[Dshield] new Netsky.b virus - quick analysis (incl. hexdump)

jayjwa jayjwa at atr2.ath.cx
Thu Feb 19 08:54:25 GMT 2004



On Wed, 18 Feb 2004, Erik van Straten wrote:

> 008150  20 54 4F 3A 20 3C 00 00 3E 0D 0A 00 4D 41 49 4C   TO: <..>...MAIL
> 008160  20 46 52 4F 4D 3A 20 3C 00 00 00 00 32 00 00 00   FROM: <....2...
> 008170  48 45 4C 4F 20 00 00 00 2E 7A 69 70 00 00 00 00  HELO ....zip....
> 008180  5C 00 00 00 73 68 61 72 69 6E 67 00 73 68 61 72  \...sharing.shar
> 008190  65 00 00 00 5C 2A 2E 2A 00 00 00 00 53 4F 46 54  e...\*.*....SOFT
> 0081A0  57 41 52 45 5C 4D 69 63 72 6F 73 6F 66 74 5C 57  WARE\Microsoft\W
> 0081B0  69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65  indows\CurrentVe
> 0081C0  72 73 69 6F 6E 5C 52 75 6E 53 65 72 76 69 63 65  rsion\RunService
> 0081D0  73 00 00 00 73 79 73 74 65 6D 2E 00 4B 61 73 70  s...system..Kasp
> 0081E0  65 72 73 6B 79 41 76 00 45 78 70 6C 6F 72 65 72  erskyAv.Explorer
> 0081F0  00 00 00 00 43 4C 53 49 44 5C 7B 45 36 46 42 35  ....CLSID\{E6FB5
> 008200  45 32 30 2D 44 45 33 35 2D 31 31 43 46 2D 39 43  E20-DE35-11CF-9C
> 008210  38 37 2D 30 30 41 41 30 30 35 31 32 37 45 44 7D  87-00AA005127ED}
> 008220  5C 49 6E 50 72 6F 63 53 65 72 76 65 72 33 32 00  \InProcServer32.
> 008230  54 61 73 6B 6D 6F 6E 00 73 65 72 76 69 63 65 00  Taskmon.service.
> 008240  53 4F 46 54 57 41 52 45 5C 4D 69 63 72 6F 73 6F  SOFTWARE\Microso
> 008250  66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65  ft\Windows\Curre
> 008260  6E 74 56 65 72 73 69 6F 6E 5C 52 75 6E 00 00 00  ntVersion\Run...
> 008280  2E 65 78 65 00 00 00 00 54 68 65 20 66 69 6C 65  .exe....The file
> 008290  20 63 6F 75 6C 64 20 6E 6F 74 20 62 65 20 6F 70   could not be op
> 0082A0  65 6E 65 64 21 00 00 00 45 72 72 6F 72 00 00 00  ened!...Error...


And we've also got a good idea of how it auto-starts on each boot-up. I
swear, there must be a template or auto-generator for these things on the
loose someplace. Has anyone noticed that this last batch of viruses/worms
are all fundamentally the same?


	-base64 encoded
	-Arrives as a .ZIP
	-Contains an .EXE, occasionally "stealth" named (message.txt.exe)
	-UPX compressed
	-HKLM \InProcServer32 Taskmon.server
	 \Software\Microsoft\Windows\CurrentVersion\Run (insert virus)
	-all mass-mailers
	-short life span (i.e., spread rapidly, then rapidly go extinct)
	-Dumb email message/Bad English/Incorrect Syntax in the
	 fake mail message.
	-No real payload beyond replication, in most cases


> 0082B0  73 6B 79 6E 65 74 40 73 6B 79 6E 65 74 2E 64 65  skynet@skynet.de
> 0082C0  00 00 00 00 41 64 6D 53 6B 79 6E 65 74 4A 6B 6C  ....AdmSkynetJkl
> 0082D0  53 30 30 33 00 00 00 00 00 00 00 00 00 00 00 00  S003............

							^^^^^^^^^
							Skynet is an ISP
that was over-run with the Sober worm some time ago. Someone sent me an
early copy of what later turned out to be this worm. I also remember
seeing "skynet" in the body of other worms. Probably unrelated, but
nevertheless, interesting. None of the new worms have reached me yet here.


-- 
=============================================
%jayjwa%  RLF#37    "Gnu for ALL. SCO Never."
Vx_Labs Research Group @ Atr2
PGP Key-Fetch: B628B851
   Jung xvaqn jnpxb qrpbqrf ebg13 sebz fvtf ?
---------------------------------------------
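The checklist in the post above (base64-encoded ZIP attachment, an .EXE inside with a "stealth" double extension, UPX packing, and the Run/RunServices and InProcServer32 autostart keys visible as strings in the binary) is easy to turn into a triage script. The following is an added example, not code from the post or from the DShield list. It parses a MIME message, pulls the ZIP out of memory without writing anything to disk, and applies those checks to each executable inside. The sample message it builds is constructed for the example: the addresses and file names are made up, and the "executable" is just a byte string carrying the markers and the registry paths quoted in the hexdump, not a real worm.

```python
"""Triage a mail message against the mass-mailer checklist from the post.

Added example. Checks performed on each attachment:
  - base64 Content-Transfer-Encoding
  - ZIP attachment containing an executable
  - double ("stealth") extension such as message.txt.exe
  - UPX packer markers in the executable
  - autostart registry paths and SMTP verbs present as strings
"""
import io
import json
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Registry paths the hexdump in the post shows the worm using.
AUTOSTART_KEYS = [
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices",
    b"InProcServer32",
]
UPX_MARKERS = [b"UPX!", b"UPX0", b"UPX1"]          # section names / packer tag
SMTP_VERBS = [b"MAIL FROM:", b"RCPT TO:", b"HELO "]  # built-in SMTP engine hint
DOUBLE_EXT = re.compile(r"\.(txt|doc|htm|html|pdf|jpg|gif|zip)\.(exe|scr|pif|com|bat)$", re.I)
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")


def printable_strings(data: bytes, min_len: int = 6):
    """Poor man's `strings`: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage_executable(name: str, data: bytes) -> dict:
    """Apply the checklist to one executable extracted from the ZIP (never run it)."""
    return {
        "name": name,
        "double_extension": bool(DOUBLE_EXT.search(name)),
        "upx_packed": any(m in data for m in UPX_MARKERS),
        "smtp_engine": any(v in data for v in SMTP_VERBS),
        "autostart_keys": sorted(k.decode() for k in AUTOSTART_KEYS if k in data),
        "string_count": len(printable_strings(data)),
    }


def triage_message(raw: bytes) -> dict:
    """Walk the MIME parts, record base64 attachments, triage executables in ZIPs."""
    msg = message_from_bytes(raw)
    report = {"base64_attachments": [], "executables": []}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue
        if part.get("Content-Transfer-Encoding", "").lower() == "base64":
            report["base64_attachments"].append(filename)
        payload = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:   # stays in memory
            for info in zf.infolist():
                if info.filename.lower().endswith(EXECUTABLE_EXT):
                    report["executables"].append(triage_executable(info.filename, zf.read(info)))
    return report


def build_sample_message() -> bytes:
    """Constructed sample (not a real worm): a ZIP attachment holding a fake .exe
    whose bytes only carry the marker strings quoted in the post's hexdump."""
    fake_exe = (
        b"MZ" + b"\0" * 62 + b"UPX0\0\0\0\0UPX1\0\0\0\0UPX!\0"
        + b"MAIL FROM: <\0\0\0HELO \0\0\0.zip\0\0\0\0"
        + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices\0"
        + b"CLSID\\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\\InProcServer32\0"
        + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\0"
    )
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("message.txt.exe", fake_exe)  # the "stealth" double extension
    msg = EmailMessage()
    msg["From"] = "someone@example.com"   # made-up addresses
    msg["To"] = "victim@example.com"
    msg["Subject"] = "hi"
    msg.set_content("please read the attached file")  # the usual thin lure text
    # add_attachment() with bytes uses base64 transfer encoding, as these worms do.
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="message.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(json.dumps(triage_message(build_sample_message()), indent=2))
```

On a real sample, feed `triage_message()` the raw bytes of the message from your mail spool or quarantine; the ZIP is only read, never extracted to disk, and nothing in the attachment is executed. Note that `\CurrentVersion\Run` is a prefix of `\CurrentVersion\RunServices`, so a hit on the former does not by itself tell you which key the sample writes; the strings output is what to read next.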