How does NETSKY work?

Thread starter: George Del Monte

George Del Monte

Would someone explain, step-by-step, in layman's terms, how NETSKY,
specifically, the W32.Netsky.K@mm version, operates. Reason I ask is because
I've been receiving messages with this version attached and, when I look at
the message header, they all come from one basic IP address. I called the
telephone company (also the ISP) serving the area and the Tech Support guy
said it would be impossible to determine from whose computer the virus was
being sent BECAUSE WHEN THE VIRUS LANDS IN A NEW HOME IT TAKES WITH IT ALL
THE ADDRESSES FROM ITS PREVIOUS HOME. Sorry for the upper case, but this, if
true, is more diabolical than I had known. All I had thought I knew was the
reason for sending itself was to propagate by mass-mailing since it did no
damage to a host computer.
 
Quoth the raven George Del Monte:
BECAUSE WHEN THE VIRUS LANDS IN A NEW HOME IT TAKES WITH IT ALL THE
ADDRESSES FROM ITS PREVIOUS HOME.

That can't be true, else the transmitted virus file would never be the
same size.

The virus gets executed on its new host, and searches this new drive
for addresses.
 
Too well !

Dave




| Would someone explain, step-by-step, in layman's terms, how NETSKY,
| specifically, the W32.Netsky.K@mm version, operates. Reason I ask is because
| I've been receiving messages with this version attached and, when I look at
| the message header, they all come from one basic IP address. I called the
| telephone company (also the ISP) serving the area and the Tech Support guy
| said it would be impossible to determine from whose computer the virus was
| being sent BECAUSE WHEN THE VIRUS LANDS IN A NEW HOME IT TAKES WITH IT ALL
| THE ADDRESSES FROM ITS PREVIOUS HOME. Sorry for the upper case, but this, if
| true, is more diabolical than I had known. All I had thought I knew was the
| reason for sending itself was to propagate by mass-mailing since it did no
| damage to a host computer.
|
|
 
Would someone explain, step-by-step, in layman's terms, how NETSKY,
specifically, the W32.Netsky.K@mm version, operates. Reason I ask is because
I've been receiving messages with this version attached and, when I look at
the message header, they all come from one basic IP address. I called the
telephone company (also the ISP) serving the area and the Tech Support guy
said it would be impossible to determine from whose computer the virus was
being sent BECAUSE WHEN THE VIRUS LANDS IN A NEW HOME IT TAKES WITH IT ALL
THE ADDRESSES FROM ITS PREVIOUS HOME.

No description I've read suggests anything like that. You can prove to
yourself this is not the case by accumulating (Saving) the attachments
in a test folder and verifying that they're all identical in file
size. The worm only uses addresses it finds on the infested computer.

The tech support guy was giving you a snow job. Contact the management
of the ISP and keep after them until you get results.


Art
http://www.epix.net/~artnpeg
 
Would someone explain, step-by-step, in layman's terms, how NETSKY,
specifically, the W32.Netsky.K@mm version, operates. Reason I ask is because
I've been receiving messages with this version attached and, when I look at
the message header, they all come from one basic IP address. I called the
telephone company (also the ISP) serving the area and the Tech Support guy
said it would be impossible to determine from whose computer the virus was
being sent BECAUSE WHEN THE VIRUS LANDS IN A NEW HOME IT TAKES WITH IT ALL
THE ADDRESSES FROM ITS PREVIOUS HOME. Sorry for the upper case, but this, if
true, is more diabolical than I had known. All I had thought I knew was the
reason for sending itself was to propagate by mass-mailing since it did no
damage to a host computer.
************** REPLY SEPARATOR ***************
Nothing could be further from the truth. The From:, To:, Subject:, and Date:
fields are not reliable, and can be easily forged. I call this the pseudo
header. The real header info is the only thing that is useful:
--------------------------------------------------------------------
Received: from source ([139.142.48.47]) by exprod5mx121.postini.com
([12.158.34.245]) with SMTP;
Wed, 21 Jul 2004 12:17:08 PDT
Received: from VAN06 [209.115.164.90] by mailhost.rewired.net
(SMTPD32-4.07) id A12416E0252; Wed, 21 Jul 2004 13:16:52 MDT
Message-ID: <[email protected]>
--------------------------------------------------------------------
A line is added each time it goes through an MTA (Mail Transport Agent).
Normally, a client sends an email to his/her mail server, and that mail server
forwards the email to the recipient's mail server. In the above example, the
client at [209.115.164.90] sent the email to his/her mail server at
[139.142.48.47], which in turn forwarded it to [12.158.34.245].

In the case of the Netsky virus, it contains its own SMTP server, so it sends
the email directly from the infected machine to the recipient's mail server.
Unless you have a complex mail routing system, there should only be one
received line with the Netsky virus. That is the actual source, and the owner
is probably so clueless that they don't even realize they are infected. If the
IP address is always the same, it usually indicates that the person is on a
high speed connection. Unfortunately, without the ISP's cooperation, there is
no way to find out who that person is.

J.A. Coutts
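As an added example (not code from any poster in this thread), here is a small Python header tracer that does what the post above describes by hand: it unfolds the raw headers, parses each Received: line into its "from" and "by" parts, puts the hops into transmission order (MTAs prepend Received: lines, so the top line is the last hop) and reports the IP that handed the message to the first MTA, plus whether the message arrived in a single hop. Both samples are constructed: the first is the two-hop header excerpt quoted above, re-folded as it would sit in a raw message; the second is a made-up single-hop header using the documentation address 192.0.2.10. Hostnames ending in .invalid are placeholders, and the regexes are a pragmatic approximation of the Received: grammar, not a full RFC 5322 parser.

```python
import re
from typing import Dict, List, Optional

# Constructed sample 1: the two-hop header excerpt quoted in the post above,
# folded as it would appear in a raw message (continuation lines start with
# whitespace). Non-Received headers are included to show they are skipped.
RELAYED_SAMPLE = """\
Received: from source ([139.142.48.47]) by exprod5mx121.postini.com
 ([12.158.34.245]) with SMTP;
 Wed, 21 Jul 2004 12:17:08 PDT
Received: from VAN06 [209.115.164.90] by mailhost.rewired.net
 (SMTPD32-4.07) id A12416E0252; Wed, 21 Jul 2004 13:16:52 MDT
Message-ID: <constructed@example.invalid>
From: "Forged Display Name" <anyone@example.invalid>
"""

# Constructed sample 2: a single-hop header of the kind the post describes for
# a worm that delivers straight from the infected machine to the recipient's
# mail server. 192.0.2.10 is a documentation (TEST-NET-1) address.
DIRECT_SAMPLE = """\
Received: from victim-pc [192.0.2.10] by mx.example.invalid
 with SMTP id 12345; Thu, 22 Jul 2004 09:01:02 PDT
From: "Spoofed" <someone-else@example.invalid>
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# "from <sender> by <receiver>" followed by with/id/; or end of header.
HOP = re.compile(r"from\s+(?P<frm>.+?)\s+by\s+(?P<by>.+?)(?=\s+with\s|\s+id\s|;|$)", re.S)


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 5322 folded continuation lines so each header is one string."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line.rstrip())
    return out


def received_hops(raw: str) -> List[Dict[str, Optional[str]]]:
    """Parse every Received: header into {'from', 'from_ip', 'by', 'by_ip'}.

    MTAs prepend Received: lines, so the topmost line is the last hop; the
    list is returned in transmission order (oldest hop first).
    """
    hops: List[Dict[str, Optional[str]]] = []
    for header in unfold_headers(raw):
        if not header.lower().startswith("received:"):
            continue
        m = HOP.search(header[len("received:"):])
        if not m:
            continue
        frm_ip = IPV4.search(m.group("frm"))
        by_ip = IPV4.search(m.group("by"))
        hops.append({
            "from": m.group("frm"),
            "from_ip": frm_ip.group(1) if frm_ip else None,
            "by": m.group("by"),
            "by_ip": by_ip.group(1) if by_ip else None,
        })
    hops.reverse()
    return hops


def origin_ip(raw: str) -> Optional[str]:
    """IP of the host that handed the message to the first MTA in the chain.

    Caveat: only the Received: line written by a server you trust (normally
    your own mail server, the topmost line) is guaranteed genuine; a sender
    can forge any 'earlier' Received: lines, so treat deeper hops with care.
    """
    hops = received_hops(raw)
    return hops[0]["from_ip"] if hops else None


def delivered_directly(raw: str) -> bool:
    """True when there is exactly one hop, i.e. the sending host spoke straight
    to the recipient's mail server instead of relaying via its own ISP."""
    return len(received_hops(raw)) == 1


if __name__ == "__main__":
    for name, sample in (("relayed", RELAYED_SAMPLE), ("direct", DIRECT_SAMPLE)):
        print(f"{name}: origin={origin_ip(sample)} direct={delivered_directly(sample)}")
        for i, hop in enumerate(received_hops(sample), 1):
            print(f"  hop {i}: {hop['from_ip'] or hop['from']} -> {hop['by_ip'] or hop['by']}")
```

On the quoted header this reports 209.115.164.90 as the origin and two hops; on the single-hop sample it reports 192.0.2.10 and flags direct delivery. The trust caveat in `origin_ip` is the practical point: the only Received: line you can rely on is the one your own server wrote, which is why the post says the ISP's cooperation is needed to go from that IP to a subscriber.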
 
from the wonderful said:
I don't think so!!

Depends what they meant by 'server'. It certainly sends Emails from an
infected machine, using SMTP, to the ISP's mail server without invoking
the services of Outlook Express, (or any other recognised Email
program). Hence there are no traces of the sent emails in the places the
user would normally see them.
 
GSV said:
Depends what they meant by 'server'. It certainly sends Emails from an
infected machine, using SMTP, to the ISP's mail server without invoking
the services of Outlook Express, (or any other recognised Email
program). Hence there are no traces of the sent emails in the places the
user would normally see them.

the meaning of 'server' is actually well defined... a server is
something that serves requests from one or more clients...

netsky doesn't accept smtp commands from clients, it sends them out...
it does have its own smtp code but it doesn't play the role of a server...
 
from the said:
the meaning of 'server' is actually well defined... a server is
something that serves requests from one or more clients...

I know that; but, I repeat, it depends what THEY meant by 'server'. The
NETSKY SMTP handler may be regarded as a server, in so far as it accepts
'send' requests from the virus (one client) and actions them. Yes, this
is stretching the definition .. however people have been known to do
that from time to time.
 
Beauregard T. Shagnasty said:
Quoth the raven Criminal Element:


I do.

W32.Netsky.AB@mm is a worm that scans for the email addresses on all
non-CD-ROM drives on an infected computer. The worm then uses its own
SMTP engine to send itself to the email addresses that it finds.

http://www.symantec.com/avcenter/venc/data/[email protected]

SMTP engine != SMTP server. SMTP engine only does the requisite com
for transfer. Server is different animal.
 
GSV said:
I know that; but, I repeat, it depends what THEY meant by 'server'. The
NETSKY SMTP handler may be regarded as a server, in so far as it accepts
'send' requests from the virus (one client) and actions them. Yes, this
is stretching the definition .. however people have been known to do
that from time to time.

Then my newsreader is a server too since its NNTP component accepts
requests from the non-NNTP part...?

Is my browser an HTTP-server? Certainly according to your definition,
since its HTTP handler accepts requests from the non-HTTP part...


If Netsky were a server, I could configure my email program to send
emails via Netsky. Sounds weird? Yes... On the other hand, the SMTP
engines certainly aren't regular clients either since they can contact
the mail exchangers directly and do not have to go through "normal" SMTP
servers. Though they are closer to being clients than to being servers.
 
GSV Three Minds in a Can said:
Depends what they meant by 'server'. It certainly sends Emails from an
infected machine, using SMTP, to the ISP's mail server without invoking
the services of Outlook Express, (or any other recognised Email
program). Hence there are no traces of the sent emails in the places the
user would normally see them.

Yes, but John said "In the case of the Netsky virus, it contains its
own SMTP server, so it sends the email directly from the infected machine
to the recipient's mail server." and I think it doesn't do this. From the
ref supplied by Beauregard (The worm attempts to use the infected computer's
default DNS server to retrieve the IP address of the email server) it's clear
that the next vic's >>server<< is not directly accessed by the worm but the
current vic's server maybe is or not; whatever, how would the current vic's
computer know the next's SMTP, specially if multi-addressed? The worm has an
"engine" to act as client to SMTP server is all, no?
 
Then my newsreader is a server too since its NNTP component accepts
requests from the non-NNTP part...?

Is my browser an HTTP-server? Certainly according to your definition,
since its HTTP handler accepts requests from the non-HTTP part...


If Netsky were a server, I could configure my email program to send
emails via Netsky. Sounds weird? Yes... On the other hand, the SMTP
engines certainly aren't regular clients either since they can contact
the mail exchangers directly and do not have to go through "normal" SMTP
servers. Though they are closer to being clients than to being servers.

Isn't the SMTP "engine" of netsky just a subroutine that calls the
winsock and sends the output from the worm through it?
By its being dedicated to providing this action for a specific
application under a specific circumstance, would seem to defy
conventional server/client terminology applicable to random sources.
Maybe a better term would be "internal SMTP component"?
 
Criminal Element said:
Yes, but John said "In the case of the Netsky virus, it contains its
own SMTP server, so it sends the email directly from the infected machine
to the recipient's mail server." and I think it doesn't do this. From the
ref supplied by Beauregard (The worm attempts to use the infected computer's
default DNS server to retrieve the IP address of the email server) it's clear
that the next vic's >>server<< is not directly accessed by the worm but the
current vic's server maybe is or not; whatever, how would the current vic's
computer know the next's SMTP, specially if multi-addressed? The worm has an
"engine" to act as client to SMTP server is all, no?

My bad..........Netsky does not, but netsky.b+whatever does do target SMTP
server connect. Still, not a server though.:)
 
GSV said:
Bitstring <[email protected]>, from the
wonderful person kurt wismer <[email protected]> said [snip]
the meaning of 'server' is actually well defined... a server is
something that serves requests from one or more clients...

I know that; but, I repeat, it depends what THEY meant by 'server'.

and we should accept people's misuse of technical terms because why?
The
NETSKY SMTP handler may be regarded as a server, in so far as it accepts
'send' requests from the virus (one client) and actions them.

that's absurd... then all software is a server in some sense or
another... it's all accepting requests from something else...
Yes, this
is stretching the definition .. however people have been known to do
that from time to time.

that is stretching it too far...
 
Bitstring <[email protected]>, from the
wonderful person kurt wismer said:
and we should accept people's misuse of technical terms because why?

Did I say we should accept it?

As you go through life you'll (eventually) discover that attempting to
understand the other guy, even when he is not speaking entirely correct
techno-speak, is generally more productive than shouting 'no that's
wrong', and then having both sides waving their fists about.

Or maybe not .. conflict and confrontation seem to be more in favour
than ever. You'd think after two world wars and numerous 'peace actions'
people might be more willing to work on understanding, but ..
 
GSV said:
Bitstring <[email protected]>, from the
wonderful person kurt wismer <[email protected]> said


Did I say we should accept it?

the essence of "it depends on what they meant" is that you're making
allowances for people to misuse the terminology...

it does not depend on what they meant... if someone says one or more of
the versions of netsky created up to this point has an smtp server in
it that person is technically wrong...
As you go through life you'll (eventually) discover that attempting to
understand the other guy, even when he is not speaking entirely correct
techno-speak, is generally more productive than shouting 'no that's
wrong', and then having both sides waving their fists about.

allowing errors to go uncorrected is bad for everyone... it leads to a
situation where many people misuse the terminology without knowing it
because those of us with more of a clue are able to mentally replace
those terms with the correct ones and so carry on discussions as though
they had made no error and then they go and spread their technically
misinformed view to others and the public's knowledge base becomes
further polluted...
Or maybe not .. conflict and confrontation seem to be more in favour
than ever. You'd think after two world wars and numerous 'peace actions'
people might be more willing to work on understanding, but ..

sacrificing correctness for the sake of people's egos is not something
i'm in favour of... there can be no progress without correction
(because we are so often wrong) and peace at the cost of progress is
not a fair trade...
 
Bitstring <[email protected]>, from the
wonderful person kurt wismer said:
allowing errors to go uncorrected is bad for everyone... it leads to a
situation where many people misuse the terminology without knowing it
because those of us with more of a clue are able to mentally replace
those terms with the correct ones and so carry on discussions as though
they had made no error and then they go and spread their technically
misinformed view to others and the public's knowledge base becomes
further polluted...


sacrificing correctness for the sake of people's egos is not something
i'm in favour of... there can be no progress without correction
(because we are so often wrong) and peace at the cost of progress is
not a fair trade...

As I said, when you grow up you'll eventually realise that being able to
have a peaceful and useful conversation with someone is actually more
important than ensuring they use exactly correct terminology the whole
time. I am quite capable of making progress while talking to someone who
gets the odd term wrong .. heck, the language is constantly being
redefined (by usage) anyway.
 
GSV said:
Bitstring <[email protected]>, from the
wonderful person kurt wismer <[email protected]> said [snip]
sacrificing correctness for the sake of people's egos is not something
i'm in favour of... there can be no progress without correction
(because we are so often wrong) and peace at the cost of progress is
not a fair trade...


As I said, when you grow up you'll eventually realise that being able to
have a peaceful and useful conversation with someone is actually more
important than ensuring they use exactly correct terminology the whole
time.

usefulness of conversations is in serious question in the presence of
confusion born of sloppy terminology usage... especially when that
sloppy usage is as widespread as it happens to be...
I am quite capable of making progress while talking to someone who
gets the odd term wrong .. heck, the language is constantly being
redefined (by usage) anyway.

conversational english is, yes, but technical jargon doesn't evolve in
quite the same way...
 