Weekly report on viruses and intrusions - 03/12/04

by Marianna Schmudlach / March 12, 2004 12:29 AM PST

- Weekly report on viruses and intrusions -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, March 12 2004 - Today's report will look at six variants of Netsky,
two of Nachi and Bagle, the D variant of Sober, the Cidra.B Trojan and the
hacking tool, StarKeylog.A.

The H, I, J, K, L and M variants of Netsky all spread via e-mail in a
message with variable characteristics. In addition, Netsky.H, Netsky.I,
Netsky.J and Netsky.K all share the following characteristics:

- They delete entries belonging to several worms, such as Mydoom.A,
Mydoom.B, Mimail.T and several variants of Bagle.

- They emit random noises through the computer's internal speaker on certain
dates (Netsky.H, for example, is programmed to make these noises on March 8
2004, Netsky.I on March 5, etc.).

Factors that differentiate the H, I and J variants of Netsky include:

- The size of the file that contains the malicious code.

- The mutex name generated to ensure that they are not executed several
times simultaneously.

- The texts included in their code, criticizing the authors of Mydoom and

- The number of simultaneous execution threads they create to send
themselves out by e-mail (32 in the case of the H variant, 8 in the I
variant, 16 in J).

The K, L and M variants also have the following features, which distinguish
them from those mentioned above.

- On March 16 2004, Netsky.K opens port 26 and waits for a connection. It
then deletes the entry it has created in the Windows Registry and displays a
message on screen. It sometimes sends out a compressed ZIP file which is
password protected. This variant also includes a long text in its code
claiming that March 11 will be "the Skynet day".

- On March 11, 12 and 13, Netsky.L and Netsky.M increase the amount of messages

The next worms we'll look at today are Nachi.F and Nachi.G. These malicious
codes affect systems running Windows 2003/XP/2000/NT and, in order to spread
to as many computers as possible, exploit certain vulnerabilities (Buffer
Overrun in RPC Interface, WebDAV and Workstation Service Buffer Overrun).
They are also capable of uninstalling Mydoom.A, Mydoom.B, Doomjuice.A and
Doomjuice.B, by terminating their processes and deleting associated files.

The F and G variants of Nachi delete themselves when the system date is on
or after July 1 2004. Both of them cause an increase in network traffic
through TCP ports 80, 135 and 445, as they attempt to exploit the
vulnerabilities mentioned above, at the same time as trying to spread
through port 3127, which is opened by the Trojan installed by the Mydoom.A
and Mydoom.B worms.

The ninth worm that we will look at today is Bagle.L, which also spreads in
an e-mail message with variable characteristics, as well as via peer-to-peer
(P2P) file-sharing programs. It contains a Trojan which opens TCP port 2745 and
tries to connect to several web pages which host a PHP script. By doing
this, it notifies its creator that he can access the infected computer
through this port. Bagle.L also terminates processes belonging to certain
applications for updating various antivirus programs, and ceases to function
when the system date is on or after March 25 2005.

Bagle.M is a worm that also tries to connect to several web pages which
host a PHP script, and downloads a list of IP addresses of several PHP
pages. Like the malicious code in the previous paragraph, it also terminates
processes related to the updating of antivirus programs.

The last worm we'll look at is Sober.D, which spreads via e-mail in a
message in either English or German depending on the domain extension of the
victim's e-mail address. It searches for e-mail addresses in files with
certain extensions, and sends itself out using its own SMTP engine. Once
executed, Sober.D is easily recognized by the messages it displays on

Cidra.B is a mass-mailed Trojan sent in a message with an attached file
called P_USB.ZIP. This malicious code opens and listens on TCP port 5004. It
also allows a file to be downloaded and run on the affected computer, and
also acts as a SOCKS4 proxy server, directing TCP traffic via the affected

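The report names several network indicators a defender can watch for: Netsky.K listening on port 26, Nachi.F/G hammering TCP 80, 135 and 445 and using the Mydoom backdoor on 3127, the Bagle.L backdoor on 2745 and Cidra.B listening on 5004. The following is an added example (not part of Panda's report) that runs that logic over a few constructed flow-log lines; the log format, the IP addresses and the fan-out threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Backdoor / listener ports named in the report, mapped to the threat.
BACKDOOR_PORTS = {
    26: "Netsky.K listener (March 16 2004)",
    2745: "Bagle.L backdoor",
    3127: "Mydoom backdoor used by Nachi.F/G to spread",
    5004: "Cidra.B listener",
}
# Ports the report says Nachi.F/G flood while trying to exploit RPC/WebDAV/Workstation Service.
PROPAGATION_PORTS = {80, 135, 445}
FANOUT_THRESHOLD = 4  # distinct destinations per source before we call it a scan (assumed)

# Constructed log format (assumption): "<date> <time> <src> -> <dst>:<port>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$")

SAMPLE_FLOWS = """
2004-03-12 09:00:01 10.0.0.5 -> 10.0.0.20:135
2004-03-12 09:00:01 10.0.0.5 -> 10.0.0.21:135
2004-03-12 09:00:02 10.0.0.5 -> 10.0.0.22:445
2004-03-12 09:00:02 10.0.0.5 -> 10.0.0.23:80
2004-03-12 09:00:03 10.0.0.5 -> 10.0.0.24:3127
2004-03-12 09:05:10 10.0.0.9 -> 10.0.0.40:2745
2004-03-12 09:06:00 10.0.0.9 -> 10.0.0.41:5004
2004-03-12 09:07:00 10.0.0.7 -> 10.0.0.50:443
"""

def parse_flows(text):
    """Return (day, src, dst, port) tuples; lines that do not match the format are skipped."""
    flows = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            day, _time, src, dst, port = m.groups()
            flows.append((day, src, dst, int(port)))
    return flows

def find_backdoor_hits(flows):
    """Connections to any of the listener/backdoor ports the report associates with these worms."""
    return [(src, dst, port, BACKDOOR_PORTS[port])
            for _day, src, dst, port in flows if port in BACKDOOR_PORTS]

def find_scanners(flows, threshold=FANOUT_THRESHOLD):
    """Sources that touched at least `threshold` distinct hosts on the Nachi propagation ports."""
    targets = defaultdict(set)
    for _day, src, dst, port in flows:
        if port in PROPAGATION_PORTS:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for hit in find_backdoor_hits(flows):
        print("backdoor-port connection:", hit)
    for src, n in find_scanners(flows).items():
        print(f"{src} touched {n} hosts on worm propagation ports")
```

On the constructed sample, 10.0.0.5 is flagged both for fanning out across 135/445/80 and for reaching the Mydoom backdoor port, while 10.0.0.9 is flagged only for the Bagle.L and Cidra.B ports.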
We'll finish off this report with StarKeylog.A, a hacking tool which logs
keystrokes, the username, passwords, web pages visited and the name of
active Windows applications on the computer. The information it obtains is
stored in an encrypted file which it sends out or saves on a specific
network directory.

For further information about these and other Internet threats, visit Panda
Software's Virus Encyclopedia at:

