Netsky.C
--------------------

Netsky.C est un virus qui se propage par email et via les dossiers partagés. Il se présente sous la forme d'un message dont le titre et le corps sont aléatoires, avec un fichier joint (25 Ko) dont l'extension est .COM, .EXE, .PIF, .SCR ou .ZIP. Si ce dernier est exécuté, le virus s'envoie aux adresses  présentes dans le carnet d'adresses Windows ainsi que divers autres fichiers du disque dur, puis tente le cas échéant de se propager via KaZaA et les dossiers mis en partage en s'y copiant sous divers noms aguicheurs.

PREVENTION :
Les utilisateurs concernés doivent mettre à jour leur antivirus. D'une manière générale, même si son nom est attrayant il ne faut pas exécuter un fichier joint sans l'avoir au préalable analysé avec un antivirus à jour.

DESINFECTION :
Avant de commencer la désinfection, il est impératif de s'assurer avoir appliqué les mesures préventives ci-dessus afin d'empêcher toute réinfection de l'ordinateur par le virus. Les utilisateurs ne disposant pas d'un antivirus peuvent utiliser gratuitement l'utilitaire de désinfection FxNetsky pour rechercher et éliminer le virus.

TYPE :
Ver

SYSTEME(S) CONCERNE(S) :
Windows 95
Windows 98
Windows Me
Windows NT
Windows 2000
Windows XP
Windows 2003

ALIAS :
Moodown.C (F-Secure)
I-Worm.Moodown.c (Kaspersky)
W32/Netsky.c@MM (McAfee)
W32.Netsky.C@mm (Symantec)
WORM_NETSKY.C (Trend Micro)
Worm.Somefool

TAILLE :
25.352 octets

DECOUVERTE :
25/02/2004

DESCRIPTION DETAILLEE :
Le virus Netsky.C est une variante du virus Netsky.B. Il se présente sous la forme d'un message dont le titre, le corps et le nom du fichier joint sont aléatoires Les titres de message :

    * Delivery Failed
    * Status
    * report
    * question
    * trust me
    * hey
    * Re: excuse me
    * read it immediatelly
    * hi
    * Re: does it?
    * Yep
    * important
    * hello
    * dear
    * Re: unknown
    * fake?
    * warning
    * moin
    * what's up?
    * info
    * Re: information
    * Here is it
    * stolen
    * private?
    * good morning
    * illegal...
    * error
    * take it
    * re:
    * Re: Re: Re: Re:
    * you?
    * something for you
    * exception
    * Re: hey
    * excuse me
    * Re: hi
    * Re: does it?
    * Re: important
    * Re: hello
    * believe me
    * Question
    * denied!
    * notification
    * Re: <5664ddff?$??º2>
    * lol
    * last chance!
    * I'm back!
    * its me
    * notice!

Le corps du message peut être un des objets ci-dessus ou une des expressions suivantes :

    * <Deliver Error>
    * <Message Error>
    * <Server Error>
    * what means that?
    * help attached
    * <...>
    * ok...
    * <Attachment from Poland>
    * that is interesting...
    * i wait for your comment about it.
    * such as yours?
    * read the details.
    * gonna?
    * here is the document.
    * *lol*
    * read it immediately!
    * i found that about you!
    * your hero in the picture?
    * yours?
    * here is it.
    * illegal st. of you?
    * is that true?
    * account?
    * is that your name?
    * picture?
    * message?
    * is that your account?
    * pwd?
    * I wait for an answer!
    * abuse?
    * is that yours?
    * you are a bad writer
    * I don't know your document!
    * <Mail failed>
    * I have your password!
    * you won the rk!
    * something about you!
    * classroom test of you?
    * kill the writer of this document!
    * old photos about you?
    * i hope thats not true!
    * your name is wrong!
    * does it match?
    * i found this document about you.
    * time to fear?
    * really?
    * do you know this????
    * i know your document!
    * did you sent it to me?
    * this file is bad!
    * why should I?
    * pages?
    * her.
    * another pic, have fun! ... :->
    * test it
    * child porn?
    * greetings
    * xxx ?
    * stuff about you?
    * your document is not good
    * something is going wrong!
    * your photo is poor
    * information about you?
    * the information is wrong!
    * doc about me?
    * kill him on the picture!
    * from the chatter (my photo!)
    * from your lover
    * love letter?
    * here, the serials
    * are you a teacherin the picture?
    * here, the introduction
    * is that criminal?
    * here, the cheats
    * i like your doc!
    * what do you think about it?
    * that's a funny text.
    * that's not the truth?
    * do you have?
    * instruct me about this!
    * i lost that
    * i am speachless about your document!
    * is that the reality?
    * reply
    * msg
    * your design is not good!
    * important?
    * your TAN number?
    * take it easy!
    * why?
    * you are naked in this document!
    * thats wrong!
    * your icq number?
    * i am desperate
    * modifications?
    * your personal record?
    * yes.
    * misc. and so on. see you!
    * your attachment? verify it.
    * you earn money, see the attachment!
    * is that your attachment?
    * is that your website?
    * you feel the same.
    * meaning of that?
    * possible?
    * you have tried to steal!
    * did you ask me for that?
    * you are bad
    * your job? (I found that!)
    * is that possible?
    * something is going ...
    * something is not ok
    * did you know from this document?
    * wrong calculation! (see the attachment!...
    * never!
    * poor quality!
    * good work!
    * excellent!
    * great!
    * i don't think so.
    * pretty pic about you?
    * docs?
    * schoolfriend?
    * <Warning from the Government>
    * <09580985869gj>
    * <?}
    * i want more...
    * here is the next one!
    * attachi#
    * did you see her already?
    * is that your wife?
    * is that your creditcard?
    * is that your photo?
    * do you think so?
    * do you have the bug also?
    * already?
    * forgotten?
    * drugs? ...
    * does it matter?
    * i have received this.
    * best?
    * the truth?
    * your body?
    * your eyes?
    * your face?
    * File is self-decryting.
    * File is damaged.
    * File is bad.
    * i saw you last week!
    * xxx service
    * your account is expired!
    * you cannot hide yourself! (see photo)
    * copyright?
    * what still?
    * who?
    * how?
    * <bad gateway>
    * only encrypted!
    * personal message!
    * my advice....
    * i've found it about you
    * <<<Failure>>>
    * <Attached Msg>
    * <scanned by norton antivirus>
    * great xxx!
    * man or women?
    * child or adult?
    * here is yours!
    * a crazy doc about you
    * xxx about you?
    * i don't want your xxx pics!
    * <Failed message available>
    * <Automailer>
    * doc?
    * trial?
    * what?
    *
    * i need you!
    * correct it!
    * see this!
    * it's a secret!
    * this is nothing for kids!
    * it's so similar as yours!
    * is that your car?
    * do not give up!
    * great job!
    * here is the $%%454$
    * you are sexy in this doc!
    * incest?
    * let it!
    * you look like an ape!
    * you look like an rat?
    * be mad?
    * are you cranky?
    * bob the builder
    * did you know that?
    * money?
    * is that your car?
    * is this information about you?
    * is that your privacy?
    * is that your TAN?
    * is that your message?
    * is that your cd?
    * is that your finger?
    * your are naked?
    * is that your porn pic?
    * is that your work?
    * is that your family?
    * is that your beast?
    * is that your account?
    * is that your slip?
    * is that your domain?
    * are you the naked one?
    * are you the naked person!
    * are you the one?
    * does it belong to you?
    * do you have sex in the picture?
    * you have a sexy body in the pic!
    * your lie is going around the world!
    * <Transfer complete>
    * <Antispam complete>
    * lets talk about it!
    * do you know the thief?
    * are you a photographer?
    * you have done a mistake in the document...
    * its private from me
    * do not show this anyone!
    * new patch is available!
    * this is an attachment message!
    * in your mind?
    * Microsoft
    * fast food...
    * Your bill.
    * try this patch!
    * do you have an orgasm in the picture?
    * <Click the attachment to decrypt>
    * <Attachment Signature 34933920>
    * Transaction failed. Show the doc!
    * I 've found your bill!
    * see your name!
    * You are infected. Read the details!
    * here is my advice.
    * here is my photo!
    * here is the <censored>
    * feel free to use it.
    * does it belong to you?
    * Login required! Read the attachment!
    * your document is silly!
    * is the pic a fake?
    * Antispam is turned off. See file!
    * Authentification required. Read the att...
    * solve the problem!
    * <null>
    * do not use my document!
    * do not open the attachment!
    * do not visit the pages on the list I se...
    * explain!
    * tell me more about your document!
    * Your provider will be disabled!
    * Instant patches.

La pièce jointe possède un nom aléatoire et une extension en .COM, .SCR, .EXE, .PIF ou .ZIP. Quelques exemples :

    * moonlight.zip
    * object.zip
    * important.zip
    * mail2_sexy.doc.scr
    * object.htm.scr
    * yours.pif
    * death.zip
    * important.txt.scr
    * death.com
    * mail2.zip
    * party.com
    * story.com
    * release.rtf.exe
    * me.zip
    * release.zip
    * nomoney.exe
    * part2.zip
    * document.zip
    * final.exe
    * location.zip
    * creditcard.rtf.scr
    * mail2.doc.com
    * product.htm.exe
    * incest.zip
    * message.zip

Si le fichier joint est exécuté, le virus se copie dans le répertoire Windows sous le nom WINLOGON.EXE, modifie la base de registres afin d'être exécuté à chaque démarrage de l'ordinateur, puis s'envoie automatiquement aux contacts dont les adresses figurent dans le carnet d'adresses Windows ainsi que les fichiers .ADB, .ASP, .DBX, .DOC, .EML, .HTM, .HTML, .MSG, .OFT, .PHP, .PL, .RFT, .SHT, .TBB, .TXT, .UIN, et .VBS et du disque dur, en utilisant comme adresse d'expéditeur une adresse usurpée ou falsifée.

Netsky.B tente également de désactiver les virus Mydoom.A, Mydoom.B et Mimail.T, ainsi que de se propager via les dossiers dont le nom comporte le mot "sharing" ou "share" (comme souvent KaZaa, Bearshare, etc.) en explorant les disques de C à Z et en s'y copiant sous divers noms aguicheurs :

    * Microsoft WinXP Crack.exe
    * Teen Porn 16.jpg.pif
    * Adobe Premiere 9.exe
    * Adobe Photoshop 9 full.exe
    * Best Matrix Screensaver.scr
    * Porno Screensaver.scr
    * Dark Angels.pif
    * XXX hardcore pic.jpg.exe
    * Microsoft Office 2003 Crack.exe
    * Serials.txt.exe
    * Screensaver.scr
    * Full album.mp3.pif
    * Ahead Nero 7.exe
    * Virii Sourcecode.scr
    * E-Book Archive.rtf.exe
    * Doom 3 Beta.exe
    * How to hack.doc.exe
    * Learn Programming.doc.exe
    * WinXP eBook.doc.exe
    * Win Longhorn Beta.exe
    * Dictionary English - France.doc.exe
    * RFC Basics Full Edition.doc.exe
    * 1000 Sex and more.rtf.exe
    * 3D Studio Max 3dsmax.exe
    * Keygen 4 all appz.exe
    * Windows Sourcecode.doc.exe
    * Norton Antivirus 2004.exe
    * Gimp 1.5 Full with Key.exe
    * Partitionsmagic 9.0.exe
    * Star Office 8.exe
    * Magix Video Deluxe 4.exe
    * Clone DVD 5.exe
    * MS Service Pack 5.exe
    * ACDSee 9.exe
    * Visual Studio Net Crack.exe
    * Cracks & Warez Archive.exe
    * WinAmp 12 full.exe
    * DivX 7.0 final.exe
    * Opera.exe
    * IE58.1 full setup.exe
    * Smashing the stack.rtf.exe
    * Ulead Keygen.exe
    * Lightwave SE Update.exe
    * The Sims 3 crack.exe

Pour signaler sa présence, Netsky.C a enfin la capacité de faire retentir le beeper de l'ordinateur infecté entre 6 h et 9h du matin le 26/02/04.

et non, justement, boudha...

c'est par la liste de contacts que le virus se propage...autrement dit, plus tu auras de personnes dans ta liste, plus grace a toi ces personnes auront une "chance" d'etre infecté...

perso, moi je me suis fai une bdd externe a mon prog de mail, et voila... (mais ca ne m'empeche pas d'en recevoir...)

(et au fait, les "hackers ne sont pas tous mauvais...lol donc surveille ton langage...)

aller

++