Analysis: NetSky.S is a new NetSky worm variant discovered on the afternoon of April 4, 2004. The worm is packed with both PE-Patch and UPX, is 18,432 bytes in size and spreads via e-mail.
NetSky.S has the following MD5 value:
NetSky.S attempts to create a copy of itself in the Windows directory as easyav.exe. The Windows registry is modified so that the worm runs at Windows startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run  EasyAV = <Windows directory>\easyav.exe
NetSky.S also attempts to write the file uinmzertinmds.opm to the Windows directory. It keeps two of its processes running in memory so that the worm continues to run if one process is terminated, and takes further steps to prevent its file and its startup registry entry from being deleted.
E-mails sent by NetSky.S have a spoofed From address and carry an attachment with a .pif extension that is 18,432 bytes in size, i.e. a copy of the worm.
NetSky.S attempts to launch a denial of service (DoS) attack against the following websites if the system date is between April 13 and April 24, 2004:
When executed, NetSky.S also attempts to open port 6789 on the infected computer.
Detection: Look for the e-mails described above, for the files easyav.exe and uinmzertinmds.opm in the Windows directory, for the EasyAV value under the Run registry key, and for a process listening on port 6789.
Recovery: Remove all files associated with this malicious code and the registry value it adds. Restore corrupted or damaged files from clean backup copies.
Workaround: Configure e-mail servers and workstations to block file types commonly used by malicious code to spread to other computers, such as the .pif attachment used here. Carefully manage all new files, scanning them with updated anti-virus software with heuristics enabled before use.
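The e-mail indicator above (a .pif attachment of exactly 18,432 bytes) and the file-type blocking workaround can both be implemented at a mail gateway with a few lines of message parsing. The following is an added Python example written for this alert, not code from iDefense or from any anti-virus vendor. The BLOCKED_EXTENSIONS set is an assumed block list chosen for the example; the alert names no specific list. The sample messages are constructed inline with the standard library rather than captured NetSky.S mail.

```python
"""Flag NetSky.S-style attachments and generically dangerous file types in raw
RFC 822 messages (added example; assumptions noted in comments)."""
import os
import email
from email import policy
from email.message import EmailMessage

NETSKY_S_ATTACHMENT_SIZE = 18_432   # bytes, from the alert
NETSKY_S_ATTACHMENT_EXT = ".pif"    # from the alert

# Assumed gateway block list for the generic workaround. The alert does not
# name specific extensions, so this set is an example choice, not a vendor policy.
BLOCKED_EXTENSIONS = frozenset({".pif", ".scr", ".exe", ".com", ".bat",
                                ".cmd", ".vbs", ".js", ".cpl", ".hta"})


def attachment_findings(raw: bytes) -> list[dict]:
    """Parse one raw message and return one finding per suspicious attachment.

    Each finding records the filename, the decoded attachment size and the
    rules that matched: 'netsky_s' for the exact .pif / 18,432-byte indicator
    from the alert, 'blocked_ext' for any extension on the block list.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():            # walk() also covers nested multiparts
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue                   # message body text, not an attachment
        data = part.get_payload(decode=True) or b""   # base64 is decoded here
        # Lower-case the name and take the LAST extension so that names such
        # as "photo.jpg.pif" are classified by the extension Windows executes.
        ext = os.path.splitext(name.strip().lower())[1]
        rules = []
        if ext == NETSKY_S_ATTACHMENT_EXT and len(data) == NETSKY_S_ATTACHMENT_SIZE:
            rules.append("netsky_s")
        if ext in BLOCKED_EXTENSIONS:
            rules.append("blocked_ext")
        if rules:
            findings.append({"filename": name, "size": len(data), "rules": rules})
    return findings


def should_quarantine(raw: bytes) -> bool:
    """Gateway decision: any finding at all is enough to hold the message."""
    return bool(attachment_findings(raw))


def build_sample(filename: str, size: int) -> bytes:
    """Construct a test message carrying one binary attachment.

    This is constructed sample data for the example, not a captured worm mail;
    the attachment body is zero-filled so only name and size matter.
    """
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.com"   # NetSky.S spoofs From
    msg["To"] = "victim@example.com"
    msg["Subject"] = "document"
    msg.set_content("see the attached file")
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, size in [("document.pif", 18_432), ("notes.txt", 2_048),
                       ("photo.jpg.pif", 18_432), ("setup.exe", 4_096)]:
        print(f"{name:16} {size:6d} -> {attachment_findings(build_sample(name, size))}")
```

The size check is deliberately exact: a 18,433-byte .pif is still blocked by the generic rule but is not reported as NetSky.S, which keeps the specific indicator from producing false attributions while the broader extension policy still holds the message.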
Vendor Fix: Anti-virus vendors will likely release updated signature files to protect against this malicious code in the near future. Some anti-virus applications may detect this malicious code heuristically. More details and a patch for the Internet Explorer vulnerability can be found in Microsoft Security Bulletin MS01-020.
iDefense provides security intelligence to governments and Fortune 1000 organizations, and provides this daily threat alert to eWEEK.com