Thread: Virus Info Required

  1. #1

    Assalam-o-alaikum,

    How are you all? I hope everyone is fine and happy.

    So, today's problem is this: I need information about a virus. If anyone knows what this virus does, please do tell me. Yes, let me give you the virus name, why scold me. Here is the virus name:

    "W32.Netsky.Z@mm" (it has mostly been found in emails as well, but I don't understand what it does, because Yahoo doesn't let me download it; it blocks it)

    OK, I'm off now. Waiting for a reply.
    Allah Hafiz
    .......

  2. #2
    Mozilla

    Brother, here you go.

    The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://searchsecurity.techtarget.com...961097,00.html

    This detection is for a new variant of W32/Netsky. It bears the following characteristics:
    harvests email addresses from the victim machine
    contains its own SMTP engine to construct outgoing messages
    attaches itself within a ZIP archive to emails
    spoofs the From: address
    delivers a denial of service payload to certain web sites upon a date condition

    Mail Propagation

    The virus harvests email addresses from files on the victim machine with the following extensions:
    .adb
    .asp
    .cfg
    .cgi
    .dbx
    .dhtm
    .doc
    .eml
    .htm
    .html
    .jsp
    .mbx
    .mdx
    .mht
    .mmf
    .msg
    .nch
    .oft
    .php
    .ods
    .pl
    .ppt
    .rtf
    .sht
    .shtm
    .stm
    .tbb
    .txt
    .uin
    .vbs
    .wab
    .wsh
    .xls
    .xml

    Messages are constructed using the virus' own SMTP engine. They bear the following characteristics:

    From: spoofed (using harvested email addresses)

    Subject: selected from one of the following:
    Document
    Hello
    Hi
    Important
    Important bill!
    Important data!
    Important details!
    Important document!
    Important informations!
    Important notice!
    Important textfile!
    Important!
    Information
    Attachment: ZIP archive with one of the following filenames:

    Bill.zip
    Data.zip
    Details.zip
    Important.zip
    Informations.zip
    Notice.zip
    Part-2.zip
    Textfile.zip

    The ZIP archive contains the worm. It is not password protected. The filename of the worm within the ZIP is chosen to match the subject and ZIP name:
    Bill.txt (many spaces) .exe
    Data.txt (many spaces) .exe
    Details.txt (many spaces) .exe
    Important.txt (many spaces) .exe
    Informations.txt (many spaces) .exe
    Notice.txt (many spaces) .exe
    Part-2.txt (many spaces) .exe
    Textfile.txt (many spaces) .exe

    Denial of Service Payload

    Upon a certain date condition, the virus targets the following domains in a denial of service attack (HTTP):
    www.nibis.de
    www.medinfo.ufl.edu
    www.educa.ch

    System Changes

    The virus installs itself on the victim machine as JAMMER2ND.EXE:
    %WinDir%\JAMMER2ND.EXE

    The following Registry key is added to hook system startup:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Jammer2nd" = %WinDir%\JAMMER2ND.EXE

    Copies of the worm in a ZIP archive (some Base64 encoded) are written to the victim machine:
    PK_ZIPn.LOG

    (where n is an integer).
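
Added example (not part of the thread or of the quoted advisory): the attachment naming described above, a document-looking name followed by many spaces and then `.exe`, can be checked for by inspecting ZIP member names at a mail gateway or on a quarantined file. The function names, the extension sets and the sample archive are assumptions constructed for this illustration.

```python
import io
import os.path
import zipfile

# Assumed extension sets for this example; tune them for your mail gateway.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
DECOY_EXTS = {".txt", ".doc", ".rtf", ".htm", ".html", ".xls", ".pdf", ".jpg"}


def classify_name(name):
    """Return a finding label for a deceptive member name, else None."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip()
    root, real = os.path.splitext(base)
    if real.lower() not in EXECUTABLE_EXTS:
        return None
    trimmed = root.rstrip()
    padding = len(root) - len(trimmed)
    _, decoy = os.path.splitext(trimmed)
    if decoy and padding > 0:
        # "Bill.txt<spaces>.exe": padding pushes the real extension out of view.
        return "padded-double-extension"
    if decoy.lower() in DECOY_EXTS:
        return "double-extension"
    return None  # a plainly named executable is left to other policy


def scan_zip(data):
    """List (member name, label) for every deceptive name in a ZIP given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            label = classify_name(member)
            if label:
                findings.append((member, label))
    return findings


def build_sample():
    """Constructed test archive; the members hold placeholder bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Bill.txt" + " " * 60 + ".exe", b"placeholder")
        zf.writestr("Notice.txt.exe", b"placeholder")
        zf.writestr("Readme.txt", b"placeholder")
        zf.writestr("setup.exe", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, label in scan_zip(build_sample()):
        print(label, repr(member))
```
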

  3. #3
    Mozilla

    This worm spreads by email, constructing messages using its own SMTP engine.

  4. #4
    Mozilla

    This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

  5. #5

    Hmm, thanks brother. Very informative.
