You are browsing the archived Lancers Reactor forums.

NETSKY V - New SuperVirus

Post Fri Apr 16, 2004 9:19 am

I just found out some news, and seeing as quite a few people are VERY unaware of online threats, and are as slack as anything about updates, may this be a warning to you. Time to update EVERYTHING - Virus scanners, Windows updates, EVERYTHING that you have neglected to do. Start deleting emails that you don't know the origin of, especially tempting ones. If you don't recognise something, then the chances are it's NOT a million pound ticket, but either porn spam, or a virus - and with this latest one, you will regret even clicking on it...

For those that DON'T have a virus scanner, there is a company called AVG - who started not long ago, and are offering a fully functional FREE virus scanner for people to download. See here for your free virus scanner.

For Windows updates, it's the Start button, then to the All Programs expander. Top LEFT hand side, above your "Accessories" is a little "section" alone, inside this you will usually see your browser (mine is AOL up there) and also Windows Update etc - CLICK on Windows Update and download any critical ones! Once installed, RESTART YOUR COMPUTER!!!

Read on, as it's more than just a lil ol virus as well - some nasty people are out there again



Computer users were facing a vicious double threat today as yet another new supervirus was revealed while a global gang of hackers threatened to bring down the Internet.

The new virus, called Netsky-V, is a next-generation virus that can infect computers even if the user does not open a rogue email.

Previously, viruses only hit PCs if a suspect email was opened and an attachment downloaded.

The nasty Netsky-V version can go to work wrecking computers even if the user only clicks on the subject line of the email.


Meanwhile, another gang of malevolent hackers were warning they intend to cause the Web to grind to a halt next week.

Experts monitoring the Web have detected a co-ordinated attempt to hack into the world’s most powerful supercomputers and server systems in an attempt to cause major disruption across the world.

Massive systems at America’s Stanford University, the San Diego Supercomputer Center, and the US National Center for Atmospheric Research have been targeted in recent days.

One US anti-virus expert said it was believed the computer criminals were attempting to harness the massive power of the supercomputers to bring down Web sites and email systems.

A spokesman for AOL UK said: "Computer hackers and viruses are a significant threat to all Internet users, particularly those on broadband. "Motivations range from simple virtual vandalism to serious commercial gain, so they are a threat we take very seriously. For example, AOL provides free email anti-virus scanning for all members and free firewall software for broadband users as part of its subscription to make it safer for its members when they are online."



Now you are aware, and you have been provided with information on how to protect yourself....you have NO excuse. If you don't care about your own computer, then do it for the others who MIGHT get infected through your pathetic ignorance!



Post Fri Apr 16, 2004 9:24 am

Cheers Chips.

Good to know you're out there trying to keep all of us vigilant.

But I would add one additional note to those "slackers" so to speak.

Slackers' inactions do not only victimize themselves. By allowing themselves to be infected they also become infectious to those who are more vigilant.

So I would add that if you care about how you interact with and affect others, you'll be more careful or else you run the risk of the blame for having caused someone else's problems as well.

Post Fri Apr 16, 2004 9:25 am

Wolfy - take note!

Post Fri Apr 16, 2004 3:24 pm

oh, crap, looks like I'm gonna be blocking hotmail and Iprimus until I can upgrade this firewall.
Just downloading all the updates now, oh how fun this is gonna be.

Does anyone know how to block access to programs on WinXP?

Post Fri Apr 16, 2004 3:41 pm

Some more info, currently low profile virus (ie - not many know about it yet...yet). Remember though - low profile doesn't mean low risk at all... and the more aware to dangers, the less likely it will spread, therefore NOT being a danger in turn.
This is from The Register:

Yet another NetSky virus arrived on the scene today. NetSky-V spreads using a well known Internet Explorer vulnerability, connected with the handling of XML pages. Instead of depending on users double clicking on infectious email attachments, the worm can spread automatically across vulnerable Windows boxes.

Users can be infected by NetSky-V simply by reading an infected email. Note - no need to click on attachment at all - just reading the email will infect you!

Just as well then that NetSky-V, although it has been observed in the wild, is far less common than previous versions. Most anti-virus firms rate NetSky-V as low-to-medium risk. A previous variant, NetSky-Q, was also capable of auto-execution but it used a different exploit mechanism (an IE iFrame vulnerability, dating back three years) to the vulnerability exploited by Netsky-V.

Emails contaminated by NetSky-V come with subject lines such as 'Converting message. Please wait...' and exploit code which attempts to download a copy of the worm from an infected user's computer.

The worm's payload contains code designed to spread infectious emails to addresses harvested from victim machines, which become zombie drones.

From 22 to 29 April, NetSky-V is programmed to launch a denial of service attack on file-sharing and warez websites (www.cracks.am, www.emule.de, www.kazaa.com, www.freemule.net and www.keygen.us).

Four previous versions of NetSky have targeted a similar list of sites. NetSky-Q infected more machines than its DDoS worm siblings and was therefore responsible for the most severe attack to date.

Sites such as www.kazaa.com remained up and running during an attack by NetSky-Q between 8 April and 11 April. However www.cracks.am was seriously bogged down. Other sites targeted by Netsky-Q - www.edonkey2000.com and www.emule-project.net - removed themselves from DNS records during the duration of the attack.

Mikko Hyppönen, director of Anti-Virus Research at Finnish AV firm F-Secure, said the attacks "were fairly successful since most of the sites, except Kazaa, went down."

Advice to defend against Netsky in all its varied guises follows a familiar pattern: update AV signature files, apply patches, use a personal firewall and wear a regulation tin-foil hat.




This is from McAfee:



--Update 04/15/2004 08:00 PST
W32/Netsky.v@MM has been updated to low-profiled due to press at http://www.theregister.co.uk/2004/04/15/pesky_netsky/ .

The following EXTRA.DAT packages are available, prior to the full DAT release.
EXTRA.DAT
SUPER EXTRA.DAT

This variant of W32/Netsky is similar to previous variants of W32/Netsky, however the virus does not spread as an email attachment, but rather as a hyperlink pointing to an infected system. It bears the following characteristics:


infects by spreading exploit script, which automatically downloads and executes the virus from a remote infected system
constructs messages using its own SMTP engine
harvests email addresses from the victim machine
spoofs the To: and From: address of messages
opens a port on the victim machine (TCP 5556 & 5557)
delivers a DoS attack on certain web sites upon a specific date condition

Mail Propagation

Email addresses are harvested from the victim machine. Files with the following extensions are searched:

.adb
.asp
.cfg
.cgi
.dbx
.dhtm
.doc
.eml
.htm
.html
.jsp
.mbx
.mdx
.mht
.mmf
.msg
.nch
.ods
.oft
.php
.pl
.ppt
.rtf
.sht
.shtm
.stm
.tbb
.txt
.uin
.vbs
.wsh
.wab
.xls
.xml

Constructed messages bear the following characteristics:

To: [email protected] (this is spoofed)
From: [email protected] (this is also spoofed, it is not the true receiving address)
Subject: (taken from the following list)

Mail Delivery Sytem failure
Mail delivery failed
Server Status failure
Gateway Status failure

Body text: (taken from the following list)

The processing of this message can take a few minutes...
Converting message. Please wait...
Please wait while loading failed message...
Please wait while converting the message...

Rather than including an attachment, the HTML within the message contains exploit code to contact a remote website to download the infected file. This HTML script will be detected with 4352 DATs and higher as Exploit-ObjectData. The remote infected computer is contacted via HTTP on TCP port 5557, the remote HTML file is launched, which drops an FTP "script" that downloads the Netsky.v executable file from the remote machine via TCP port 5556, and proceeds to infect the local machine by executing the downloaded file.

Denial of Service

This worm targets the following remote servers in a denial of service attack:

www.keygen.us
www.freemule.net
www.kazaa.com
www.emule.de
www.cracks.am

System Changes

The worm installs itself on the victim machine as KasperskyAVEng.exe in the Windows directory:

%WinDir%\KasperskyAVEng.exe

The following Registry key is added to hook system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "KasperskyAVEng" = %WinDir%\KasperskyAVEng.exe

A copy of the worm is saved to disk as SKYAV.TMP in the Windows directory:

%WinDir%\skyav.tmp

Remote Access Component

The worm opens a web server on TCP port 5557 which, on vulnerable systems, will load an HTM file which is heuristically detected by DATs up to 4352 as Unsafe Script. Specific detection will be added to the 4352 DATs as Exploit-ObjectData.

The virus also opens an FTP server on TCP Port 5556, so that the infected system can be accessed remotely.

Indications of Infection

Outgoing DNS query to one of the following DNS servers (IP list carried within the worm):
212.44.160.8
195.185.185.195
151.189.13.35
213.191.74.19
193.189.244.205
145.253.2.171
193.141.40.42
194.25.2.134
194.25.2.133
194.25.2.132
194.25.2.131
193.193.158.10
212.7.128.165
212.7.128.162
193.193.144.12
217.5.97.137
195.20.224.234
194.25.2.130
194.25.2.129
212.185.252.136
212.185.253.70
212.185.252.73
Existence of the files/Registry keys detailed above
TCP ports 5556 & 5557 open on the victim machine

Method of Infection

This worm spreads by email, constructing messages using its own SMTP engine.

Removal Instructions

All Users :
Use the Daily DAT files for detection and removal.

Alternatively, the following EXTRA.DAT packages are available.
EXTRA.DAT
SUPER EXTRA.DAT

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Edited by - Chips on 4/16/2004 4:47:14 PM
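As an added example (not code from McAfee, The Register, or anyone in this thread), the script below checks a machine's observables against the indicators the McAfee description above lists: the two listening TCP ports, the dropped file names, the Run key value, the embedded DNS resolver IPs and the fixed subject lines. The netstat rows, Run-key entries and DNS log lines it runs over are constructed samples, and all function and variable names are the example's own.

```python
"""Indicator check for the W32/Netsky.v description quoted above.

Added example, not from the McAfee or Register write-ups. It matches the
indicators those write-ups list against constructed sample data; the live
port probe at the bottom only looks at the local machine.
"""
import re
import socket

# Indicators taken from the McAfee description quoted in the thread.
WORM_PORTS = {5556, 5557}                      # FTP server / web server
WORM_FILES = {"kasperskyaveng.exe", "skyav.tmp"}
WORM_RUN_VALUE = "KasperskyAVEng"              # value name under ...\Run
WORM_SUBJECTS = {
    "Mail Delivery Sytem failure",   # misspelling is the worm's, kept as listed
    "Mail delivery failed",
    "Server Status failure",
    "Gateway Status failure",
}
WORM_DNS_SERVERS = {
    "212.44.160.8", "195.185.185.195", "151.189.13.35", "213.191.74.19",
    "193.189.244.205", "145.253.2.171", "193.141.40.42", "194.25.2.134",
    "194.25.2.133", "194.25.2.132", "194.25.2.131", "193.193.158.10",
    "212.7.128.165", "212.7.128.162", "193.193.144.12", "217.5.97.137",
    "195.20.224.234", "194.25.2.130", "194.25.2.129", "212.185.252.136",
    "212.185.253.70", "212.185.252.73",
}

# "netstat -an" style row: proto, local addr:port, foreign addr, state.
_NETSTAT_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.I)
_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def listening_worm_ports(netstat_lines):
    """Return the worm's ports that appear in LISTENING state."""
    found = set()
    for line in netstat_lines:
        m = _NETSTAT_ROW.match(line)
        if m and int(m.group(2)) in WORM_PORTS:
            found.add(int(m.group(2)))
    return sorted(found)


def suspicious_run_values(run_key_values):
    """run_key_values: dict of value name -> data under ...\\CurrentVersion\\Run.
    Flags the worm's value name, or any data whose file name is a dropped file."""
    hits = []
    for name, data in run_key_values.items():
        basename = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name == WORM_RUN_VALUE or basename in WORM_FILES:
            hits.append(name)
    return hits


def worm_dns_queries(dns_log_lines):
    """Return resolver IPs from the worm's embedded list seen in DNS log lines."""
    return sorted({ip for line in dns_log_lines for ip in _IPV4.findall(line)
                   if ip in WORM_DNS_SERVERS})


def is_worm_subject(subject):
    """True if the subject is one of the worm's fixed subject lines."""
    return subject.strip() in WORM_SUBJECTS


def local_ports_open(ports=WORM_PORTS, host="127.0.0.1", timeout=0.3):
    """Live check: which of the worm's ports accept a TCP connection locally."""
    open_ports = []
    for port in sorted(ports):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.append(port)
        except OSError:
            pass
    return open_ports


# Constructed sample data (not captured from a real infection).
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:5556           0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:5557           0.0.0.0:0              LISTENING",
    "  TCP    192.0.2.10:5557        198.51.100.7:1045      ESTABLISHED",
    "  UDP    0.0.0.0:445            *:*",
]
SAMPLE_RUN_KEY = {
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
    "KasperskyAVEng": "C:\\WINDOWS\\KasperskyAVEng.exe",
    "updater": "C:\\WINDOWS\\skyav.tmp",       # renamed value, same dropped file
}
SAMPLE_DNS_LOG = [
    "2004-04-16 15:41:02 query to 192.0.2.53 for mail.example.net",
    "2004-04-16 15:41:05 query to 194.25.2.129 for mx.example.org",
    "2004-04-16 15:41:06 query to 212.185.252.73 for mx.example.com",
]

if __name__ == "__main__":
    print("listening worm ports:", listening_worm_ports(SAMPLE_NETSTAT))
    print("suspicious Run values:", suspicious_run_values(SAMPLE_RUN_KEY))
    print("worm resolver IPs queried:", worm_dns_queries(SAMPLE_DNS_LOG))
    print("worm subject?", is_worm_subject("Mail delivery failed"))
    print("worm ports open on this host:", local_ports_open())
```

The port check is the indicator that needs no signature: the worm's own FTP and web servers have to listen on 5556 and 5557 to hand the executable to the next victim, so a host with both ports listening deserves a look even before the DAT update lands. Matching the Run key by the dropped file name, not just the value name, is what the `updater` sample entry exercises.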

Post Fri Apr 16, 2004 3:54 pm

Thank God I don't use Kazaa anymore. That thing's a breeding ground for computer viruses. Stay away from it. This is another common sense thing too. If you don't recognize an e-mail or find it suspicious, don't open it. Report the e-mail to your ISP provider if you use an ISP e-mail account, and delete the message. I don't use Outlook Express because that's been a very popular target for viruses. As Chips said, use an Anti-virus program, as most of them can block stuff like this. Again, as Chips said, you can download a free Anti-virus program like AVG or the one I use, AntiVir. For AntiVir you can go to www.free-av.com. It's a really good program. I run it once a week.

"Evil will always triumph because good is dumb!"

Post Fri Apr 16, 2004 4:12 pm

How exactly do viruses get E-mailed? Does the virus creator have a program that tries different e-mail addresses?

We go for victory!

Post Fri Apr 16, 2004 5:06 pm

Once a machine is infected it uses the email addys in the address book to send itself out to other users, they get infected and then it uses their address book and so on. Basically they self propagate.

Post Fri Apr 16, 2004 6:30 pm

@Chips,

When you say that the virus will activate if you just "click" on it, do you mean that if I were to highlight the bugger to delete it, it already has activated?

I'm totally up-to-date on AV and Windows security updates but I've got friends who are notoriously uh..... inattentive to say the least?

Post Fri Apr 16, 2004 6:38 pm

What e-mails are being hit? Outlook, Express? Opera does pretty good at screening viruses before I can download the mail, and my main one does not use any mail servers of Windows. AV up to date here too.

Post Fri Apr 16, 2004 6:49 pm


Wolfy - take note!

*mumbles while he tries to find a pencil and paper*

Post Fri Apr 16, 2004 6:50 pm

hmm Netsky that's backwards for Skynet from the Terminator Series hmmm

A quote from Celso of That 70's Show:I gotta have that car,El Camino is spanish for The Camino

Post Fri Apr 16, 2004 7:39 pm

yeah, someone is obviously trying to create the worst virus with a name inspired from the Terminator

Post Fri Apr 16, 2004 8:07 pm

I knew it! It's bloody Outlook again! I hate that program so much!

Allow me to quote;

Downstream victims can become infected simply by reading an email sent by the virus. Note, however, that this email relies on a bug in Microsoft Outlook for which a patch has already been published. If you have downloaded and applied up-to-date patches from Microsoft, then the exploit used by this email will not work and the email is harmless.


I knew that there was a reason I didn't like Outlook...

Post Fri Apr 16, 2004 9:08 pm

hahahaha! my dad was gonna have me use that but I didn't wanna do all this crappy work to get it set up
