Weekly Report on Viruses and Intrusions – Netsky Variants (V, U) and Hideout.A Hacking Tool

Netsky.V spreads via e-mail in a message with variable characteristics that does not include an attached file. Instead, it contains HTML code with an ObjectData exploit. When this code is run, the worm is downloaded.

Nesky.V carries out various actions in the computers it infects, including the following:

– It creates a backdoor that listens in on TCP ports 5556 and 5557.

– From April 22 to 28, 2004 -inclusive- it launches Denial of Service (DoS) attacks against different websites.

– It looks for e-mail addresses in the files it finds with the following extensions: ADB, ASP, CFG, CGI, DBX, DHTM, DOC, EML, HTM, HTML, JSP, MBX, MDX, MHT, MMF, MSG, NCH, ODS, OFT, PHP, PL, PPT, RTF, SHT, SHTM, STM, TBB, TXT, UIN, VBS, WAB, WSH, XLS and XML. Then it sends itself out to the addresses it has obtained using its own SMTP engine.

– It creates the mutex _-=oOOSOkOyONOeOtOo=-_ in order to avoid being run several times simultaneously.

The U variant of Netsky spreads via e-mail in a message with variable characteristics, which always includes an attached file with a PIF extension. It creates a backdoor that listens in on TCP port 6789 and like the variant described above, it sends itself out to the addresses it obtains from the affected computer using its own SMTP engine. Netsky.U creates a mutex to avoid being run several times simultaneously and from April 14 to 23, 2004 -inclusive- it tries to launch Denial of Service (DoS) attacks against different websites.

We are going to finish today’s report with Hideout.A, a program that is run from the command line. This program allows several actions to be carried out on the services in a remote computer, such as making a list of the services running, displaying information about them or stopping them.