[Dshield] new Netsky.b virus - quick analysis (incl. hexdump)

jayjwa jayjwa at atr2.ath.cx
Fri Feb 20 15:24:50 GMT 2004

On Thu, 19 Feb 2004, Jon R. Kibler wrote:

> jayjwa wrote:
> <SNIP!>
> > And we've also got a good idea of how it auto-starts on each boot-up. I
> > swear, there must be a template or auto-generator for these things on the
> > loose someplace. Has anyone noticed that this last batch of virus/worms
> > all are fundamentally the same?
> >
> <SNIP!>
> Why are they fundamentally the same? I don't think it is a template or
> worm generator. I really think that a very few individuals working for
> spammers, or even a spammer organization itself, is responsible. Thus,
> the similarity. I mean these organizations are even running "Help Wanted"
> ads for virus writers -- offering 6-figure salaries (USD) at offshore
> locations.

Can you post one of these ads?

> Let's face it... almost all of the recent worms pass the "duck test" for
> spammer originated. What other conclusion can we draw?

That there's an automated tool of some sort, like the VB worm generator of
old, and the one that created the "Anna Kornikova" (sp?) virus. Such tools
exist, and can be readily downloaded from the Internet, found by plugging
in "virus creation" or "worm generator" into your favorite search engine.
In less than 20 minutes, anyone with one of these tools can create a
mass-mailer very similar to what we are seeing here. In fact, this already
did happen, before, with something called "Vbswg". Search for "K virii" at
google, about 1/2 page down. Automated tools = tons of worms released by
"virus writers" that normally won't be able to. That the last few worms
have much in common lends credibility to the theory.
I don't see enough solid evidence to link this to spammers. How are they
profiting? Not by someone's computer having a virus. If we saw these
infected machines being remote-controlled to send out ads for Viagra and
such, then I'd be inclined to believe it; but that's not what's happening.
It makes a nice explanation - unfortunately there's little or no solid,
tangible evidence of such operations. Only speculation, as far as I've
seen. If I'm wrong, I'd like to see the articles or proof that supports
the notion that this latest batch of worms are by and for the benefit of

