[slikom] Win32 Netsky.Q worm. Final part

  • From: Aleksandar Đurić <gordal@xxxxxxxxxx>
  • To: slikom gradimir kragić <slikom@xxxxxxxxxxxxx>
  • Date: Mon, 28 Mar 2005 14:14:47 +0200

Dear all, as I promised, here is the detailed information on this virus. I
promised to send it in English, but remembering how much I hate it when
someone writes in English, I did not mind sitting down and translating the
detailed description into Serbian. The text follows below.

Win32 Netsky.Q is an Internet worm that spreads through e-mail messages, over P2P
networks, shared networks and other network drives.
Important: in the text below the symbolic name windir is used in place of the
folder in which the Windows operating system is installed. That folder naturally
differs from system to system and from installation to installation.
The worm is an executable of approximately 29 kilobytes. It copies itself into
windir under the name FVProtect.exe.
It further creates the file userconfig9x.dll, a dynamic link library of 26
kilobytes that is executed as soon as it is created.
Then, so that it is run every time Windows starts, the worm creates a registry
entry posing as Norton Antivirus. This all happens in the following registry key:
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The new entry contains the path to FVProtect.exe.
The following registry entries are removed by the worm:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\au.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\direct.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gouday.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLE
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rate.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srate.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssate.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Host
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\System.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Video
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DELETE ME
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\direct.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jijbl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msgsvr32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sentry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\video
In this way some older worms may be removed if they were present on the system.
The following files are created in the windir directory: base64.tmp, zip1.tmp,
zip2.tmp, zip3.tmp and zipped.tmp.
They are also used in some e-mail messages.
The worm searches all local drives for directories whose names contain any of
the following names and strings:
bear
donkey
download
ftp
htdocs
http
icq
kazaa
lime
morpheus
mule
my shared folder
shar
shared files
upload
The worm then copies itself there using the following names:
1001 Sex and more.rtf.exe
3D Studio Max 6 3dsmax.exe
ACDSee 10.exe
Adobe Photoshop 10 crack.exe
Adobe Photoshop 10 full.exe
Adobe Premiere 10.exe
Ahead Nero 8.exe
Altkins Diet.doc.exe
American Idol.doc.exe
Arnold Schwarzenegger.jpg.exe
Best Matrix Screensaver new.scr
Britney sex xxx.jpg.exe
Britney Spears and Eminem porn.jpg.exe
Britney Spears blowjob.jpg.exe
Britney Spears cumshot.jpg.exe
Britney Spears fuck.jpg.exe
Britney Spears full album.mp3.exe
Britney Spears porn.jpg.exe
Britney Spears Sexy archive.doc.exe
Britney Spears Song text archive.doc.exe
Britney Spears.jpg.exe
Britney Spears.mp3.exe
Clone DVD 6.exe
Cloning.doc.exe
Cracks & Warez Archiv.exe
Dark Angels new.pif
Dictionary English 2004 - France.doc.exe
DivX 8.0 final.exe
Doom 3 release 2.exe
E-Book Archive2.rtf.exe
Eminem blowjob.jpg.exe
Eminem full album.mp3.exe
Eminem Poster.jpg.exe
Eminem sex xxx.jpg.exe
Eminem Sexy archive.doc.exe
Eminem Song text archive.doc.exe
Eminem Spears porn.jpg.exe
Eminem.mp3.exe
Full album all.mp3.pif
Gimp 1.8 Full with Key.exe
Harry Potter 1-6 book.txt.exe
Harry Potter 5.mpg.exe
Harry Potter all e.book.doc.exe
Harry Potter e book.doc.exe
Harry Potter game.exe
Harry Potter.doc.exe
How to hack new.doc.exe
Internet Explorer 9 setup.exe
Kazaa Lite 4.0 new.exe
Kazaa new.exe
Keygen 4 all new.exe
Learn Programming 2004.doc.exe
Lightwave 9 Update.exe
Magix Video Deluxe 5 beta.exe
Matrix.mpg.exe
Microsoft Office 2003 Crack best.exe
Microsoft WinXP Crack full.exe
MS Service Pack 6.exe
netsky source code.scr
Norton Antivirus 2005 beta.exe
Opera 11.exe
Partitionsmagic 10 beta.exe
Porno Screensaver britney.scr
RFC compilation.doc.exe
Ringtones.doc.exe
Ringtones.mp3.exe
Saddam Hussein.jpg.exe
Screensaver2.scr
Serials edition.txt.exe
Smashing the stack full.rtf.exe
Star Office 9.exe
Teen Porn 15.jpg.pif
The Sims 4 beta.exe
Ulead Keygen 2004.exe
Visual Studio Net Crack all.exe
Win Longhorn re.exe
WinAmp 13 full.exe
Windows 2000 Sourcecode.doc.exe
Windows 2003 crack.exe
Windows XP crack.exe
WinXP eBook newest.doc.exe
XXX hardcore pics.jpg.exe
This gives it the ability to spread over a P2P network or a shared network.
The files listed above usually look for the following file extensions on the computer:
.adb
.asp
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.msg
.oft
.php
.pl
.rtf
.sht
.shtm
.tbb
.txt
.uin
.vbs
.wab
.wsh
.xml
Win32 Netsky.Q takes the e-mail addresses from which the message is supposedly
sent out of these files. These are addresses that roughly begin with or contain
the following strings:
@antivi
@avp
@bitdefender
@f-pro
@f-secur
@fbi
@freeav
@kaspersky
@mcafee
@messagel
@microsof
@norman
@norton
@pandasof
@skynet
@sophos
@spam
@symantec
@viruslis
abuse@
noreply@
ntivir
reports@
spam@
The messages used to spread the worm are assembled from long lists of strings.
The sender addresses are mixed: they may be addresses from infected computers,
or addresses the worm picks as the best known ones. These are:

abuse@xxxxxx
noreply@xxxxxxxxxx
support@xxxxxxxxxxxx
The subject of the message is chosen from the following list:
-do0-i4grjj40j09gjijgp
0i09u5rug08r89589gjrg
Administrator
approved
Congratulations!
corrected
Do you?
Does it matter?
Error
Fwd: Warning again
Hello
hello
here
Hi
hi
I cannot forget you!
I love you!
Illegal Website
important
Important m$6h?3p
improved
Information
Internet Provider Abuse
Is that your password?
Mail Account
Mail Authentication
Mail Delivery (failure %s)
Mail Delivery (failure)
News
Notice again
patched
Postcard
Private document
Protected Mail System
Re:
Re: A!p$ghsa
Re: Administration
Re: Approved document
Re: Bad Request
Re: Delivery Protection
Re: Delivery Server
Re: Developement
Re: Encrypted Mail
Re: Error
Re: Error in document
Re: Extended Mail
Re: Extended Mail System
Re: Failure
Re: Free porn
Re: Hello
Re: Hi
Re: Is that your document?
Re: Its me
Re: Mail Authentification
Re: Mail Server
Re: Message
Re: Message Error
Re: Notify
Re: Old photos
Re: Old times
Re: Order
Re: Proof of concept
Re: Protected Mail Delivery
Re: Protected Mail Request
Re: Protected Mail System
Re: Question
Re: Re:
Re: Request
Re: Sample
Re: Secure delivery
Re: Secure SMTP Message
Re: Sex pictures
Re: SMTP Server
Re: Status
Re: Submit a Virus Sample
Re: Test
Re: Thank you for delivery
Re: Virus Sample
Re: Your document
read it immediately
Shocking document
Spam
Spamed?
Stolen document
Thank you!
thanks!
You cannot do that!
Your day
The body of the message usually contains one of the following texts, although it may also be empty:
9u049u89gh89fsdpokofkdpbm3-4i
Are you a spammer? (I found your email on a spammer website!?!)
Authentication required.
Bad Gateway: The message has been attached.
Best wishes, your friend.
Binary message is available.
Can you confirm it?
Congratulations!, your best friend.
Delivered message is attached.
Do not visit this illegal websites!
Encrypted message is available.
ESMTP [Secure Mail System #334]: Secure message is attached.
First part of the secure mail is available.
Follow the instructions to read the message.
For further details see the attachment.
For more details see the attachment.
Forwarded message is available.
Greetings from france, your friend.
Have a look at these.
Here is it!
Here is my icq list.
Here is my phone number.
Here is the website. ;-)
I am shocked about your document!
I cannot believe that.
I found this document about you.
I have attached it to this mail.
I have attached the sample.
I have attached your document.
I have attached your file. Your password is jkl44563.
I have corrected your document.
I have received your document. The corr
I have received your document. The corrected document is attached
I have visited this website and I found you in the spammer list. Is that true?
I hope the patch works.
I hope you accept the result!
I noticed that you have visited illegal websites. See the name in the list!
Important message, do not show this anyone!
Let§us be short: you have no experience in writing letters!!!
lovely, :-)
Message has been sent as a binary attachment.
Monthly news report.
My favourite page.
New message is available.
Now a new message is available.
Partial message is available.
Please answer quickly!
Please authenticate the secure message.
Please confirm my request.
Please confirm the document.
Please confirm!
Please r564g!he4a56a3haafdogu#mfn3o
<SMTP Error #201>

Please read the attached file!
Please read the attached file.
Please read the attachment to get the message.
Please read the document.
Please read the important document.
Please see the attached file for details.
po44u90ugjid-k9z5894z0
Protected Mail System Test.
Protected message is attached.
Protected message is available.
Requested file.
Secure Mail System Beta Test.
See the file.
See the ghg5%&6gfz65!4Hf55d!46gfgf
<Server Error #203>

SMTP: Please confirm the attached message.
Thank you for your request, your details are attached!
Thanks!
The file is protected with the password ghj001.
The sample file you sent contains a new virus version of buppa.k.
Please update your virus scanner with the attached dat file.
Best Regards,
Keria Reynolds
The sample is attached!
Try this game ;-)
Try this, or nothing!
Waiting for a Response. Please read the attachment.
Waiting for authentification.
You got a new message.
You have downloaded these illegal cracks?.
You have received an extended message. Please read the instructions.
You have visited illegal websites. I have a big list of the websites you surfed.
You have written a very good text, excellent, good work!
You were registered to the pay system. For more details see the attachment.
Your archive is attached.
your big love, ;-)
Your bill is attached to this mail.
Your details.
Your document is attached to this mail.
Your document is attached.
Your document.
Your file is attached.
Your important document, correction is finished!
Your mail account has been closed. For further details see the document.
Your mail account is expired. See the details to reactivate it.
Your photo, uahhh.... , you are naked!
Your requested mail has been attached.
At the bottom of the message it says: attachment: No virus found. And then one of
the well-known antivirus systems:
+++ Bitdefender AntiVirus - www.bitdefender.com
+++ Kaspersky AntiVirus - www.kaspersky.com
+++ MC-Afee AntiVirus - www.mcafee.com
+++ MessageLabs AntiVirus - www.messagelabs.com
+++ Panda AntiVirus - www.pandasoftware.com
++++ F-Secure AntiVirus - www.f-secure.com
++++ Norman AntiVirus - www.norman.com
++++ Norton AntiVirus - www.symantec.de
The attachment name is usually one from the list below, though sometimes it can
also be the name of some group or list.
about_you
abuselist
abuses
abuse_list
all_doc01
all_in_all
application
approved
approved
archive
attach
bill
confirm
corrected
d4334938
data
data02
data20
datfiles
detail3
details
details03
details05
doc01
document
document01
document04
document05
document07
document09
document342
document43
document_all
document_all02c
document_with_notice
doc_word3
email
encrypted_msg01
excel document
file
game
game_xxo
id04009
id09509
id43342
important
important
improved
info02
information
judge
letter
letter32
letter43
list
list_ed
mails9
message
msg
my
my_details
my_list01
my_numbers
news01
old_photos
part6
part_01
patch3425
pgp_sess01
photo
postcard
priv
private_01
product
pwd02
readme
report01
sample01
screensaver
signature
software
story
summary2004
text
text01
website
websitelist01
websites01
websites03
word document
word_doc
www.freeporn4all
www.myx4free
your
your_doc
your_document
The attachment is usually a zip archive or an executable. If it is an executable,
it most often has the extension .exe, .scr or .pif.
If it is a zip archive, it has the extension .zip and contains an executable file
that usually has one of 3 names:

document.txt .exe
data.rtf .scr
details.txt .pif
This worm is closely related to the Win32 Bagle worm and it is believed that the
same authors wrote it. NOD32 has successfully detected it since virus definition
database version 1.65.


