Dear all, as I promised, here is the detailed information about this virus. I promised I would send it in English, but remembering how much I hate it when someone writes in English, I did not mind sitting down and translating the detailed notice into Serbian. The text follows below.

Win32/Netsky.Q is an Internet worm that spreads through e-mail messages, over P2P networks, over network shares and other network drives.

Important: in the following text the placeholder windir is used instead of the folder in which the Windows operating system is installed. That folder naturally differs from system to system and from installation to installation.

The worm is an executable of approximately 29 kilobytes. It copies itself into windir under the name FVProtect.exe. It also creates the file userconfig9x.dll, a dynamic-link library of 26 kilobytes that is executed as soon as it is created.

So that it runs every time Windows starts, the worm creates a registry entry posing as Norton Antivirus. This happens in the following registry key:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The new entry contains the path to FVProtect.exe.

The following registry entries are removed by the worm:

  HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\PINF
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\au.exe
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\direct.exe
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gouday.exe
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OLE
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rate.exe
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\srate.exe
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssate.exe
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon.exe
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Services Host
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupd.exe
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\System.
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Video
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DELETE ME
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\direct.exe
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jijbl
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msgsvr32
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sentry
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\service
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Taskmon
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\video

In this way some older worms may be removed if they were present on the system.

The following files are created in the windir directory: base64.tmp, zip1.tmp, zip2.tmp, zip3.tmp, zipped.tmp. They are also used in some of the e-mail messages.

The worm searches all local drives for directories whose names contain one of the following strings:

  bear
  donkey
  download
  ftp
  htdocs
  http
  icq
  kazaa
  lime
  morpheus
  mule
  my shared folder
  shar
  shared files
  upload

It then copies itself there under the following names:

  1001 Sex and more.rtf.exe
  3D Studio Max 6 3dsmax.exe
  ACDSee 10.exe
  Adobe Photoshop 10 crack.exe
  Adobe Photoshop 10 full.exe
  Adobe Premiere 10.exe
  Ahead Nero 8.exe
  Altkins Diet.doc.exe
  American Idol.doc.exe
  Arnold Schwarzenegger.jpg.exe
  Best Matrix Screensaver new.scr
  Britney sex xxx.jpg.exe
  Britney Spears and Eminem porn.jpg.exe
  Britney Spears blowjob.jpg.exe
  Britney Spears cumshot.jpg.exe
  Britney Spears fuck.jpg.exe
  Britney Spears full album.mp3.exe
  Britney Spears porn.jpg.exe
  Britney Spears Sexy archive.doc.exe
  Britney Spears Song text archive.doc.exe
  Britney Spears.jpg.exe
  Britney Spears.mp3.exe
  Clone DVD 6.exe
  Cloning.doc.exe
  Cracks & Warez Archiv.exe
  Dark Angels new.pif
  Dictionary English 2004 - France.doc.exe
  DivX 8.0 final.exe
  Doom 3 release 2.exe
  E-Book Archive2.rtf.exe
  Eminem blowjob.jpg.exe
  Eminem full album.mp3.exe
  Eminem Poster.jpg.exe
  Eminem sex xxx.jpg.exe
  Eminem Sexy archive.doc.exe
  Eminem Song text archive.doc.exe
  Eminem Spears porn.jpg.exe
  Eminem.mp3.exe
  Full album all.mp3.pif
  Gimp 1.8 Full with Key.exe
  Harry Potter 1-6 book.txt.exe
  Harry Potter 5.mpg.exe
  Harry Potter all e.book.doc.exe
  Harry Potter e book.doc.exe
  Harry Potter game.exe
  Harry Potter.doc.exe
  How to hack new.doc.exe
  Internet Explorer 9 setup.exe
  Kazaa Lite 4.0 new.exe
  Kazaa new.exe
  Keygen 4 all new.exe
  Learn Programming 2004.doc.exe
  Lightwave 9 Update.exe
  Magix Video Deluxe 5 beta.exe
  Matrix.mpg.exe
  Microsoft Office 2003 Crack best.exe
  Microsoft WinXP Crack full.exe
  MS Service Pack 6.exe
  netsky source code.scr
  Norton Antivirus 2005 beta.exe
  Opera 11.exe
  Partitionsmagic 10 beta.exe
  Porno Screensaver britney.scr
  RFC compilation.doc.exe
  Ringtones.doc.exe
  Ringtones.mp3.exe
  Saddam Hussein.jpg.exe
  Screensaver2.scr
  Serials edition.txt.exe
  Smashing the stack full.rtf.exe
  Star Office 9.exe
  Teen Porn 15.jpg.pif
  The Sims 4 beta.exe
  Ulead Keygen 2004.exe
  Visual Studio Net Crack all.exe
  Win Longhorn re.exe
  WinAmp 13 full.exe
  Windows 2000 Sourcecode.doc.exe
  Windows 2003 crack.exe
  Windows XP crack.exe
  WinXP eBook newest.doc.exe
  XXX hardcore pics.jpg.exe

This gives it the ability to spread over P2P networks or network shares.

To collect e-mail addresses, the worm searches the computer for files with the following extensions:

  .adb .asp .cgi .dbx .dhtm .doc .eml .htm .html .jsp .msg .oft .php .pl .rtf .sht .shtm .tbb .txt .uin .vbs .wab .wsh .xml

Win32/Netsky.Q takes the addresses from which its messages are supposedly sent out of these files. The addresses involved are roughly those that begin with or contain the following strings:

  @antivi @avp @bitdefender @f-pro @f-secur @fbi @freeav @kaspersky @mcafee @messagel @microsof @norman @norton @pandasof @skynet @sophos @spam @symantec @viruslis
  abuse@ noreply@ ntivir reports@ spam@

The messages used to spread the worm are assembled from long lists of strings. The sender addresses are mixed: they may be addresses from infected computers, or addresses the worm picks as the best known ones. Those are:

  abuse@xxxxxx
  noreply@xxxxxxxxxx
  support@xxxxxxxxxxxx

The subject of the message is chosen from the following list:

  -do0-i4grjj40j09gjijgp
  0i09u5rug08r89589gjrg
  Administrator
  approved
  Congratulations!
  corrected
  Do you?
  Does it matter?
  Error
  Fwd: Warning again
  Hello
  hello
  here
  Hi
  hi
  I cannot forget you!
  I love you!
  Illegal Website
  important
  Important
  m$6h?3p
  improved
  Information
  Internet Provider Abuse
  Is that your password?
  Mail Account
  Mail Authentication
  Mail Delivery (failure %s)
  Mail Delivery (failure)
  News
  Notice again
  patched
  Postcard
  Private document
  Protected Mail System
  Re:
  Re: A!p$ghsa
  Re: Administration
  Re: Approved document
  Re: Bad Request
  Re: Delivery Protection
  Re: Delivery Server
  Re: Developement
  Re: Encrypted Mail
  Re: Error
  Re: Error in document
  Re: Extended Mail
  Re: Extended Mail System
  Re: Failure
  Re: Free porn
  Re: Hello
  Re: Hi
  Re: Is that your document?
  Re: Its me
  Re: Mail Authentification
  Re: Mail Server
  Re: Message
  Re: Message Error
  Re: Notify
  Re: Old photos
  Re: Old times
  Re: Order
  Re: Proof of concept
  Re: Protected Mail Delivery
  Re: Protected Mail Request
  Re: Protected Mail System
  Re: Question
  Re: Re:
  Re: Request
  Re: Sample
  Re: Secure delivery
  Re: Secure SMTP Message
  Re: Sex pictures
  Re: SMTP Server
  Re: Status
  Re: Submit a Virus Sample
  Re: Test
  Re: Thank you for delivery
  Re: Virus Sample
  Re: Your document
  read it immediately
  Shocking document
  Spam
  Spamed?
  Stolen document
  Thank you!
  thanks!
  You cannot do that!
  Your day

The message body usually contains one of the following texts, although it may also be empty:

  9u049u89gh89fsdpokofkdpbm3-4i
  Are you a spammer? (I found your email on a spammer website!?!)
  Authentication required.
  Bad Gateway: The message has been attached.
  Best wishes, your friend.
  Binary message is available.
  Can you confirm it?
  Congratulations!, your best friend.
  Delivered message is attached.
  Do not visit this illegal websites!
  Encrypted message is available.
  ESMTP [Secure Mail System #334]: Secure message is attached.
  First part of the secure mail is available.
  Follow the instructions to read the message.
  For further details see the attachment.
  For more details see the attachment.
  Forwarded message is available.
  Greetings from france, your friend.
  Have a look at these.
  Here is it!
  Here is my icq list.
  Here is my phone number.
  Here is the website.
  ;-)
  I am shocked about your document!
  I cannot believe that.
  I found this document about you.
  I have attached it to this mail.
  I have attached the sample.
  I have attached your document.
  I have attached your file. Your password is jkl44563.
  I have corrected your document.
  I have received your document. The corr
  I have received your document. The corrected document is attached
  I have visited this website and I found you in the spammer list. Is that true?
  I hope the patch works.
  I hope you accept the result!
  I noticed that you have visited illegal websites. See the name in the list!
  Important message, do not show this anyone!
  Let'us be short: you have no experience in writing letters!!!
  lovely, :-)
  Message has been sent as a binary attachment.
  Monthly news report.
  My favourite page.
  New message is available.
  Now a new message is available.
  Partial message is available.
  Please answer quickly!
  Please authenticate the secure message.
  Please confirm my request.
  Please confirm the document.
  Please confirm!
  Please r564g!he4a56a3haafdogu#mfn3o <SMTP Error #201>
  Please read the attached file!
  Please read the attached file.
  Please read the attachment to get the message.
  Please read the document.
  Please read the important document.
  Please see the attached file for details.
  po44u90ugjid-k9z5894z0
  Protected Mail System Test.
  Protected message is attached.
  Protected message is available.
  Requested file.
  Secure Mail System Beta Test.
  See the file.
  See the ghg5%&6gfz65!4Hf55d!46gfgf <Server Error #203>
  SMTP: Please confirm the attached message.
  Thank you for your request, your details are attached!
  Thanks!
  The file is protected with the password ghj001.
  The sample file you sent contains a new virus version of buppa.k. Please update your virus scanner with the attached dat file. Best Regards, Keria Reynolds
  The sample is attached!
  Try this game ;-)
  Try this, or nothing!
  Waiting for a Response. Please read the attachment.
  Waiting for authentification.
  You got a new message.
  You have downloaded these illegal cracks?.
  You have received an extended message. Please read the instructions.
  You have visited illegal websites. I have a big list of the websites you surfed.
  You have written a very good text, excellent, good work!
  You were registered to the pay system. For more details see the attachment.
  Your archive is attached.
  your big love, ;-)
  Your bill is attached to this mail.
  Your details.
  Your document is attached to this mail.
  Your document is attached.
  Your document.
  Your file is attached.
  Your important document, correction is finished!
  Your mail account has been closed. For further details see the document.
  Your mail account is expired. See the details to reactivate it.
  Your photo, uahhh.... , you are naked!
  Your requested mail has been attached.

At the bottom of the message it says "atachment: No virus found", followed by one of the well-known antivirus products:

  +++ Bitdefender AntiVirus - www.bitdefender.com
  +++ Kaspersky AntiVirus - www.kaspersky.com
  +++ MC-Afee AntiVirus - www.mcafee.com
  +++ MessageLabs AntiVirus - www.messagelabs.com
  +++ Panda AntiVirus - www.pandasoftware.com
  ++++ F-Secure AntiVirus - www.f-secure.com
  ++++ Norman AntiVirus - www.norman.com
  ++++ Norton AntiVirus - www.symantec.de

The attachment name is usually one from the list below, although sometimes it can also be the name of a group or a list:

  about_you
  abuselist
  abuses
  abuse_list
  all_doc01
  all_in_all
  application
  approved
  approved
  archive
  attach
  bill
  confirm
  corrected
  d4334938
  data
  data02
  data20
  datfiles
  detail3
  details
  details03
  details05
  doc01
  document
  document01
  document04
  document05
  document07
  document09
  document342
  document43
  document_all
  document_all02c
  document_with_notice
  doc_word3
  email
  encrypted_msg01
  excel document
  file
  game
  game_xxo
  id04009
  id09509
  id43342
  important
  important
  improved
  info02
  information
  judge
  letter
  letter32
  letter43
  list
  list_ed
  mails9
  message
  msg
  my
  my_details
  my_list01
  my_numbers
  news01
  old_photos
  part6
  part_01
  patch3425
  pgp_sess01
  photo
  postcard
  priv
  private_01
  product
  pwd02
  readme
  report01
  sample01
  screensaver
  signature
  software
  story
  summary2004
  text
  text01
  website
  websitelist01
  websites01
  websites03
  word document
  word_doc
  www.freeporn4all
  www.myx4free
  your
  your_doc
  your_document

The attachment is usually either a zip archive or an executable. If it is an executable, it most often has the extension .exe, .scr or .pif. If it is a zip archive, it has the extension .zip and contains an executable file that usually has one of three names:

  document.txt .exe
  data.rtf .scr
  details.txt .pif

This worm is closely related to the Win32/Bagle worm and is believed to have been made by the same authors. NOD32 has detected it successfully since virus definition database version 1.65.

To subscribe to this list, send a message to slikom-request@xxxxxxxxxxxxx with "subscribe" in the message body.
To unsubscribe from this list, send a message to slikom-request@xxxxxxxxxxxxx with "unsubscribe" in the message body.
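The two spreading paths described in the post, copies dropped into shared folders under "decoy.ext + executable" names and mail with a spoofed sender, a fake "No virus found" footer and a zip holding a space-padded "document.txt .exe", can be turned into a small triage routine. The following is an added example and is not part of the original mailing-list post or of any vendor tool. The indicator strings come from the description above; the sample message, the example.com/example.org addresses and the zip payload are constructed here so the script runs offline, and the decoy-extension check is deliberately general (any second extension in front of .exe/.scr/.pif is flagged, not only those the post lists).

```python
"""Triage helper for the Win32/Netsky.Q traits described in the post.
Added example (not the post's or a vendor's code); indicator lists copied
from the description, sample message constructed below for offline use."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Payload extensions the worm uses (from the description).
EXEC_EXT = {".exe", ".scr", ".pif"}

# Sender fragments taken from the description's address lists.
SENDER_HINTS = ("abuse@", "noreply@", "support@", "@symantec", "@kaspersky",
                "@mcafee", "@norton", "@f-secur", "@bitdefender", "@pandasof",
                "@messagel", "@norman", "@sophos", "@avp", "@antivi")

# Directory-name fragments the worm looks for before dropping copies.
SHARE_DIR_WORDS = ("bear", "donkey", "download", "ftp", "htdocs", "http",
                   "icq", "kazaa", "lime", "morpheus", "mule",
                   "my shared folder", "shar", "shared files", "upload")

# Fake scanner footer: "No virus found" followed by a "+++ ... AntiVirus" banner.
FAKE_FOOTER = re.compile(r"no virus found.*?\+{3,}\s.*?antivirus", re.I | re.S)

# Optional decoy extension, optional space padding, real extension at the end,
# e.g. "document.txt          .exe" or "Harry Potter.doc.exe".
_EXT_RE = re.compile(r"(\.[a-z0-9]{2,4})?\s*(\.[a-z0-9]{3})$", re.I)


def classify_filename(name):
    """'disguised' for decoy.ext + payload ext, 'executable' for a bare
    .exe/.scr/.pif, 'ok' for anything else."""
    m = _EXT_RE.search(name.strip())
    if not m or m.group(2).lower() not in EXEC_EXT:
        return "ok"
    return "disguised" if m.group(1) else "executable"


def is_share_directory(path):
    """True if a path component contains one of the strings the worm searches
    for, i.e. a folder it would copy itself into."""
    parts = path.replace("\\", "/").lower().split("/")
    return any(word in part for part in parts for word in SHARE_DIR_WORDS)


def triage_message(raw):
    """Return human-readable findings for one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = (msg["From"] or "").lower()
    if any(h in sender for h in SENDER_HINTS):
        findings.append(f"sender {sender!r} matches the spoofed-address list")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and FAKE_FOOTER.search(body.get_content()):
        findings.append("fake 'No virus found' scanner footer in body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        kind = classify_filename(name)
        if kind != "ok":
            findings.append(f"{kind} attachment {name!r}")
        if name.lower().endswith(".zip"):
            try:
                data = io.BytesIO(part.get_payload(decode=True))
                with zipfile.ZipFile(data) as zf:
                    for inner in zf.namelist():
                        k = classify_filename(inner)
                        if k != "ok":
                            findings.append(f"{k} file {inner!r} inside {name!r}")
            except zipfile.BadZipFile:
                findings.append(f"attachment {name!r} is not a valid zip")
    return findings


def build_sample():
    """Constructed sample in the shape the description gives. The zip holds a
    placeholder rather than a binary and the addresses use documentation domains."""
    m = EmailMessage()
    m["From"] = "noreply@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = "Re: Protected Mail Delivery"
    m.set_content("Protected message is attached.\n\n"
                  "+++ Attachment: No virus found\n"
                  "+++ Norton AntiVirus - www.symantec.de\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.txt" + " " * 20 + ".exe", b"placeholder")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="message.zip")
    return m.as_bytes()


if __name__ == "__main__":
    for line in triage_message(build_sample()):
        print(line)
    print(is_share_directory(r"C:\Program Files\Kazaa\My Shared Folder"))
```

Run stand-alone, the script prints three findings for the constructed message (spoofed sender, fake footer, disguised executable inside the zip) and True for the Kazaa share path. The padding in the inner filename matters: a check that only looks at the characters right before the final dot would see "document.txt" and miss the .exe.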