[Dshield] new Netsky.b virus - quick analysis (incl. hexdump)

Carboni, Chris ccarboni at azerty.com
Thu Feb 19 13:43:54 GMT 2004


Yes, I have.  And I think it's only going to get worse.

Eventually, they won't have such a short lifespan, and will have a more
damaging payload

Sometimes it seems as though there is a battle or war going on between virus
writers, hacking groups, whatever, and our systems are the battleground(s).

~Chris


-----Original Message-----
From: jayjwa [mailto:	] 
Sent: Thursday, February 19, 2004 3:54 AM
To: General DShield Discussion List
Subject: Re: [Dshield] new Netsky.b virus - quick analysis (incl. hexdump)



Has anyone noticed that this last batch of virus/worms
all are fundimently the same?


	-base64 encoded
	-Arrives as a .ZIP
	-Contains an .EXE, occasionally "stealth" named (message.txt.exe)
	-UPX compressed
	-HKLM \InProcServer32 Taskmon.server
	 \Software\Microsoft\Windows\CurrentVerion\Run (insert virus)
	-all mass-mailers
	-short life span (ie, spread rapidly, then rapidly go extinct)
	-Dumb email message/Bad English/Incorrect Syntax in the
	 fake mail message.
	-No real payload beyond replication, in most cases




More information about the list mailing list