
SANS ISC: Port 6789 (tcp/udp) Attack Activity - Internet Security | DShield


Port Information

Protocol   Service         Name
tcp        ibm-db2-admin   DB2 Web Control Center
Port diary mentions

  - UPDATED x1: Mirai Scanning for Port 6789 Looking for New Victims Now hitting tcp23231
  - Ongoing Scans Below the Radar
User Comments

Submitted by YuYiYing, 2004-04-29 15:54:35:
Internet Worm Summary

Internet Worm Name: W32/Netsky.s@MM
Risk Assessment: Corporate User: Medium; Home User: Medium

Internet Worm Information

Discovery Date: 04/05/2004
Origin: Unknown
Length: 18,432 bytes (UPX packed)
Type: Internet Worm
SubType: E-mail worm
Minimum DAT: 4348 (04/06/2004)
Updated DAT: 4354 (04/28/2004)
Minimum Engine: 4.2.40
Description Added: 04/05/2004
Description Updated: 04/07/2004 1:31 PM (PT)

Internet Worm Characteristics

-- Update April 6th, 2004 --

Due to increased prevalence, this threat has had its risk assessment raised to Medium. If you think that you may be infected with Netsky.s, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products are capable of detecting and removing the virus with the latest update (see the removal instructions below for more information).

Note: Receiving an email alert stating that the virus came from your email address is not an indication that you are infected, as the virus often forges the From address.

-- Update April 05, 2004 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.eweek.com/article2/0,1759,1561746,00.asp

This variant of W32/Netsky@MM bears similarities to the previous members of this family. The worm bears the following characteristics:

  - constructs messages using its own SMTP engine
  - harvests email addresses from the victim machine
  - spoofs the From: address of messages
  - opens a port on the victim machine (TCP 6789)
  - delivers a DoS attack on certain web sites upon a specific date condition

Mail Propagation

Email addresses are harvested from the victim machine. Files with the following extensions are searched:

  .adb .asp .cfg .cgi .dbx .dhtm .doc .eml .htm .html .jsp .mbx .mdx .mht .mmf .msg .nch .ods .oft .php .pl .ppt .rtf .sht .shtm .stm .tbb .txt .uin .vbs .wsh .wab .xls .xml

Constructed messages bear the following characteristics:

From: this is spoofed (using harvested email addresses)

Subject: various subject lines may be used, for example:

  Hello!
  Hi!
  Re: Important
  Important
  Re: My details
  My details
  Re: Your information
  Your information
  Re: Your details
  Your details
  Re: Your document
  Your document
  Re: Request
  Request
  Re: Thanks you!
  Thank you!
  Re: Approved
  Approved
  Re: Hello
  Re: Hi
  Hello
  Hi

Body: various message bodies may be constructed using a pool of strings within the worm:

Attachment: The attachment has a .PIF extension. The filename is constructed from one of the following strings, with a random number appended to it:

  account postcard sample developement concept story report icq_number e-mail phone_number personal_message photo_document order important_document diggest final_version release answer bill notice requested_document description summary picture_document movie_document approved_document old_document document mail letter homepage detailed_document powerpoint_document excel_document word_document info information text new_document textfile user_list improved_file secound_document file number_list contact_list message note improved_document details instructions presentation_document abuse_list archive corrected_document list approved_file

Example:

Denial of Service

If the local system date is between April 14th and April 23rd when the worm starts up, it targets the following remote servers in a denial of service attack:

  www.keygen.us
  www.freemule.net
  www.kazaa.com
  www.emule.de
  www.cracks.am

System Changes

The worm installs itself on the victim machine as EASYAV.EXE in the Windows directory. For example:

  %WinDir%\EASYAV.EXE

The following Registry key is added to hook system startup:

  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "EasyAV" = %WinDir%\EASYAV.EXE

A base-64 encoded copy of the worm is saved to disk as UINMZERTINMDS.OPM in the Windows directory:

  %WinDir%\UINMZERTINMDS.OPM

Remote Access Component

The worm opens port 6789 (TCP) on the victim machine. This facilitates the downloading and execution of files.

Symptoms

  - Outgoing DNS query to one of the following DNS servers (IP list carried within the worm):
    212.44.160.8 195.185.185.195 151.189.13.35 213.191.74.19 193.189.244.205 145.253.2.171 193.141.40.42 194.25.2.134 194.25.2.133 194.25.2.132 194.25.2.131 193.193.158.10 212.7.128.165 212.7.128.162 193.193.144.12 217.5.97.137 195.20.224.234 194.25.2.130 194.25.2.129 212.185.252.136 212.185.253.70 212.185.252.73
  - Existence of the files/Registry keys detailed above
  - TCP port 6789 open on the victim machine

Method Of Infection

This worm spreads by email, constructing messages using its own SMTP engine.

Removal Instructions

All Users

The current engine/DAT files are required for detection and removal.

Additional Windows ME/XP removal considerations

Stinger

Stinger has been updated to assist in detecting and repairing this threat.

Manual Removal Instructions

To remove this virus "by hand", follow these steps:

  1. Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, then choose Safe Mode).
  2. Delete the following files from the infected machine:
       %WinDir%\EASYAV.EXE
       %WinDir%\UINMZERTINMDS.OPM
  3. Edit the registry. Remove the following Registry key which the worm adds to hook system startup:
       HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "EasyAV" = %WinDir%\EASYAV.EXE
  4. Reboot the system into default mode.

McAfee ThreatScan

Detection of the W32/Netsky.s@MM virus is available in the generic Netsky detection module. ThreatScan signatures that can detect the W32/Netsky.s@MM virus are available from:

  ThreatScan 2.5     - ftp.nai.com/pub/security/tsc25/updates/winnt
  ThreatScan 2.0/2.1 - ftp.nai.com/pub/security/tsc20/updates/winnt

ThreatScan Signature version: 2004-04-06

ThreatScan users can detect the virus by running a ThreatScan task using the following settings:

  - Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
    -or-
  - Select the "Other" category and "Scan All Vulnerabilities" template.

For additional information: run the "ThreatScan Template Report" and look for module number #4066.

Variants

No known variants.

Aliases

  W32/Netsky-S (Sophos)
  W32/Netsky.S.worm (Panda)
  WORM_NETSKY.S (Trend)
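A mail-gateway check for the message traits the comment above describes (a .PIF attachment named from the worm's filename pool with a random number appended, and the listed subject lines). This is an added example, not code from the comment or from McAfee; it uses a subset of the filename pool, constructs its own sample messages, and treats the subject match as corroborating rather than decisive.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subset of the attachment filename stems listed in the comment above (the worm
# appends a random number and a .PIF extension); extend with the rest as needed.
ATTACHMENT_STEMS = (
    "account", "postcard", "sample", "developement", "story", "report",
    "icq_number", "e-mail", "phone_number", "personal_message", "photo_document",
    "order", "important_document", "diggest", "final_version", "release",
    "answer", "bill", "notice", "document", "mail", "letter", "file",
    "message", "note", "details", "instructions", "archive", "list",
)
# Subject lines the comment gives as examples; on their own too generic to block on.
SUBJECTS = {
    "Hello!", "Hi!", "Re: Important", "Important", "Re: My details", "My details",
    "Re: Your information", "Your information", "Re: Your details", "Your details",
    "Re: Your document", "Your document", "Re: Request", "Request",
    "Re: Thanks you!", "Thank you!", "Re: Approved", "Approved",
    "Re: Hello", "Re: Hi", "Hello", "Hi",
}
_PIF_RE = re.compile(
    r"^(?:" + "|".join(map(re.escape, ATTACHMENT_STEMS)) + r")\d+\.pif$", re.IGNORECASE
)

def netsky_s_indicators(raw: bytes) -> dict:
    """Report which Netsky.S mail traits a raw RFC 822 message shows."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    pif_hits = [
        part.get_filename() for part in msg.iter_attachments()
        if _PIF_RE.match(part.get_filename() or "")
    ]
    subject = str(msg["subject"] or "").strip()
    return {
        "pif_attachment": pif_hits,          # filenames matching <stem><digits>.pif
        "known_subject": subject in SUBJECTS,
        "suspicious": bool(pif_hits),        # the attachment test is the decisive one
    }

def build_sample(subject: str, filename: str, payload: bytes) -> bytes:
    """Constructed test message with one attachment (not real worm mail)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"  # constructed; the worm forges this header
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content("See the attached file.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()
```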