[W32/Netsky-P]
[Leírás]

Egyéb neve:
Win32/Netsky.Q, WORM_NETSKY.P

Típus:
Win32 féreg

W32/Netsky-P egy e-maileken keresztül terjedõ vírus, mely saját magát küldi szét az interneten az összes olyan címre mely a számítógépen található, a címjegyzékben, vagy bármely file-ban.

A vírus a Windows könyvtárba másolja magát FVProtect.exe néven, a következõ registry bejegyzéssel éri el azt, hogy minden Windows induláskor elinduljon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton Antivirus AV
= <Windows>\FVProtect.exe

A vírus ezen kívül a filemegosztó programok megosztott könyvtáraiban másolja magát a következõ fileok valamelyikén:

1001 Sex and more.rtf.exe
3D Studio Max 6 3dsmax.exe
ACDSee 10.exe
Adobe Photoshop 10 crack.exe
Adobe Photoshop 10 full.exe
Adobe Premiere 10.exe
Ahead Nero 8.exe
Altkins Diet.doc.exe
American Idol.doc.exe
Arnold Schwarzenegger.jpg.exe
Best Matrix Screensaver new.scr
Britney sex xxx.jpg.exe
Britney Spears and Eminem porn.jpg.exe
Britney Spears blowjob.jpg.exe
Britney Spears cumshot.jpg.exe
Britney Spears fuck.jpg.exe
Britney Spears full album.mp3.exe
Britney Spears porn.jpg.exe
Britney Spears Sexy archive.doc.exe
Britney Spears Song text archive.doc.exe
Britney Spears.jpg.exe
Britney Spears.mp3.exe
Clone DVD 6.exe
Cloning.doc.exe
Cracks & Warez Archiv.exe
Dark Angels new.pif
Dictionary English 2004 - France.doc.exe
DivX 8.0 final.exe
Doom 3 release 2.exe
E-Book Archive2.rtf.exe
Eminem blowjob.jpg.exe
Eminem full album.mp3.exe
Eminem Poster.jpg.exe
Eminem sex xxx.jpg.exe
Eminem Sexy archive.doc.exe
Eminem Song text archive.doc.exe
Eminem Spears porn.jpg.exe
Eminem.mp3.exe
Full album all.mp3.pif
Gimp 1.8 Full with Key.exe
Harry Potter 1-6 book.txt.exe
Harry Potter 5.mpg.exe
Harry Potter all e.book.doc.exe
Harry Potter e book.doc.exe
Harry Potter game.exe
Harry Potter.doc.exe
How to hack new.doc.exe
Internet Explorer 9 setup.exe
Kazaa Lite 4.0 new.exe
Kazaa new.exe
Keygen 4 all new.exe
Learn Programming 2004.doc.exe
Lightwave 9 Update.exe
Magix Video Deluxe 5 beta.exe
Matrix.mpg.exe
Microsoft Office 2003 Crack best.exe
Microsoft WinXP Crack full.exe
MS Service Pack 6.exe
netsky source code.scr
Norton Antivirus 2005 beta.exe
Opera 11.exe
Partitionsmagic 10 beta.exe
Porno Screensaver britney.scr
RFC compilation.doc.exe
Ringtones.doc.exe
Ringtones.mp3.exe
Saddam Hussein.jpg.exe
Screensaver2.scr
Serials edition.txt.exe
Smashing the stack full.rtf.exe
Star Office 9.exe
Teen Porn 15.jpg.pif
The Sims 4 beta.exe
Ulead Keygen 2004.exe
Visual Studio Net Crack all.exe
Win Longhorn re.exe
WinAmp 13 full.exe
Windows 2000 Sourcecode.doc.exe
Windows 2003 crack.exe
Windows XP crack.exe
WinXP eBook newest.doc.exe
XXX hardcore pics.jpg.exe

W32/Netsky-P vírus a következõ file típusokban keresi az e-mail címeket:
PL, HTM, HTML, EML, TXT, PHP, ASP, VBS, RTF, UIN, SHTM, CGI, DHTM, ADB, TBB, DBX, SHT, OFT, MSG, JSP, WSH, XML.

A vírus rendelkezik egy indítási dátummal, mely dátumtól elkezdi magát szétszorni e-mailen keresztül.

Az e-mailek következõ képpen néznek ki (nem az összes verzió látható itt):
Tárgy a következõkbõl választódik ki:-
Re: Re:
Re: Encrypted Mail
Re: Extended Mail
Re: Status
Re: Notify
Re: SMTP Server
Re: Mail Server
Re: Delivery Server
Re: Bad Request
Re: Failure
Re: Thank you for delivery
Re: Test
Re: Administration
Re: Message Error
Re: Error
Re: Extended Mail System
Re: Secure SMTP Message
Re: Protected Mail Request
Re: Protected Mail System
Re: Protected Mail Delivery
Re: Secure delivery
Re: Delivery Protection
Re: Mail Authentification

Az üzenet szövege pedig a következõkbõl állhat:

Please confirm my request.
ESMTP [Secure Mail System #334]: Secure message is attached.
Partial message is available.
Waiting for a Response. Please read the attachment.
First part of the secure mail is available.
For more details see the attachment.
For further details see the attachment.
Your requested mail has been attached.
Protected Mail System Test.
Secure Mail System Beta Test.
Forwarded message is available.
Delivered message is attached.
Encrypted message is available.
Please read the attachment to get the message.
Follow the instructions to read the message.
Please authenticate the secure message.
Protected message is attached.
Waiting for authentification.
Protected message is available.
Bad Gateway: The message has been attached.
SMTP: Please confirm the attached message.
You got a new message.
Now a new message is available.
New message is available.
You have received an extended message. Please read the instructions.

A csatolt file leírása a következő lehet:

Your details.
Your document.
I have received your document. The corrected document is attached.
I have attached your document.
Your document is attached to this mail.
Authentication required.
Requested file.
See the file.
Please read the important document.
Please confirm the document.
Your file is attached.
Please read the document.
Your document is attached.
Please read the attached file!
Please see the attached file for details.

followed by -

<csatolt file>:

+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com
+++ Attachment: No Virus found
+++ Bitdefender AntiVirus - www.bitdefender.com
+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com
+++ Attachment: No Virus found
+++ Kaspersky AntiVirus - www.kaspersky.com
+++ Attachment: No Virus found
+++ Panda AntiVirus - www.pandasoftware.com
++++ Attachment: No Virus found
++++ Norman AntiVirus - www.norman.com
++++ Attachment: No Virus found
++++ F-Secure AntiVirus - www.f-secure.com
++++ Attachment: No Virus found
++++ Norton AntiVirus - www.symantec.de

Csatolt file:
<file név>_ <címzett neve>.<kiterjesztés>

<filenév> a következõkbõl választódik ki:

document_all
message
excel document
word document
screensaver
application
website
product
letter
information
details
document

<kiterjesztés> a következõ lehet:

EXE
SCR
PIF
ZIP

W32/Netsky-P megpróbálja a W32/Mydoom és W32/Bagle férgek registry bejegyzéseit törölni.

W32/Netsky-P sok temporális filet készít a Windows könyvtárban: base64.tmp, zip1.tmp, zip2.tmp, zip3.tmp, zipped.tmp.

Forrás: www.sophos.com
fordítva: {Dudu}