Weekly Report on Viruses and Intrusions – Six Netsky Variants, Nachi, Baglem Sober and StarKeylog

Today’s report will look at six variants of Netsky, two of Nachi and Bagle, the D variant of Sober, the Cidra.B Trojan and the hacking tool, StarKeylog.A.

The H, I, J, K, L and M variants of Netsky all spread via e-mail in a message with variable characteristics. In addition, Netsky.H, Netsky.I, Netsky.J and Netsky.K all share the following characteristics:

– They delete entries belonging to several worms, such as Mydoom.A, Mydoom.B, Mimail.T and several variants of Bagle.

– They emit random noises through the computer’s internal speaker on certain dates (Netsky.H, for example, is programmed to make these noises on March 8 2004, Netsky.I on 5 March, etc.).

Factors that differentiate the H, I and J variants of Netsky include:

– The size of the file that contains the malicious code.

– The mutex name generated to ensure that they are not executed several times simultaneously.

– The texts included in their code, criticizing the authors of Mydoom and Bagle.

– The number of simultaneous execution threads they create to send themselves out by e-mail (32 in the case of the H a variant, 8 in the I variant, 16 in J).

The K, L and M variants also have the following features, which distinguish them from those mentioned above.

– On March 16 2004, Netsky.K opens port 26 and waits for a connection. It then deletes the entry it has created in the Windows Registry and displays a message on screen. It sometimes sends out a compressed ZIP file which is password protected. This variant also includes a long text in its code claiming that March 11 will be “the Skynet day”.

– March 11, 12 and 13, Netsky.L and Netsky.M increase the amount of messages sent.

The next worms we’ll look at today are Nachi.F and Nachi.G. These malicious code affect systems with Windows 2003/XP/2000/NT and, in order to spread to as many computers as possible. They exploit certain vulnerabilities (Buffer Overrun in RPC Interface, WebDAV and Workstation Service Buffer Overrun), and are capable of uninstalling Mydoom.A, Mydoom.B, Doomjuice.A and Doomjuice.B, by terminating their processes and deleting associated files.

The F and G variants of Nachi delete themselves when the system date is on or after July 1 2004. Both of them cause an increase in network traffic through TCP ports 80, 135 and 445, as they attempt to exploit the vulnerabilities mentioned above, at the same time as trying to spread through port 3127, which is opened by the Trojan installed by the Mydoom.A and Mydoom.B worms.

The ninth worm that we will look at today is Bagle.L, which also spreads in an e-mail message with variable characteristics, as well as (P2P) file-sharing programs. It contains a Trojan which opens TCP port 2745 and tries to connect to several web pages which host a PHP script. By doing this, it notifies its creator that he can access the infected computer through this port. Bagle.L also terminates processes belonging to certain applications for updating various antivirus programs, and ceases to function when the system date is on or after March 25 2005.

Bagle.M, is a worm that also tries to connect to several web pages which host a PHP script, and downloads a list of IP addresses of several PHP pages. Like the malicious code in the previous paragraph, it also terminates processes related to the updating of antivirus programs.

The last worm we’ll look at is Sober.D, which spreads via e-mail in a message in either English or German depending on the domain extension of the victim’s e-mail address. It searches for e-mail addresses in files with certain extensions, and sends itself out using its own SMTP engine. Once executed, Sober.D is easily recognized by the messages it displays on screen.

Cidra.B is a mass-mailed Trojan sent in a message with an attached file called P_USB.ZIP. This malicious code opens and listens on port TCP 5004. It also allows a file to be downloaded and run on the affected computer, and also acts a proxy SOCKS4 server, directing TCP traffic via the affected computer.

We’ll finish off this report with StarKeylog.A, a hacking tool which logs keystrokes, the username, passwords, web pages visited and the name of active Windows applications on the computer. The information it obtains is stored in an encrypted file which it sends out or saves on a specific network directory.