|
Netsky.P worm, highly dangerous
|
 | This variant of Netsky makes use of a vulnerability registered in previous versions of Internet Explorer 6, which does not have to be installed in the PC since it must be constantly updated to try to finish with this threat. |
Name: Worm.W32/Netsky.P
Type: Internet Word.
Plataform: [W32] - Windows portable executable of 32 bits: 95, 98, Me, NT, 2000, XP y 2003.
Main diffusion mechanism: [P2P+MM] – It spreads throughout the P2P networks and e-mail.
Shape (bytes): 29568
When running for the first time, it generates a mutex or indicator object to avoid running more than once:
_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
It creates a copy of itself and other components in the folder where Windows is installed:
FVProtect.exe (The worm)
userconfig9x.dll
base64.tmp
zip1.tmp
zip2.tmp
zip3.tmp
zipped.tmp
The files with extensions .tmp are code versions of the compressed malware in zip.
It modifies the following code of the registry to restart its operations together with Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It modifies said entry with the value:
“Norton Antivirus AV”=“%Windir%\FVProtect.exe”
There follows the values of the different register entries removed:
In the entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Removed entries:
Explorer
system
msgsvr32
winupd.exe
direct.exe
jijbl
serviceSentry
In the entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Removed entries:
system
Video
In the entry:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Removed entries:
Explorer
au.exe
direct.exe
d3dupdate.exe
OLE
gouday.exe
rate.exe
Taskmon
Windows Services Host
sysmon.exe
srate.exe
ssate.exe
winupd.exe
Other entries are completely removed:
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch |
HKEY_CLASSES_ROOT\CLSID\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
Netsky.P can generate copies of itself in various files as one of the following files:
Kazaa Lite 4.0 new.exe
Britney Spears Sexy archive.doc.exe
Kazaa new.exe
Britney Spears porn.jpg.exe
Harry Potter all e.book.doc.exe
Britney sex xxx.jpg.exe
Harry Potter 1-6 book.txt.exe
Britney Spears blowjob.jpg.exe
Harry Potter e book.doc.exe
Britney Spears cumshot.jpg.exe
Harry Potter.doc.exe
Britney Spears fuck.jpg.exe
Harry Potter game.exe
Britney Spears.jpg.exe
Harry Potter 5.mpg.exe
Britney Spears and Eminem porn.jpg.exe
Matrix.mpg.exe
Britney Spears Song text archive.doc.ex...
Britney Spears full album.mp3.exe
Eminem.mp3.exe
Britney Spears.mp3.exe
Eminem Song text archive.doc.exe
Eminem Sexy archive.doc.exe
Eminem full album.mp3.exe
Eminem Spears porn.jpg.exe
Ringtones.mp3.exe
Eminem sex xxx.jpg.exe
Ringtones.doc.exe
Eminem blowjob.jpg.exe
Altkins Diet.doc.exe
Eminem Poster.jpg.exe
American Idol.doc.exe
Cloning.doc.exe
Saddam Hussein.jpg.exe
Arnold Schwarzenegger.jpg.exe
Windows 2003 crack.exe
Windows XP crack.exe
Adobe Photoshop 10 crack.exe
Microsoft WinXP Crack full.exe
Teen Porn 15.jpg.pif
Adobe Premiere 10.exe
Adobe Photoshop 10 full.exe
Best Matrix Screensaver new.scr
Porno Screensaver britney.scr
Dark Angels new.pif
XXX hardcore pics.jpg.exe
Microsoft Office 2003 Crack best.exe
Serials edition.txt.exe
Screensaver2.scr
Full album all.mp3.pif
Ahead Nero 8.exe
netsky source code.scr
E-Book Archive2.rtf.exe
Doom 3 release 2.exe
How to hack new.doc.exe
Learn Programming 2004.doc.exe
WinXP eBook newest.doc.exe
Win Longhorn re.exe
Dictionary English 2004 - France.doc.ex...
RFC compilation.doc.exe
1001 Sex and more.rtf.exe
3D Studio Max 6 3dsmax.exe
Keygen 4 all new.exe
Windows 2000 Sourcecode.doc.exe
Norton Antivirus 2005 beta.exe
Gimp 1.8 Full with Key.exe
Partitionsmagic 10 beta.exe
Star Office 9.exe
Magix Video Deluxe 5 beta.exe
Clone DVD 6.exe
MS Service Pack 6.exe
ACDSee 10.exe
Visual Studio Net Crack all.exe
Cracks & Warez Archiv.exe
WinAmp 13 full.exe
DivX 8.0 final.exe
Opera 11.exe
Internet Explorer 9 setup.exe
Smashing the stack full.rtf.exe
Ulead Keygen 2004.exe
Lightwave 9 Update.exe
The Sims 4 beta.exe
It scans all units of the Disc from the Hard Drive: to the Z: In search for e-mail addresses to be resent with it SMTP engine. The files searched have the following extensions:
.adb
.asp
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.msg
.oft
.php
.pl
.rtf
.sht
.shtm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xml
Read more...
|
News 
