[Dshield] NetSky observation
Paul Marsh
pmarsh at nmefdn.org
Thu Feb 19 14:26:01 GMT 2004
Below are the technical specs regarding NetSky.B from Trend Micro's site.
I know the word "good" and worm don't go well but it really looks like
NetSky has done what it was created to do. Mydoom was slated to die on,
what, the 12th and because of system clocks being off it might be around
for a while. I was still seeing 200+ a day Mydooms up until the 17th and
a few hundred Bagle.B's also. NetSky.B hits and now it's the quietest
I've seen it in a long time. Yesterday 5 viri stopped at my perimeter,
today it's stopped 2. How is everyone else making out, has it quieted
down? I read somewhere (can't remember where) that it's possible that
NetSky was created by an AV insider? Is NetSky a good worm or are we
just waiting for the second shoe to drop?
Thanx, Paul
WORM_MYDOOM and WORM_MIMAIL.T Retaliation
This worm deletes the following registry entries to prevent the
execution of WORM_MYDOOM.A at every startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Taskmon
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Taskmon
It does the same for the following autorun registry entries of
WORM_MYDOOM.B:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Explorer
It further deletes the following known autorun registry entry of the two
MYDOOM variants:
HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
This worm also prevents the execution of WORM_MIMAIL.T at every system
startup by removing the following autorun registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KasperskyAv
It deletes the following registry entries, which are possibly utilized
by other malware as autostart entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
system
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
system
WORM_MYDOOM.A, WORM_MYDOOM.B, and WORM_MIMAIL.T are known to create the
described registry entries. The entries, however, may be created by
other applications that would also be affected by this worm.
Other Details
This malware creates the mutex AdmSkynetJklS003 to signify its presence
in memory.
Analysis by: Daniel M. Biado
Description created: Feb. 18, 2004
Description updated: Feb. 18, 2004 5:20:48 AM GMT -0800
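As an added example (not part of the original post or of Trend Micro's description), the following script audits a registry export for the autostart entries the description says NetSky.B deletes: the Run values Taskmon, Explorer, KasperskyAv and system, plus the MYDOOM CLSID InProcServer32 key. The .reg text and the value data in it are constructed for the demonstration; a hit is a lead to inspect, not a verdict, since the description itself notes other applications may use the same names.

```python
import re

# Value names under ...\CurrentVersion\Run and the CLSID key named in the description.
RUN_VALUE_NAMES = {"taskmon", "explorer", "kasperskyav", "system"}
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32"

# Constructed sample .reg export (paths are placeholders, not real worm file names).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskmon"="C:\\constructed\\taskmon.exe"
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"system"="C:\\constructed\\system.exe"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\constructed\\handler.dll"
'''


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "@" if name == "@" else name.strip('"')
            # .reg escapes backslashes in string data as "\\"; undo that.
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def find_suspect_autostarts(reg_text):
    """Return (key, value_name, data) tuples for the Run values and CLSID key listed above.

    Registry key and value names are case-insensitive, so comparisons are folded.
    """
    hits = []
    for key, values in parse_reg(reg_text).items():
        if re.search(r"\\CurrentVersion\\Run$", key, re.IGNORECASE):
            hits += [(key, n, d) for n, d in values.items() if n.lower() in RUN_VALUE_NAMES]
        elif key.lower() == CLSID_KEY.lower():
            hits += [(key, n, d) for n, d in values.items()]
    return hits


if __name__ == "__main__":
    for key, name, data in find_suspect_autostarts(SAMPLE_REG):
        print(f"{key} :: {name} = {data}")
```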