Despite the arrest of the Netsky worm's author, new variants keep
coming. On May 21st 2004 we received a sample of a new Netsky
variant, Netsky.AD. More interesting still, this new Netsky drops
the Bugbear worm's keylogger onto the infected system. The variant
is based on Netsky.D, which was found on March 1st, 2004.
A description of the Netsky.D worm can be found here:
http://www.f-secure.com/v-descs/netsky_d.shtml
A description of the Bugbear worm and its keylogger can be found here:
http://www.f-secure.com/v-descs/tanatos.shtml
The worm's file is a 40448-byte PE executable packed with a modified
UPX compressor. The Bugbear keylogger is a 5632-byte PE DLL. It is
dropped into the Windows System folder under a random filename, and
it creates two more DLL files with random names there; these are
used to store the captured keystroke data in encrypted form. Because
the filenames are random they cannot serve as indicators; the file
sizes above and the packing are the stable static characteristics
given here.
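As an added illustration (not F-Secure's detection and not code from the original post), the following Python script performs the static triage a responder would do on an unfamiliar file found in the System folder: it confirms from the COFF header whether the file is an EXE or a DLL, lists its sections with their entropy, and looks for UPX-style packing both by section name and, because a modified UPX may rename its sections, by the characteristic layout of an empty first section followed by a high-entropy one. The PE images it runs on are constructed inside the script as stand-ins; the function and constant names are my own.

```python
"""Static triage helper for PE files: EXE or DLL, section layout, UPX-style
packing hints.  The sample images below are constructed, not real malware."""
import math
import random
import struct

IMAGE_FILE_DLL = 0x2000   # COFF Characteristics flag
HIGH_ENTROPY = 7.0        # bits per byte; compressed or encrypted data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes):
    """Return (COFF characteristics, section list) using only the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "vsize": vsize,
            "rsize": rsize,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return chars, sections


def triage(data: bytes) -> dict:
    """Summarise one file: type, size, sections and packer hints."""
    chars, sections = parse_pe(data)
    hints = []
    if any(s["name"].upper().startswith("UPX") for s in sections):
        hints.append("upx-section-names")
    # A modified UPX usually renames sections but keeps the layout: the first
    # section has no data on disk (the unpack target) and a later one is
    # high-entropy (the compressed payload).
    if (len(sections) >= 2 and sections[0]["rsize"] == 0 and sections[0]["vsize"] > 0
            and any(s["entropy"] >= HIGH_ENTROPY for s in sections[1:])):
        hints.append("upx-like-layout")
    return {"is_dll": bool(chars & IMAGE_FILE_DLL), "size": len(data),
            "sections": sections, "packer_hints": hints}


def build_sample_pe(names, payloads, is_dll=False) -> bytes:
    """Constructed minimal PE image (hypothetical, not a real sample): one section
    per name.  A payload of None gives a section with no raw data but 0x10000
    virtual bytes, as UPX's first section looks.  The optional header is left
    zeroed; the parser only needs its size."""
    nsec = len(names)
    e_lfanew, opt_size = 0x40, 0xE0
    table = e_lfanew + 4 + 20 + opt_size
    raw_start = (table + 40 * nsec + 0x1FF) & ~0x1FF     # 512-byte file alignment
    hdr = bytearray(raw_start)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x14C, nsec, 0, 0, 0, opt_size, chars)
    body, ptr, vaddr = bytearray(), raw_start, 0x1000
    for i, (name, payload) in enumerate(zip(names, payloads)):
        rsize = 0 if payload is None else len(payload)
        vsize = 0x10000 if payload is None else rsize
        struct.pack_into("<8sIIII", hdr, table + 40 * i,
                         name.encode("ascii").ljust(8, b"\0"), vsize, vaddr, rsize,
                         ptr if rsize else 0)
        if rsize:
            body += payload
            ptr += rsize
        vaddr += 0x10000
    return bytes(hdr) + bytes(body)


# Constructed inputs: pseudo-random bytes stand in for a compressed payload.
_rng = random.Random(20040521)
_COMPRESSED = bytes(_rng.getrandbits(8) for _ in range(2048))
SAMPLE_UPX = build_sample_pe(["UPX0", "UPX1", ".rsrc"], [None, _COMPRESSED, b"resource data"])
SAMPLE_RENAMED = build_sample_pe([".text", ".data", ".rsrc"], [None, _COMPRESSED, b"resource data"],
                                 is_dll=True)
SAMPLE_PLAIN = build_sample_pe([".text", ".data"], [b"\x55\x8b\xec" * 100, b"hello world " * 20])

if __name__ == "__main__":
    for label, img in (("upx", SAMPLE_UPX), ("renamed", SAMPLE_RENAMED), ("plain", SAMPLE_PLAIN)):
        print(label, triage(img))
```

Point it at real files with open(path, "rb").read(). The layout heuristic is a hint, not a signature: other packers produce a similar shape, and the keylogger's two data files are not PE images at all, so parse_pe rejects them and they are better judged by entropy alone.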
Detection for Netsky.AD is available in the following FSAV
update:
[FSAV_Database_Version]
Version=2004-05-21_05
Technical Details:
Alexey Podrezov, May 21st, 2004;
F-Secure Corporation