Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    New ErrTraffic service enables ClickFix attacks via fake browser glitches

Featured Deal: This PDF editor alternative is only $40 for a lifetime subscription

Latest Buyer's Guide:     Best VPNs in 2025

Generic User Avatar

NetSky.V - More innovation

Started by harrywaldron , Apr 15 2004 05:41 PM

  • Please log in to reply
No replies to this topic

#1 harrywaldron

harrywaldron

    Security Reporter


  • Avatar image
  • Members
  • 509 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:03:19 AM

Posted 15 April 2004 - 05:41 PM

Netsky.V is a new variant that uses HTML scripting and unpatched MS exploits to spread rather than email attachments. Thankfully, it's low risk, but I did a double take when I looked at the flowchart below and the sophisticated of it's design. This is more of an FYI than actual threat and I hope it remains that way.

NETSKY.V Informaton
http://vil.nai.com/vil/content/v_101175.htm
http://www.symantec.com/avcenter/venc/data...etsky.v@mm.html
http://www.trendmicro.com/vinfo/virusencyc...e=WORM_NETSKY.V

This variant of W32/Netsky is similar to previous variants of W32/Netsky, however the virus does not spread as an email attachment, but rather as a hyperlink pointing to an infected system. It bears the following characteristics:

* infects by spreading exploit script, which automatically downloads and executes the virus from a remote infected system constructs messages using its own SMTP engine
* harvests email addresses from the victim machine
* spoofs the To: and From: address of messages
* opens a port on the victim machine (TCP 5556 & 5557)
* delivers a DoS attack on certain web sites upon a specific date condition


EMAIL TO AVOID OR BLOCK (this uses URLs and not attachments)

From:

To:

Subject: (any of the following)

·Gateway Status Failure
·Mail delivery failed
·Mail Delivery Sytem failure
·Server Status failure

Message body: (any of the following)

·Converting message. Please wait....
·Please wait while converting the message...
·Please wait while loading failed message...
·The processing of this message can take a few minutes...



MICROSOFT SECURITY BULLETINS - THAT HELP TO PREVENT INFECTION

Netsky.V relies on several unpatched vulnerablies as noted below:

http://www.microsoft.com/technet/security/...n/MS99-032.mspx
http://www.microsoft.com/technet/security/...n/MS03-032.mspx
http://www.microsoft.com/technet/security/...n/MS03-040.mspx


HOW NETSKY.V INFECTS A SYSTEM

Posted Image

Step 1. W32.Netsky.V@mm constructs the message body using the Microsoft Internet Explorer XML Page Object Type Validation Vulnerability (CAN-2003-0809 / Microsoft Security Bulletin MS03-040). Successful exploitation of this vulnerability could allow a malicious object to be trusted and as such be installed and executed on the local system. The composed email body contains the object that points to the following source:

data=http://%INFECTED_COMPUTER_IP%:5557/index.html

Step 2. As a result, the victim computer will query the index.html page from the HTTP server, that is installed on the infected computer and listens on port 5557.

Step 3. Once the HTTP server accepts incoming connection, it will forge an HTML-page that exploits the Microsoft IE5 ActiveX "Object for constructing type libraries for scriptlets" Vulnerability (CVE-1999-0668 / Microsoft Security Bulletin MS99-032).

Step 4. The code contained in the viral index.html file will run the ftp.exe to connect to the FTP server, listening on port 5556 on the infected computer, and query the worm executable.

Step 5. The worm executable will be retrieved and executed locally.
Microsoft Security Journal

BC AdBot (Login to Remove)

 

Back to Anti-Virus, Anti-Malware, and Privacy Software


1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users


  1. BleepingComputer Forums
  2. Security
  3. Anti-Virus, Anti-Malware, and Privacy Software
  4. Privacy Policy
  5. Rules ·