Weekly Report On Viruses And Intruders: Netsky.AG, Darby.gen, JPGTrojan.D, Funner.A and Nemsi.A
Netsky.AG -which has been created by modifying the executable file of Netsky.B- sends itself out via email to all the addresses it finds in files with certain extensions, using its own SMTP engine. In order to deceive users, Netsky.AG spoofs the address of the sender of the message using one of the addresses it obtains from the files on the affected computer. This worm can also spread through P2P (peer-to-peer) file sharing programs.
When it is run, Netsky.AG shows an error message on screen and tries to copy itself to all the drives on the computer, except to the CD-ROM drives. This variant of Netsky also deletes the Registry entries created by other worms, including Mydoom.A and Mimail.T.
Darby.gen is a generic detection for future variants of the Darby family of worms. This group of worms spreads via email and P2P file sharing programs. They also end the processes belonging to antivirus programs and other security applications, such as firewalls and system monitoring tools, leaving computers vulnerable to attack from other malware.
The third worm in today’s report is JPGTrojan.D, a program that allows JPG images to be created, which exploits the Buffer Overrun in JPEG processing vulnerability (described in the Microsoft bulletin MS04-028).
The effects of opening an image created by JPGTrojan.D include specifying that a port must be opened, allowing remote access to the affected computer, and downloading an executable file from the Internet and running it on the affected computer.
Funner.A is a worm that spreads through MSN Messenger and modifies the HOSTS file, preventing the user from accessing certain websites. What’s more, in Windows Me/98/95 computers, it changes the SYSTEM.INI file, to ensure that it is run whenever the computer starts up, and overwrites the RUNDLL32.EXE file and replaces it with a copy of itself.
We are going to finish today’s report with Nemsi.A, a virus that does not spread automatically using its own means. It reaches computers when previously infected files are distributed, which can enter computers through any of the usual means of transmission (floppy disks, CD-ROMs, email messages with infected attachment, IRC channels, etc.).
Nemsi.A infects EXE files by inserting its code at the beginning of them (prepending). After it has infected a computer, this virus changes the icon of the infected EXE files. If it is run on September 13, it causes a general protection fault (blue screen) in Windows.