[Dshield] NetSky observation

Paul Marsh pmarsh at nmefdn.org
Thu Feb 19 14:26:01 GMT 2004 

Below are the technical specs regarding NetSky.B from TrendMicros site.
I know the word "good" and worm don't go well but it really looks like
NetSky has done what it was created to do.  Mydoom was slated to die on
what the 12th and because of system clocks being off it might be around
for awhile.  I was still seeing 200+ a day Mydooms up until the 17th and
a few hundred Bagle.B's also.  NetSky.B hits and now it's the quietest
I've seen it in a long time.  Yesterday 5 viri stopped at my perimeter
today it's stopped 2. How is everyone else making out, has it quieted
down?  I read some where (can't remember where) that it's possible that
NetSky was created by an AV insider?  Is NetSky a good worm or are we
just waiting for the second shoe to drop?

Thanx, Paul

WORM_MYDOOM and WORM_MIMAIL.T Retaliation 

This worm deletes the following registry entries to prevent the
execution of WORM_MYDOOM.A at every startup: 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
CurrentVersion\Run 
Taskmon

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows
CurrentVersion\Run 
Taskmon

It does the same for the following autorun registry entries of
WORM_MYDOOM.B: 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
CurrentVersion\Run 
Explorer

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows
CurrentVersion\Run 
Explorer

It further deletes the following known autorun registry entry of the two
MYDOOM variants: 

HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-
00AA005127ED}\InProcServer32

This worm also prevents the execution of WORM_MIMAIL.T at every system
startup by removing the following autorun registry entry: 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
CurrentVersion\Run 
KasperskyAv

It deletes the following registry entries, which are possibly utilized
by other malware as autostart entries: 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
CurrentVersion\Run 
system

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows
CurrentVersion\Run 
system

WORM_MYDOOM.A, WORM_MYDOOM.B, and WORM_MIMAIL.T are known to create the
described registry entries. The entries, however, may be created by
other applications that would also be affected by this worm. 

Other Details 

This malware creates the mutex AdmSkynetJklS003 to signify its presence
in memory. 



------------------------------------------------------------------------
--------
Analysis by: Daniel M. Biado



 

Description created: Feb. 18, 2004 
Description updated: 24 hours, 41 minutes ago
(Feb. 18, 2004 5:20:48 AM GMT -0800)

More information about the list mailing list