Full Disclosure mailing list archives

Virus Thread Netsky.D and Quick analysis
From: "Helmut Hauser" <helmut_hauser () hotmail com>
Date: Mon, 1 Mar 2004 15:10:41 +0100

Netsky.D is rapidly spreading ...

Quick analysis:
Packed with the Petite exe Packer V2.2
Tries to infect the following drives and/or network shares:
z:  y:  x:  w:  v:  u:  t:  s:  r:  q:  p:  o:  n:  m:  l:  k:  j:  i:  h:
g:  f:  e:  d:  c:
Has the following IP addresses built in:

Interesting string: be aware! Skynet.cz - -->AntiHacker Crew<-- 

Installs itself at
CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
SOFTWARE\Microsoft\Windows\CurrentVersion\Run    -stealth   winlogon.exe
System\CurrentControlSet\Services\WksPatch
Software\Microsoft\Windows\CurrentVersion\Explorer\PINF Sentry  OLE service
au.exe  d3dupdate.exe

Was signed by skoorpio () yahoo com

Helmut Hauser
Systemadministration EDV
Intraplan Consult GmbH
Orleansplatz 5a
81667 München
(089) 45911-123
http://www.intraplan.de

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
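As an added example (not part of the original post), a Python check that scans a `reg export` of the Run key for the kind of autostart entry described in the analysis above: a binary named like a Windows system process (such as winlogon.exe) launched from outside System32, or one carrying a `-stealth` switch. The registry export text, the value names and the paths in it are constructed sample data.

```python
"""Flag Run-key autostart entries that mimic system binaries or use the -stealth switch."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the text format `reg export` writes: a legitimate System32
# entry, one modelled on the Netsky.D persistence entry, and a quoted vendor path.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Startup Helper"="C:\\WINDOWS\\winlogon.exe -stealth"
"Updater"="\"C:\\Program Files\\Vendor\\update.exe\" /quiet"
"""

# System process names worth checking; a genuine copy lives in %SystemRoot%\System32.
SYSTEM_BINARIES = {"winlogon.exe", "services.exe", "lsass.exe", "csrss.exe"}
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_run_key(export: str) -> Dict[str, str]:
    """Return {value_name: command}; reg export escapes backslashes and quotes with '\\'."""
    entries = {}
    for line in export.splitlines():
        m = VALUE_LINE.match(line.strip())
        if m:
            entries[m.group("name")] = re.sub(r'\\(["\\])', r"\1", m.group("data"))
    return entries

def split_command(command: str) -> Tuple[str, str]:
    """Separate the executable path from its arguments, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    exe, _, args = command.partition(" ")
    return exe, args.strip()

def suspicious_autostarts(export: str) -> List[str]:
    """Names of Run entries whose executable is a system binary name outside System32,
    or whose arguments contain the -stealth switch seen in the Netsky.D entry."""
    flagged = []
    for name, command in parse_run_key(export).items():
        exe, args = split_command(command)
        basename = exe.rsplit("\\", 1)[-1].lower()
        if basename in SYSTEM_BINARIES and not SYSTEM_DIR.match(exe):
            flagged.append(name)
        elif "-stealth" in args.lower().split():
            flagged.append(name)
    return flagged
```

On a live system the same functions can be fed the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`.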

