Welcome to Scribd, the world's digital library. Read, publish, and share books and documents. See more
Standard view
Full view
of .
Look up keyword
Like this
0 of .
Results for:
No results containing your search query
P. 1
Source Email Worm.win32.Skybag.A

Source Email Worm.win32.Skybag.A

Ratings: (0)|Views: 164|Likes:
Published by etiennekraemer

More info:

Published by: etiennekraemer on May 25, 2009
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less





(Kaspersky Lab) is also known as: I-Worm.Skybag.a (Kaspersky Lab), W32/Netsky.ah@MM (McAfee), W32.Netsky.AE@mm (Symantec), Win32.HLLP.Skybag (Doctor Web), W32/Yaha-G (Sophos), Worm:Win32/SKybag.A@mm (RAV), WORM_YAHA.H (Trend Micro), Worm/Skybag.A (H+BEDV), W32/Netsky.AJ@mm (FRISK ), Win32:Skybag ( ALWIL), I- Worm/Netsky.AF (Grisoft), Win32.Skybag.A@mm (SOFTWIN), Worm.Skybag.A (ClamAV), W32/Skybag.A.worm (Panda), Win32/Skybag.A (Eset)
Description added
Nov 12 2004
Technical details
This worm spreads via the Internet as an attachment to infected messages, and via local and file sharingnetworks. The worm sends itself to email addresses harvested from the infected machine.The worm itself is a Windows PE EXE file approximately 205 KB in size.
When installing, the worm copies itself to the Windows system directory as:
It also creates the following files in the Windows system directory:
The worm creates a file called 'bloodred.zip' in the Windows root directory.Skybag then registers itself in the system registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]"Microsoft Kernel"="%System%\Windows_kernel32.exe"
This ensures that the worm will be launched each time the system is rebooted.Skybag then displays the following dialogue box:'Windows encountered an error reading the file'
Propagation via email
The worm sends itself to all email addresses harvested from the victim computer. The worm looks for emailaddresses in Outlook Address Book and in files with the following extensions:
The worm uses the recipient's SMTP server to send messages to all harvested addresses.Messages are not sent to addresses which contain the following text strings:
Infected messages:
Sender's address (chosen at random from the list below):
Subject (chosen at random from the list below):
Detailed InformationEmail Account InformationServer ErrorURGENT PLEASE READ!Urgent Update!User InfoUser Information
Message body (chosen at random from the list below):
Our server is experiencing some latency in our email service.The attachment contains details on how your account will be affected.Due to recent internet attacks, your Email account security is being upgraded. The attachmentcontains more detailsOur Email system has received reports of your account flooding email servers. There is moreinformation on this matter in the attachmentWe regret to inform you that your account has been hijacked and used for illegal purposes. Theattachment has more information about what has happened. Your Email account information has been removed from the system due to inactivity. To renewyour account information refer to the attachmentThere is urgent information in the attachment regarding your Email account
 Attachment name (chosen at random from the list below):
with one of the following extensions:
Propagation via local and file-sharing networks
The worm searches the computer for folders where the name contains the word 'Share' and copies itself several times to each folder found, under the following names:
ACDSEE10.exeAdobe Photoshop Full Version.exeBattlefield 1942.exeBrianna banks and jenna jameson.mpeg ..exeBritney spears naked.jpeg .exeCisco source code.zip ..exeDVD Xcopy xpress.exejenna jameson screensaver.scrKazaa Lite.zip ..exeNETSKY SOURCE CODE.zip ..exeNorton AntiVirus 2004.exeOpera Registered version.exeSnood new version.exeTeen Porn.mpeg ..exeVisual Studio.NET.zip .exeWinAmp 6.exeWindows crack.zip ..exeWindows Longhorn Beta.exeWINDOWS SOURCE CODE.zip ..exeWinRAR.exe
Skybag.a closes the Windows Task Manager application, if it is open.The worm overwrites the %System%\DRIVERS\ETC\HOSTS file with the following text: www.norton.com127.0.0.1 norton.com127.0.0.1 yahoo.com127.0.0.1 www.yahoo.com127.0.0.1 microsoft.com127.0.0.1 www.microsoft.com127.0.0.1 windowsupdate.com127.0.0.1 www.windowsupdate.com127.0.0.1 www.mcafee.com127.0.0.1 mcafee.com127.0.0.1 www.nai.com127.0.0.1 nai.com127.0.0.1 www.ca.com127.0.0.1 ca.com127.0.0.1 liveupdate.symantec.com127.0.0.1 www.sophos.com127.0.0.1 www.google.com127.0.0.1 google.com
If the infected computer's system date is November 15, 2004 or later, the worm attempts to conduct DoSattacks against www.kazaa.com Also the worm attempts to block the work of a number of firewalls and antivirus monitors.

Activity (4)

You've already reviewed this. Edit your review.
1 hundred reads
1 thousand reads
omaraje liked this
maxinzard liked this

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->