This NETSKY variant spreads via email as a .PIF attachment and gathers email addresses from files with various extensions on all drives. The email messages it sends out have varying subjects, message bodies and attachment file names. The worm also deletes several autorun registry entries associated with other malware (listed below) in an attempt to prevent their automatic execution.
When executed, the worm creates the mutex LK[SkyNet.cz]SystemsMutex to check whether it is already running in memory. It then drops a copy of itself as WINLOGON.EXE in the Windows folder.
The subject line will be any of the following:
Re: Re: Document, Re: Thanks!, Re: Here is the document, Re: Your picture, Re: Re: Message, Re: Hello, Re: Re: Re: Your document, Re: Here, Re: Your music, Re: Excel file, Re: Word file, Re: Your bill, Re: Your text, Re: Your archive, Re: Your letter, Re: Your product, Re: Your website
The body of the email will be any of the following:
- Here is the file. See the attached file for details
- Please have a look at the attached file...
- Please read the attached file.
- Your file is attached.
The attachment name mirrors the subject line and carries a .PIF extension, e.g. your document.PIF, yours.pif, mp3music.pif, application.pif, all_document.pif.
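As an added example (not code from the original page), a mail-gateway style rule in Python that flags the email pattern described above: any message with a .pif attachment, escalated to a NETSKY verdict when the subject or body also matches the lists on this page. The sample messages it builds are constructed, and the sender and recipient addresses are placeholders.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines and body texts listed on this page for this NETSKY variant.
NETSKY_SUBJECTS = {
    "Re: Re: Document", "Re: Thanks!", "Re: Here is the document",
    "Re: Your picture", "Re: Re: Message", "Re: Hello", "Re: Here",
    "Re: Re: Re: Your document", "Re: Your music", "Re: Excel file",
    "Re: Word file", "Re: Your bill", "Re: Your text", "Re: Your archive",
    "Re: Your letter", "Re: Your product", "Re: Your website",
}
NETSKY_BODIES = {
    "Here is the file. See the attached file for details",
    "Please have a look at the attached file...",
    "Please read the attached file.",
    "Your file is attached.",
}

def pif_attachments(msg):
    """File names of all attachments with a .pif extension (any case)."""
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(".pif")]

def classify(raw):
    """Return (verdict, reasons): "netsky" for a .pif attachment plus a known
    subject or body, "suspicious" for any other .pif, otherwise "clean"."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    pifs = pif_attachments(msg)
    if pifs:
        reasons.append("pif attachment: " + ", ".join(pifs))
    if str(msg["Subject"] or "").strip() in NETSKY_SUBJECTS:
        reasons.append("known NETSKY subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""
    if text in NETSKY_BODIES:
        reasons.append("known NETSKY body text")
    verdict = "clean" if not pifs else "netsky" if len(reasons) > 1 else "suspicious"
    return verdict, reasons

def build_sample(subject, body, attach_name):
    """Constructed sample message (not a real capture) for exercising the rule."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "recipient@example.org"  # placeholders
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"MZ-placeholder", maintype="application",
                       subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()
```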
It harvests recipient email addresses from files on the hard disk with the following extensions:
It deletes the following entries, created by other malware under many names, from the Run key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:
system, Delete Me, Sentry, Windows Services Host, sysmon.exe, srate.exe.
The worm connects to local DNS servers and queries for the mail exchanger (MX record) of the domain in each target recipient's email address. Once found, it uses that mail server as its SMTP server.
The best way to prevent this threat is to avoid opening emails from unknown senders.