As you can see from the "Top 5 Threats" shown below, the Win32/Netsky.Q worm has the highest rate of infection for October 2004. That's its second month at number one. With so many viruses "in the wild" it is almost impossible to know about all of them, which is why a good virus scanner solution is vital to the wellbeing of your workstations and servers.
This month we'll take a closer look at the leader of the pack, the Win32/Netsky.Q worm.
So what exactly is the Win32/Netsky.Q worm? (For a definition of a computer worm, see the sidebar.) Starting with its name, we can tell a few things about it.
Win32 indicates that this particular worm targets 32-bit Windows versions, which includes almost all of the Windows product family.
Netsky.Q tells us that we are dealing with a variation of the Netsky worm, but more specifically the 'Q' variant.
There are a number of other variants of the Netsky worm that work in a similar way to Netsky.Q, but with different payloads or infection capabilities.
Infection
When Win32/Netsky.Q runs, it copies itself to the system folder and names itself FVProtect.exe. After that it makes another file called userconfig9x.dll, which is then run. To make sure that it runs every time the system starts, it puts an entry (sneakily called "Norton Antivirus AV") in the Registry (the system database) that points to the FVProtect.exe file it made before.
Habitat
To make sure that this worm is the only version running, it deletes any Registry entries that may have been put there by earlier Netsky variants, shutting them down so they don't conflict with it.
Preparation
The worm now needs to set itself up so that it can spread itself to other hosts. Netsky.Q likes to spread itself by email, but it
needs a few tools to allow this, so it copies the tools it needs to the system folder. These are all ".tmp" files.
Surveying
With that taken care of, it now looks for other ways to spread itself. There are many different methods, protocols and applications that can be used to traverse the Internet, such as the World Wide Web, FTP, chat programs and so on. An extremely efficient way to move data over the Internet is Peer-To-Peer (P2P) networks. Netsky.Q searches your drives for directory names containing words such as download, ftp, http, kazaa, morpheus, mule, my shared folder and upload.
Should it find any directories containing any of these words it then copies itself to these folders and renames itself with
appealing names such as American Idol.doc.exe, Arnold
Schwarzenegger.jpg.exe, Best Matrix Screensaver new.scr and many, many more…
This enables the worm to be spread to people who are likely to download files with these sorts of names.
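The Infection, Habitat, Preparation and Surveying steps above give a defender a concrete set of things to look for on a workstation: the two dropped files and stray .tmp helpers in the system folder, a Run-key value with the fake "Norton Antivirus AV" name pointing at FVProtect.exe, and renamed copies of the worm sitting in P2P or download folders. The following Python script is an added example written for this article; it is not code from the newsletter or from any anti-virus vendor. The snapshot format (a dict of Run-key values and a list of system-folder file names) is an assumption made for the example, and the registry values and directory tree it checks are constructed here, not taken from a real host.

```python
import os
import re
import tempfile

# Indicators taken from the article's description of Win32/Netsky.Q.
DROPPED_FILES = {"fvprotect.exe", "userconfig9x.dll"}
RUN_VALUE_NAME = "norton antivirus av"          # the sneaky Run-key value name
P2P_KEYWORDS = ("download", "ftp", "http", "kazaa", "morpheus",
                "mule", "my shared folder", "upload")
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com)$", re.IGNORECASE)
# "American Idol.doc.exe": a harmless-looking extension in front of an executable one.
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,4}\.(exe|scr|pif|com)$", re.IGNORECASE)


def check_run_values(run_values):
    """run_values maps value name -> command, as exported from a Run key
    (assumed input format for this example)."""
    findings = []
    for name, command in run_values.items():
        if name.strip().lower() == RUN_VALUE_NAME:
            findings.append(f"Run value {name!r} uses the worm's fake 'Norton Antivirus AV' name")
        if "fvprotect.exe" in command.lower():
            findings.append(f"Run value {name!r} launches FVProtect.exe: {command}")
    return findings


def check_system_folder(file_names):
    """file_names: a plain listing of the Windows system folder."""
    findings = []
    for fn in file_names:
        low = fn.lower()
        if low in DROPPED_FILES:
            findings.append(f"worm file present in system folder: {fn}")
        elif low.endswith(".tmp"):
            findings.append(f"stray .tmp helper in system folder: {fn}")
    return findings


def scan_share_folders(root):
    """Walk root and report executables in folders whose path contains a P2P keyword,
    the same folders the worm picks to drop its renamed copies into."""
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if not any(k in rel.lower() for k in P2P_KEYWORDS):
            continue
        for fn in files:
            if DOUBLE_EXT.search(fn):
                findings.append(f"double-extension executable in share folder: {os.path.join(rel, fn)}")
            elif EXEC_EXT.search(fn):
                findings.append(f"executable in share folder: {os.path.join(rel, fn)}")
    return findings


def triage(run_values, system_files, share_root):
    findings = (check_run_values(run_values)
                + check_system_folder(system_files)
                + scan_share_folders(share_root))
    return {"infected": bool(findings), "findings": findings}


def build_demo_tree():
    """Constructed sample tree (not real data) mimicking a P2P share after infection."""
    root = tempfile.mkdtemp(prefix="netsky_demo_")
    share = os.path.join(root, "Program Files", "Kazaa", "My Shared Folder")
    docs = os.path.join(root, "Documents")
    os.makedirs(share)
    os.makedirs(docs)
    for name in ("American Idol.doc.exe", "Best Matrix Screensaver new.scr", "song.mp3"):
        open(os.path.join(share, name), "wb").close()
    open(os.path.join(docs, "notes.txt"), "wb").close()
    return root


# Constructed registry and system-folder snapshots for the demo (not from a real host).
DEMO_RUN_VALUES = {
    "Norton Antivirus AV": r"C:\WINDOWS\System32\FVProtect.exe",
    "ctfmon.exe": r"C:\WINDOWS\System32\ctfmon.exe",
}
DEMO_SYSTEM_FILES = ["FVProtect.exe", "userconfig9x.dll", "example.tmp", "kernel32.dll"]

if __name__ == "__main__":
    result = triage(DEMO_RUN_VALUES, DEMO_SYSTEM_FILES, build_demo_tree())
    print("infected:", result["infected"])
    for line in result["findings"]:
        print(" -", line)
```

The three checks are deliberately independent, so a clean Registry with a suspicious share folder still gets reported; on a real machine the Run-key dict and the system-folder listing would be collected with the platform's own tools and fed in, while the share-folder walk can run as-is against a drive root.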
Sidebar: What is a Worm?
A program that replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down.
Not content to just use the addresses it finds in your address book, the worm then scours your disks for files with extensions that it knows may contain email addresses, such as .wab, .adb, .eml, .htm, .msg and others.
Construction
Now that it has a list of recipients, it crafts emails using lists of words. It then sets the sender field to an address from those it found earlier, or to one it hopes the recipient will trust, such as abuse@gov.us, noreply@paypal.com, or support@symantec.com.
It then sets the subject field to something it hopes will either alert you or attract you, including Fwd: Warning again, Error, important, Mail Delivery (failure), I love you! and Re: Free porn.
It then rounds the email off with "+++ Attachment: No Virus found" followed by "++++ Norton AntiVirus - www.symantec.de" or another anti-virus vendor, in an attempt to make you feel extra sure that there is no virus attached.
It now only needs to add its payload to the email as an attachment, using the tools mentioned earlier to create either an executable or a zip file, and names it with one of 100 possible names such as approved, confirm, or document, with the extension .doc, .txt, .scr or .pif depending on its format.
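The lure-building steps just described (a forged sender the recipient is meant to trust, an alarming or tempting subject, a fake "No Virus found" trailer, and an executable or archive attachment under a harmless-looking name) are exactly what a mail gateway can score a message on. The following Python is an added example, not code from the article or from any vendor; the two sample messages are constructed here rather than captured, and the quarantine threshold is my own assumption for the example.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Lure indicators quoted in the article.
LURE_SUBJECTS = {s.lower() for s in ("Fwd: Warning again", "Error", "important",
                                     "Mail Delivery (failure)", "I love you!", "Re: Free porn")}
SPOOFED_SENDERS = {"abuse@gov.us", "noreply@paypal.com", "support@symantec.com"}
FAKE_AV_TRAILER = "+++ attachment: no virus found"
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com)$", re.IGNORECASE)


def score_message(raw):
    """Return (verdict, reasons) for one RFC 822 message given as a string."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []

    subject = (msg["Subject"] or "").strip()
    if subject.lower() in LURE_SUBJECTS:
        reasons.append(f"subject is a known Netsky lure: {subject!r}")

    sender = parseaddr(msg["From"] or "")[1].lower()
    if sender in SPOOFED_SENDERS:
        reasons.append(f"sender is an address the worm is known to forge: {sender}")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if FAKE_AV_TRAILER in text.lower():
        reasons.append("body carries the fake 'No Virus found' trailer")

    executable_attached = False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if EXEC_EXT.search(name):
            executable_attached = True
            reasons.append(f"executable attachment: {name}")
        elif name.lower().endswith(".zip"):
            reasons.append(f"archive attachment: {name}")

    # Threshold is an assumption for this example: any executable attachment, or two
    # or more weaker indicators together, is enough to hold the message.
    if executable_attached or len(reasons) >= 2:
        return "quarantine", reasons
    return "deliver", reasons


def build_message(sender, subject, body, filename, payload, subtype):
    """Construct a sample message (not a real capture) in the shape the article describes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype=subtype, filename=filename)
    return msg.as_string()


# Constructed samples: one Netsky-style lure and one ordinary message.
LURE = build_message(
    "support@symantec.com", "Mail Delivery (failure)",
    "Your mail could not be delivered. See the attached document.\n\n"
    "+++ Attachment: No Virus found\n+++ Norton AntiVirus - www.symantec.de\n",
    "document.txt.pif", b"MZ\x90\x00", "octet-stream")
BENIGN = build_message(
    "alice@example.org", "Agenda for Thursday",
    "Hi, the agenda is attached. Alice\n",
    "agenda.pdf", b"%PDF-1.4\n", "pdf")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        verdict, reasons = score_message(raw)
        print(f"{label}: {verdict}")
        for r in reasons:
            print("  -", r)
```

Each indicator is weak on its own (plenty of real mail has the subject "Error"), which is why the verdict combines them; the one exception is an executable attachment, which the article's description makes the payload itself and which is held regardless of the other signals.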
This is where modern viruses such as Win32/Netsky.Q are beginning to excel. Traditionally a virus would take one approach to replicate, such as copying itself from file to file, or using an email application's address book to find addresses it could send itself to. Netsky.Q, however, takes what is known as a "blended-threat" approach to maximize the possibility of its spreading. In addition to this "multi-pronged approach", it uses what's known as Social Engineering, targeting weaknesses or human behavioral traits such as love, lust, fear or greed to increase the likelihood that you'll download the infected file or read the infected email.
While Anti-Virus software can respond to threats after they occur, and some, such as NOD32, can use advanced heuristics to detect previously unseen viruses, the weakest link will always be the human element. So, as always, stop and think about what you might be about to open.
For more information:
http://www.quarkit.com.au/content/view/29/44/
source:
http://www.virus-radar.com/dynamic/dquery.php?mcx=vdesc&instance=top&vname=netsky.q&ifr_name=Netsky.Q&langname=enu
[Chart: Top 5 Threats (last 31 days); source: http://www.virus-radar.com]