2 March 2004

I-Worm.Netsky.c - generates sounds

This is an Internet worm that spreads as an attachment to infected e-mail messages. It is a PE EXE file approximately 23 KB in size (compressed with Petite; approximately 29 KB when unpacked).

Installation

The worm copies itself to the Windows folder under the name winlogon.exe and creates an auto-run key in the system registry (%Folder Windows% below stands for the Windows folder):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ICQ Net" = "%Folder Windows%\winlogon.exe -stealth"

To mark an infected computer, the worm creates a unique identifier (mutex) in memory: [SkyNet.cz]SystemsMutex.
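The two host indicators above (the "ICQ Net" Run value launching winlogon.exe with -stealth from the Windows folder, and the legitimate winlogon.exe living in System32 rather than being started from a Run value) can be checked against a registry export. The following is an added example, not code from the original description or from the vendor; it assumes a .reg-style text export of the Run key and uses a constructed sample export rather than data captured from a real host.

```python
"""Check a Run-key export for the I-Worm.Netsky.c autorun indicator.

Added example with constructed sample data. Assumes a .reg-style text
export of HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.
"""
import re

# Indicators taken from the description.
NETSKY_C_VALUE_NAME = "ICQ Net"
NETSKY_C_BINARY = "winlogon.exe"
NETSKY_C_SWITCH = "-stealth"

# Constructed sample export (hypothetical host, not a real capture).
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"ICQ Net"="C:\\WINDOWS\\winlogon.exe -stealth"
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# Split "<path>.exe <args>" into the executable and its arguments.
CMD_RE = re.compile(r'^(?P<exe>.*?\.exe)(?P<args>.*)$', re.IGNORECASE)


def parse_run_values(reg_text):
    """Return {value_name: command_line} for a .reg-style export."""
    values = {}
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            # .reg exports escape backslashes as \\ ; undo that.
            values[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return values


def find_netsky_c_autorun(values):
    """Return [(value_name, command_line, [reasons])] for matching values."""
    hits = []
    for name, data in values.items():
        reasons = []
        if name == NETSKY_C_VALUE_NAME:
            reasons.append("value name 'ICQ Net'")
        m = CMD_RE.match(data)
        exe = m.group("exe") if m else data
        args = m.group("args").split() if m else []
        exe_name = exe.rsplit("\\", 1)[-1].lower()
        if exe_name == NETSKY_C_BINARY:
            # The genuine winlogon.exe is started by the system from
            # System32; it is never registered under a Run value.
            reasons.append("winlogon.exe launched from a Run value")
            if "\\system32\\" not in exe.lower():
                reasons.append("winlogon.exe outside System32")
        if NETSKY_C_SWITCH in args:
            reasons.append("'-stealth' switch")
        if reasons:
            hits.append((name, data, reasons))
    return hits


if __name__ == "__main__":
    for name, cmd, why in find_netsky_c_autorun(parse_run_values(SAMPLE_REG_EXPORT)):
        print(f"{name!r}: {cmd} -> {', '.join(why)}")
```

Each reason is reported separately so that a single weak match (for instance only the value name) can be weighted differently from the full combination of name, binary, location and switch.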

The worm also creates copies of itself on drives C: through Z: in folders whose names contain the word share. The names of the copies are chosen from the following list:

  • Adobe Premiere 9.exe
  • Adobe Photoshop 9 full.exe
  • Ahead Nero 7.exe
  • Microsoft WinXP Crack.exe
  • Teen Porn 16.jpg.pif
  • Best Matrix Screensaver.scr
  • Porno Screensaver.scr
  • Dark Angels.pif
  • 3D Studio Max 3dsmax.exe
  • Keygen 4 all appz.exe
  • Windows Sourcecode.doc.exe
  • Norton Antivirus 2004.exe
  • Gimp 1.5 Full with Key.exe
  • Partitionsmagic 9.0.exe
  • Star Office 8.exe
  • XXX hardcore pic.jpg.exe
  • Microsoft Office 2003 Crack.exe
  • Serials.txt.exe
  • Screensaver.scr
  • Full album.mp3.pif
  • Virii Sourcecode.scr
  • E-Book Archive.rtf.exe
  • Doom 3 Beta.exe
  • How to hack.doc.exe
  • Learn Programming.doc.exe
  • WinXP eBook.doc.exe
  • Win Longhorn Beta.exe
  • Dictionary English - France.doc.exe
  • RFC Basics Full Edition.doc.exe
  • 1000 Sex and more.rtf.exe
  • Magix Video Deluxe 4.exe
  • Clone DVD 5.exe
  • MS Service Pack 5.exe
  • ACDSee 9.exe
  • Visual Studio Net Crack.exe
  • Cracks & Warez Archive.exe
  • WinAmp 12 full.exe
  • DivX 7.0 final.exe
  • Opera.exe
  • IE58.1 full setup.exe
  • Smashing the stack.rtf.exe
  • Ulead Keygen.exe
  • Lightwave SE Update.exe
  • The Sims 3 crack.exe

The worm also creates copies of itself in ZIP format.

Spreading

Victim addresses are harvested from files with the following extensions:

  • EML
  • TXT
  • PHP
  • PL
  • HTM
  • HTML
  • VBS
  • RTF
  • UIN
  • ASP
  • WAB
  • DOC
  • ADB
  • TBB
  • DBX
  • SHT
  • OFT
  • MSG
  • SHTM
  • CGI
  • DHTM

The worm sends infected e-mail messages using its own SMTP engine and also attempts to distribute itself through the following SMTP servers:

  • 62.155.255.16
  • 145.253.2.171
  • 151.189.13.35
  • 193.141.40.42
  • 193.189.244.205
  • 193.193.144.12
  • 193.193.158.10
  • 194.25.2.129
  • 194.25.2.130
  • 194.25.2.131
  • 194.25.2.132
  • 194.25.2.133
  • 194.25.2.134
  • 195.185.185.195
  • 195.20.224.234
  • 212.7.128.162
  • 212.7.128.165
  • 212.44.160.8
  • 212.185.253.70
  • 212.185.252.73
  • 212.185.252.136
  • 213.191.74.19
  • 217.5.97.137

Infected e-mail messages

Infected messages have the following fields:

  • Subject:

    • Delivery Failed
    • Status
    • report
    • question
    • trust me
    • hey
    • Re: excuse me
    • read it immediatelly
    • hi
    • Re: does it?
    • Yep
    • important
    • hello
    • dear
    • Re: unknown
    • fake?
    • warning
    • moin
    • what's up?
    • info
    • Re: information
    • Here is it
    • stolen
    • private?
    • good morning
    • illegal...
    • error
    • take it
    • re:
    • Re: Re: Re: Re:
    • you?
    • something for you
    • exception
    • Re: hey
    • excuse me
    • Re: hi
    • Re: does it?
    • Re: important
    • Re: hello
    • believe me
    • Question
    • denied!
    • notification
    • Re: <5664ddff?$???2>
    • lol
    • last chance!
    • I'm back!
    • its me
    • notice!

    The subject may also be empty.

  • Body:

    • what means that?
    • help attached
    • <...>
    • ok...
    • pwd?
    • I wait for an answer!
    • abuse?
    • is that yours?
    • you are a bad writer
    • I don't know your document!
    • I have your password!
    • you won the rk!
    • something about you!
    • classroom test of you?
    • kill the writer of this document!
    • old photos about you?
    • i hope thats not true!
    • your name is wrong!
    • does it match?
    • i found this document about you.
    • time to fear?
    • really?
    • do you know this????
    • i know your document!
    • did you sent it to me?
    • this file is bad!
    • why should I?
    • pages?
    • her.
    • another pic, have fun! ... :->
    • test it
    • child porn?
    • greetings
    • doc?
    • trial?
    • what?
    • ;-)
    • i need you!
    • correct it!
    • see this!
    • it's a secret!
    • this is nothing for kids!
    • it's so similar as yours!
    • is that your car?
    • do not give up!
    • great job!
    • here is the $%%454$
    • you are sexy in this doc!
    • incest?
    • let it!
    • you look like an ape!
    • you look like an rat?
    • be mad?
    • are you cranky?
    • bob the builder
    • did you know that?
    • money?
    • xxx ?
    • stuff about you?
    • your document is not good
    • something is going wrong!
    • your photo is poor
    • information about you?
    • the information is wrong!
    • doc about me?
    • kill him on the picture!
    • from the chatter (my photo!)
    • from your lover ;-)
    • love letter?
    • here, the serials
    • are you a teacherin the picture?
    • here, the introduction
    • is that criminal?
    • here, the cheats
    • i like your doc!
    • what do you think about it?
    • that's a funny text.
    • that's not the truth?
    • do you have?
    • instruct me about this!
    • i lost that
    • i am speachless about your document!
    • is that the reality?
    • reply
    • msg
    • your design is not good!
    • important?
    • your TAN number?
    • take it easy!
    • why?
    • you are naked in this document!
    • thats wrong!
    • your icq number?
    • i am desperate
    • modifications?
    • your personal record?
    • yes.
    • misc. and so on. see you!
    • your attachment? verify it.
    • you earn money, see the attachment!
    • is that your attachment?
    • is that your website?
    • you feel the same.
    • meaning of that?
    • possible?
    • you have tried to steal!
    • did you ask me for that?
    • you are bad
    • your job? (I found that!)
    • is that possible?
    • something is going ...
    • something is not ok
    • did you know from this document?
    • wrong calculation! (see the attachment!...
    • never!
    • poor quality!
    • good work!
    • excellent!
    • great!
    • i don't think so.
    • pretty pic about you?
    • docs?
    • schoolfriend?
    • Warning from the Government
    • 09580985869gj
    • ?
    • i want more...
    • here is the next one!
    • attachi#
    • did you see her already?
    • is that your wife?
    • is that your creditcard?
    • is that your photo?
    • do you think so?
    • do you have the bug also?
    • already?
    • forgotten?
    • drugs? ...
    • does it matter?
    • i have received this.
    • best?
    • the truth?
    • your body?
    • your eyes?
    • your face?
    • File is self-decryting.
    • File is damaged.
    • File is bad.
    • i saw you last week!
    • xxx service
    • your account is expired!
    • you cannot hide yourself! (see photo)
    • copyright?
    • what still?
    • who?
    • how?
    • bad gateway
    • only encrypted!
    • personal message!
    • my advice....
    • i've found it about you
    • <<>>
    • Attached Msg
    • scanned by norton antivirus
    • great xxx!
    • man or women?
    • child or adult?
    • here is yours!
    • a crazy doc about you
    • xxx about you?
    • i don't want your xxx pics!
    • is that your car?
    • is this information about you?
    • is that your privacy?
    • is that your TAN?
    • is that your message?
    • is that your cd?
    • is that your finger?
    • your are naked?
    • is that your porn pic?
    • is that your work?
    • is that your family?
    • is that your beast?
    • is that your account?
    • is that your slip?
    • is that your domain?
    • are you the naked one?
    • are you the naked person!
    • are you the one?
    • does it belong to you?
    • do you have sex in the picture?
    • that is interesting...
    • i wait for your comment about it.
    • such as yours?
    • read the details.
    • gonna?
    • here is the document.
    • *lol*
    • read it immediately!
    • i found that about you!
    • your hero in the picture?
    • yours?
    • here is it.
    • illegal st. of you?
    • is that true?
    • account?
    • is that your name?
    • picture?
    • message?
    • is that your account?
    • you have a sexy body in the pic!
    • your lie is going around the world!
    • lets talk about it!
    • do you know the thief?
    • are you a photographer?
    • you have done a mistake in the document...
    • its private from me
    • do not show this anyone!
    • new patch is available!
    • this is an attachment message!
    • in your mind?
    • Microsoft
    • fast food...
    • Your bill.
    • try this patch!
    • do you have an orgasm in the picture?
    • Transaction failed. Show the doc!
    • I 've found your bill!
    • see your name!
    • You are infected. Read the details!
    • here is my advice
    • here is my photo!
    • here is the
    • feel free to use it
    • does it belong to you?
    • Login required! Read the attachment!
    • your document is silly!
    • is the pic a fake?
    • Antispam is turned off. See file!
    • Authentification required. Read the att...
    • solve the problem!
    • do not use my document!
    • do not open the attachment!
    • do not visit the pages on the list I se...
    • explain!
    • tell me more about your document!
    • Your provider will be disabled!
    • Instant patches

    The message body may also be empty.

  • Attachment name:

    • part2
    • msg2
    • disco
    • freaky
    • visa
    • party
    • material
    • misc
    • nothing
    • transfer
    • auction
    • warez
    • undefinied
    • violence
    • update
    • masturbation
    • injection
    • naked1
    • naked2
    • tear
    • music
    • paypal
    • document
    • associal
    • msg
    • yours
    • doc
    • wife
    • talk
    • message
    • response
    • creditcard
    • description
    • details
    • attachment
    • pic
    • me
    • trash
    • card
    • stuff
    • poster
    • posting
    • portmoney
    • textfile
    • moonlight
    • concert
    • sexy
    • information
    • news
    • note
    • number_phone
    • bill
    • mydate
    • swimmingpool
    • class_photos
    • product
    • old_photos
    • topseller
    • ps
    • important
    • shower
    • myaunt
    • aboutyou
    • yours
    • nomoney
    • birth
    • found
    • death
    • story
    • worker
    • mails
    • letter
    • more
    • website
    • regards
    • regid
    • friend
    • unfolds
    • jokes
    • doc_ang
    • your_stuff
    • location
    • final
    • schock
    • release
    • webcam
    • dinner
    • intimate stuff
    • sexual
    • ranking
    • object
    • secrets
    • mail2
    • attach2
    • id
    • privacy
    • word_doc
    • image
    • incest

    Attachments may have the following extensions:

    • TXT
    • RTF
    • DOC
    • HTM

    in certain circumstances a second extension (one of the following) is also appended:

    • EXE
    • SCR
    • COM
    • PIF

    The worm may also send copies of itself as a ZIP archive.
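The attachment naming scheme described above (a name from the list, a document extension TXT/RTF/DOC/HTM, and in some cases a second executable extension EXE/SCR/COM/PIF, or alternatively a ZIP archive) is the most useful mail-gateway indicator in this description. The following is an added example, not code from the original description or from the vendor: it parses a constructed MIME message with Python's standard email module and flags attachments whose names fit that pattern. The sample message, sender and recipient addresses are constructed; the subject and body text are taken from the lists above.

```python
"""Flag e-mail attachments matching the I-Worm.Netsky.c naming pattern.

Added example; the sample message below is constructed, not a real capture.
"""
from email import message_from_string

# Extensions from the description.
FIRST_EXT = {"txt", "rtf", "doc", "htm"}
EXEC_EXT = {"exe", "scr", "com", "pif"}


def classify_attachment_name(filename):
    """Return a reason string if the name fits the described pattern, else None.

    Strong match: <name>.<txt|rtf|doc|htm>.<exe|scr|com|pif> (double extension).
    Weak match:   <name>.zip (the worm also mails itself as a ZIP archive).
    A plain document extension on its own is not flagged.
    """
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in FIRST_EXT and parts[2] in EXEC_EXT:
        return f"double extension .{parts[1]}.{parts[2]}"
    if len(parts) >= 2 and parts[-1] == "zip":
        return "zip archive"
    return None


# Constructed sample message (addresses are placeholders).
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: victim@example.invalid
Subject: Re: does it?
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

i found this document about you.
--b1
Content-Type: application/octet-stream; name="document.txt.exe"
Content-Disposition: attachment; filename="document.txt.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""


def scan_message(raw):
    """Return [(filename, reason)] for every suspicious attachment in a message."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # container part, no attachment of its own
        name = part.get_filename()
        if not name:
            continue  # inline body text
        reason = classify_attachment_name(name)
        if reason:
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in scan_message(SAMPLE_MESSAGE):
        print(f"{name}: {reason}")
```

The double-extension rule is intentionally independent of the attachment-name list, since the list is long and easily changed between variants, whereas the document-plus-executable extension pair is the property that makes the attachment dangerous.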

Additional information

The worm removes the following keys from the system registry:

  • Taskmon
  • Explorer
  • Windows Services Host
  • KasperskyAV
  • System.
  • msgsvr32
  • DELETE ME
  • service
  • Sentry
  • Windows Services Host
  • HKCR\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
  • HKLM\System\CurrentControlSet\Services\WksPatch

and the following key values:

  • d3dupdate.exe
  • au.exe
  • OLE

Starting on 27 February, between 6:00 and 9:00 the worm attempts to generate sounds.