|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [Full-Disclosure] Quick Analysis of Netsky-B
From: first last (randnut
hotmail.com)
Date: Thu Feb 19 2004 - 12:03:24 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
>The Viruswriter seems to be from Germany
>
>The string skynetskynet.de
>AdmSkynetJklS003
>can be found inside the virus code
>the IP 217.5.100.1 is a dial up from the german Telekom: DTAG-DIAL13
>one of the attatchment names refers to a german explicit "movie star"
It's very easy to fake that kind of stuff, but most virus writers don't seem
to do that so yes he (yes, I assume it's a guy) is probably german or at
least knows some german.
>Nothing new as I can see,
When people realize that you can make lots of money with a successful virus,
you're going to see more advanced viruses written by professionals.
>packed with upx, UDP packet sender, SMTP Routine,
>tries to install itself as a service, tries to infect network shares and
>file sharing ... business as usual.
>the only not so harmless function is: Kernel32.DeleteFilaA
That function is used to delete a temporary file, namely the zip file it
emails to a random email address it finds on the hd.
_________________________________________________________________
Find and compare great deals on Broadband access at the MSN High-Speed
Marketplace. http://click.atdmt.com/AVE/go/onm00200360ave/direct/01/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]