Win32.Netsky.T@mm

MEDIUM
MEDIUM
18.432 bytes (modified and packed with UPX), ~50K unpacked

Symptoms

Presence of an AntiAv.exe file in the %SystemRoot% folder (e.g. in c:\Windows)

Presence of the string "EasyAV" in the startup registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run", pointing to "%SystemRoot%\EasyAV.exe".

Presence of two identical processes in the task list, none of which can be terminated in the usual manner.

Removal instructions:

Disinfection instructions:
Let BitDefender erase the infected files.

Analyzed By

Mihai Chiriac, Patrick Vicol, BitDefender Virus Researchers

Technical Description:

This is the first version of Netsky to include a backdoor component.
A compressed and encrypted hardcoded text string exists in the worm body:

"Now we have programmed our backdoor, it cannot be used for spam relaying,only for Skynet distribution,
our advice: educate the users or update the smtp protocol, and heuristics cannot detect Skynet, becauses
numerous scambler, compressors, and protectors exists including programming new features.

Thanks to russia, and thanks to CCC
for support.

09:34 A.M, Russia"

The backdoor component listens on port 6789. If the attacker sends an executable file, the worm will download and execute it immediately.

If the system date is between 14.04.2004 and 23.04.2004, the worm will start a "Denial-Of-Service" attack against several websites: (www.keygen.us, www.freemule.net, www.kazaa.com, www.emule.de, www.cracks.am).
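The Symptoms listed above and the port 6789 listener described here can be checked from artefacts an incident responder already collects. The following is an added example (not BitDefender's tool) that evaluates those indicators against a `reg export` of the Run key, `netstat -ano` output, a %SystemRoot% directory listing and a process list; all sample data is constructed for a hypothetical host.

```python
import re
from collections import Counter
# Indicators quoted from the advisory above.
RUN_VALUE = "EasyAV"
RUN_TARGET = r"%SystemRoot%\EasyAV.exe"
DROPPED_FILE = "antiav.exe"
BACKDOOR_PORT = 6789

# Constructed sample of `reg export` of the Run key (hypothetical host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"EasyAV"="%SystemRoot%\\EasyAV.exe"
'''
# Constructed sample of `netstat -ano` output (hypothetical host).
SAMPLE_NETSTAT = '''  Proto  Local Address    Foreign Address  State      PID
  TCP    0.0.0.0:135      0.0.0.0:0        LISTENING  900
  TCP    0.0.0.0:6789     0.0.0.0:0        LISTENING  1234
'''
# Constructed %SystemRoot% listing and (image, pid) process list.
SAMPLE_FILES = ["explorer.exe", "AntiAv.exe", "notepad.exe"]
SAMPLE_PROCS = [("explorer.exe", 800), ("EasyAV.exe", 1234), ("EasyAV.exe", 1240)]

def run_key_matches(reg_text):
    """True if the Run key export has the EasyAV value pointing at EasyAV.exe."""
    for m in re.finditer(r'^"([^"]+)"="(.*)"$', reg_text, re.M):
        if m.group(1) == RUN_VALUE:  # .reg files double backslashes in data
            return m.group(2).replace("\\\\", "\\").lower() == RUN_TARGET.lower()
    return False
def listening_pids(netstat_text, port):
    """PIDs owning a TCP socket in LISTENING state on the given local port."""
    pids = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) == 5 and cols[0] == "TCP" and cols[3] == "LISTENING" and cols[1].endswith(f":{port}"):
            pids.append(int(cols[4]))
    return pids
def duplicate_images(procs):
    """Image names seen more than once (the 'two identical processes' symptom)."""
    counts = Counter(name.lower() for name, _ in procs)
    return sorted(name for name, n in counts.items() if n > 1)
def check_host(reg_text, netstat_text, files, procs):
    """Names of the advisory's indicators observed on the host, in a fixed order."""
    checks = [
        ("run_key", run_key_matches(reg_text)),
        ("dropped_file", any(f.lower() == DROPPED_FILE for f in files)),
        ("backdoor_port", bool(listening_pids(netstat_text, BACKDOOR_PORT))),
        ("duplicate_process", bool(duplicate_images(procs))),
    ]
    return [name for name, hit in checks if hit]
```

A single hit (e.g. only `backdoor_port`) is worth triage on its own, since a benign program could legitimately use that port; the combination of the Run key and dropped file is the strong signal.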