
  • Star Office 8.exe
  • XXX hardcore pic.jpg.exe
  • Microsoft Office 2003 Crack.exe
  • Serials.txt.exe
  • Screensaver.scr
  • Full album.mp3.pif
  • Virii Sourcecode.scr
  • E-Book Archive.rtf.exe
  • Doom 3 Beta.exe
  • How to hack.doc.exe
  • Learn Programming.doc.exe
  • WinXP eBook.doc.exe
  • Win Longhorn Beta.exe
  • Dictionary English - France.doc.exe
  • RFC Basics Full Edition.doc.exe
  • 1000 Sex and more.rtf.exe
  • Magix Video Deluxe 4.exe
  • Clone DVD 5.exe
  • MS Service Pack 5.exe
  • ACDSee 9.exe
  • Visual Studio Net Crack.exe
  • Cracks & Warez Archive.exe
  • WinAmp 12 full.exe
  • DivX 7.0 final.exe
  • Opera.exe
  • IE58.1 full setup.exe
  • Smashing the stack.rtf.exe
  • Ulead Keygen.exe
  • Lightwave SE Update.exe
  • The Sims 3 crack.exe

The worm also creates copies of itself in ZIP format.

Spreading

Victim addresses are harvested from files with the following extensions:

  • EML
  • TXT
  • PHP
  • PL
  • HTM
  • HTML
  • VBS
  • RTF
  • UIN
  • ASP
  • WAB
  • DOC
  • ADB
  • TBB
  • DBX
  • SHT
  • OFT
  • MSG
  • SHTM
  • CGI
  • DHTM

The worm sends infected e-mail messages using its own SMTP engine, and also attempts to distribute itself through a hard-coded list of 23 SMTP servers (identified by IP address).


Infected e-mail messages

Infected messages have the following fields:

  • Subject:

    • Delivery Failed
    • Status
    • report
    • question
    • trust me
    • hey
    • Re: excuse me
    • read it immediatelly
    • hi
    • Re: does it? 
    • Yep
    • important
    • hello
    • dear
    • Re: unknown
    • fake? 
    • warning
    • moin
    • what's up? 
    • info
    • Re: information
    • Here is it
    • stolen
    • private? 
    • good morning
    • illegal... 
    • error
    • take it
    • re: 
    • Re: Re: Re: Re: 
    • you? 
    • something for you
    • exception
    • Re: hey
    • excuse me
    • Re: hi
    • Re: does it? 
    • Re: important
    • Re: hello
    • believe me
    • Question
    • denied! 
    • notification
    • Re: <5664ddff?$???2>
    • lol
    • last chance! 
    • I'm back! 
    • its me
    • notice!

    The subject may also be empty.

  • Body:

    • what means that? 
    • help attached
    • <...>
    • ok... 
    • pwd? 
    • I wait for an answer! 
    • abuse? 
    • is that yours? 
    • you are a bad writer
    • I don't know your document! 
    • I have your password! 
    • you won the rk! 
    • something about you! 
    • classroom test of you? 
    • kill the writer of this document! 
    • old photos about you? 
    • i hope thats not true! 
    • your name is wrong! 
    • does it match? 
    • i found this document about you. 
    • time to fear? 
    • really? 
    • do you know this???? 
    • i know your document! 
    • did you sent it to me? 
    • this file is bad! 
    • why should I? 
    • pages? 
    • her. 
    • another pic, have fun! ... :->
    • test it
    • child porn? 
    • greetings
    • doc? 
    • trial? 
    • what? 
    • ;-)
    • i need you! 
    • correct it! 
    • see this! 
    • it's a secret! 
    • this is nothing for kids! 
    • it's so similar as yours! 
    • is that your car? 
    • do not give up! 
    • great job! 
    • here is the $%%454$
    • you are sexy in this doc! 
    • incest? 
    • let it! 
    • you look like an ape! 
    • you look like an rat? 
    • be mad? 
    • are you cranky? 
    • bob the builder
    • did you know that? 
    • money? 
    • xxx ? 
    • stuff about you? 
    • your document is not good
    • something is going wrong! 
    • your photo is poor
    • information about you? 
    • the information is wrong! 
    • doc about me? 
    • kill him on the picture! 
    • from the chatter (my photo!)
    • from your lover ;-)
    • love letter? 
    • here, the serials
    • are you a teacherin the picture? 
    • here, the introduction
    • is that criminal? 
    • here, the cheats
    • i like your doc! 
    • what do you think about it? 
    • that's a funny text. 
    • that's not the truth? 
    • do you have? 
    • instruct me about this! 
    • i lost that
    • i am speachless about your document! 
    • is that the reality? 
    • reply
    • msg
    • your design is not good! 
    • important? 
    • your TAN number? 
    • take it easy! 
    • why? 
    • you are naked in this document! 
    • thats wrong! 
    • your icq number? 
    • i am desperate
    • modifications? 
    • your personal record? 
    • yes. 
    • misc. and so on. see you! 
    • your attachment? verify it. 
    • you earn money, see the attachment! 
    • is that your attachment? 
    • is that your website? 
    • you feel the same. 
    • meaning of that? 
    • possible? 
    • you have tried to steal! 
    • did you ask me for that? 
    • you are bad
    • your job? (I found that!)
    • is that possible? 
    • something is going ... 
    • something is not ok
    • did you know from this document? 
    • wrong calculation! (see the attachment!... 
    • never! 
    • poor quality! 
    • good work! 
    • excellent! 
    • great! 
    • i don't think so. 
    • pretty pic about you? 
    • docs? 
    • schoolfriend? 
    • Warning from the Government
    • 09580985869gj
    • ?
    • i want more... 
    • here is the next one! 
    • attachi#
    • did you see her already? 
    • is that your wife? 
    • is that your creditcard? 
    • is that your photo? 
    • do you think so? 
    • do you have the bug also? 
    • already? 
    • forgotten? 
    • drugs? ... 
    • does it matter? 
    • i have received this. 
    • best? 
    • the truth? 
    • your body? 
    • your eyes? 
    • your face? 
    • File is self-decryting. 
    • File is damaged. 
    • File is bad. 
    • i saw you last week! 
    • xxx service
    • your account is expired! 
    • you cannot hide yourself! (see photo)
    • copyright? 
    • what still? 
    • who? 
    • how? 
    • bad gateway
    • only encrypted! 
    • personal message! 
    • my advice.... 
    • i've found it about you
    • <<>>
    • Attached Msg
    • scanned by norton antivirus
    • great xxx! 
    • man or women? 
    • child or adult? 
    • here is yours! 
    • a crazy doc about you
    • xxx about you? 
    • i don't want your xxx pics! 
    • is that your car? 
    • is this information about you? 
    • is that your privacy? 
    • is that your TAN? 
    • is that your message? 
    • is that your cd? 
    • is that your finger? 
    • your are naked? 
    • is that your porn pic? 
    • is that your work? 
    • is that your family? 
    • is that your beast? 
    • is that your account? 
    • is that your slip? 
    • is that your domain? 
    • are you the naked one? 
    • are you the naked person! 
    • are you the one? 
    • does it belong to you? 
    • do you have sex in the picture? 
    • that is interesting... 
    • i wait for your comment about it. 
    • such as yours? 
    • read the details. 
    • gonna? 
    • here is the document. 
    • *lol*
    • read it immediately! 
    • i found that about you! 
    • your hero in the picture? 
    • yours? 
    • here is it. 
    • illegal st. of you? 
    • is that true? 
    • account? 
    • is that your name? 
    • picture? 
    • message? 
    • is that your account? 
    • you have a sexy body in the pic! 
    • your lie is going around the world! 
    • lets talk about it! 
    • do you know the thief? 
    • are you a photographer? 
    • you have done a mistake in the document... 
    • its private from me
    • do not show this anyone! 
    • new patch is available! 
    • this is an attachment message! 
    • in your mind? 
    • Microsoft
    • fast food... 
    • Your bill. 
    • try this patch! 
    • do you have an orgasm in the picture? 
    • Transaction failed. Show the doc! 
    • I 've found your bill!
    • see your name! 
    • You are infected. Read the details! 
    • here is my advice
    • here is my photo! 
    • here is the 
    • feel free to use it
    • does it belong to you? 
    • Login required! Read the attachment! 
    • your document is silly! 
    • is the pic a fake? 
    • Antispam is turned off. See file! 
    • Authentification required. Read the att... 
    • solve the problem! 
    • do not use my document! 
    • do not open the attachment! 
    • do not visit the pages on the list I se... 
    • explain! 
    • tell me more about your document! 
    • Your provider will be disabled! 
    • Instant patches

    The message body may also be empty.

  • Attachment name:

    • part2
    • msg2
    • disco
    • freaky
    • visa
    • party
    • material
    • misc
    • nothing
    • transfer
    • auction
    • warez
    • undefinied
    • violence
    • update
    • masturbation
    • injection
    • naked1
    • naked2
    • tear
    • music
    • paypal
    • document
    • associal
    • msg
    • yours
    • doc
    • wife
    • talk
    • message
    • response
    • creditcard
    • description
    • details
    • attachment
    • pic
    • me
    • trash
    • card
    • stuff
    • poster
    • posting
    • portmoney
    • textfile
    • moonlight
    • concert
    • sexy
    • information
    • news
    • note
    • number_phone
    • bill
    • mydate
    • swimmingpool
    • class_photos
    • product
    • old_photos
    • topseller
    • ps
    • important
    • shower
    • myaunt
    • aboutyou
    • yours
    • nomoney
    • birth
    • found
    • death
    • story
    • worker
    • mails
    • letter
    • more
    • website
    • regards
    • regid
    • friend
    • unfolds
    • jokes
    • doc_ang
    • your_stuff
    • location
    • final
    • schock
    • release
    • webcam
    • dinner
    • intimate stuff
    • sexual
    • ranking
    • object
    • secrets
    • mail2
    • attach2
    • id
    • privacy
    • word_doc
    • image
    • incest

    Attachments may have the following extensions:

    • TXT
    • RTF
    • DOC
    • HTM

    in certain circumstances a second extension (one of the following) also appears:

    • EXE
    • SCR
    • COM
    • PIF

    The worm may also send copies of itself as a ZIP archive.
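As an added example (not from the original report), the following Python flags messages whose subject and attachment name follow the pattern described above: a harmless-looking first extension followed by an executable one, or a listed base name carrying an executable or ZIP extension. The subject and attachment-name sets are short subsets of the lists above, and the sample message is constructed.

```python
import email
from email import policy

# Short subsets of the subject and attachment-name lists above, enough to exercise the rules.
NETSKY_C_SUBJECTS = {"delivery failed", "read it immediatelly", "re: does it?", "last chance!"}
NETSKY_C_ATTACH_NAMES = {"document", "creditcard", "paypal", "visa", "msg2", "your_stuff"}
INNER_EXT = {"txt", "rtf", "doc", "htm"}   # harmless-looking first extension
OUTER_EXT = {"exe", "scr", "com", "pif"}   # executable second extension

def attachment_reasons(filename):
    """Reasons an attachment file name matches the Netsky.c pattern (empty list = no match)."""
    name, *exts = filename.lower().split(".")
    reasons = []
    if len(exts) >= 2 and exts[-2] in INNER_EXT and exts[-1] in OUTER_EXT:
        reasons.append(f"document-looking double extension .{exts[-2]}.{exts[-1]}")
    if name in NETSKY_C_ATTACH_NAMES and exts and exts[-1] in OUTER_EXT | {"zip"}:
        reasons.append(f"base name '{name}' from the Netsky.c attachment list")
    return reasons

def scan_message(raw):
    """Return a subject-hit flag and per-attachment reasons for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    findings = {"subject": subject in NETSKY_C_SUBJECTS, "attachments": {}}
    for part in msg.iter_attachments():
        reasons = attachment_reasons(part.get_filename() or "")
        if reasons:
            findings["attachments"][part.get_filename()] = reasons
    return findings

# Constructed sample message in the worm's style (not a real capture).
SAMPLE = """\
From: sender@example.invalid
Subject: read it immediatelly
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

I have your password!
--b1
Content-Type: application/octet-stream; name="document.doc.exe"
Content-Disposition: attachment; filename="document.doc.exe"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
```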

Additional information

The worm removes the following keys from the system registry:

  • Taskmon
  • Explorer
  • Windows Services Host
  • KasperskyAV
  • System.
  • msgsvr32
  • DELETE ME
  • service
  • Sentry
  • Windows Services Host
  • HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
  • HKLM\System\CurrentControlSet\Services\WksPatch

and the following key values:

  • d3dupdate.exe
  • au.exe
  • OLE

Starting on 27 February, between 6:00 and 9:00 the worm attempts to generate sounds.



 2004-03-02  
