How does NETSKY work?
George Del Monte
2004-07-22 22:04:20 UTC
Would someone explain, step-by-step, in layman's terms, how NETSKY,
specifically, the ***@mm version, operates. Reason I ask is because
I've been receiving messages with this version attached and, when I look at
the message header, they all come from one basic IP address. I called the
telephone company (also the ISP) serving the area and the Tech Support guy
said it would be impossible to determine from whose computer the virus was
being sent BECAUSE WHEN THE VIRUS LANDS IN A NEW HOME IT TAKES WITH IT ALL
THE ADDRESSES FROM ITS PREVIOUS HOME. Sorry for the upper case, but this, if
true, is more diabolical than I had known. All I had thought I knew was the
reason for sending itself was to propagate by mass-mailing since it did no
damage to a host computer.
Beauregard T. Shagnasty
2004-07-22 22:22:01 UTC
BECAUSE WHEN THE VIRUS LANDS IN A NEW HOME IT TAKES WITH IT ALL THE
ADDRESSES FROM ITS PREVIOUS HOME.
That can't be true, else the transmitted virus file would never be the
same size.

The virus gets executed on its new host, and searches this new drive
for addresses.
--
-bts
-This space intentionally left blank.
David H. Lipman
2004-07-22 22:33:28 UTC
Too well !

Dave

"George Del Monte" <***@ham.net> wrote in message news:ERWLc.39135$***@twister.tampabay.rr.com...
| Would someone explain, step-by-step, in layman's terms, how NETSKY,
| specifically, the ***@mm version, operates. Reason I ask is because
| I've been receiving messages with this version attached and, when I look at
| the message header, they all come from one basic IP address. I called the
| telephone company (also the ISP) serving the area and the Tech Support guy
| said it would be impossible to determine from whose computer the virus was
| being sent BECAUSE WHEN THE VIRUS LANDS IN A NEW HOME IT TAKES WITH IT ALL
| THE ADDRESSES FROM ITS PREVIOUS HOME. Sorry for the upper case, but this, if
| true, is more diabolical than I had known. All I had thought I knew was the
| reason for sending itself was to propagate by mass-mailing since it did no
| damage to a host computer.
|
|
John Coutts
2004-07-23 14:41:31 UTC
Post by George Del Monte
Would someone explain, step-by-step, in layman's terms, how NETSKY,
I've been receiving messages with this version attached and, when I look at
the message header, they all come from one basic IP address. I called the
telephone company (also the ISP) serving the area and the Tech Support guy
said it would be impossible to determine from whose computer the virus was
being sent BECAUSE WHEN THE VIRUS LANDS IN A NEW HOME IT TAKES WITH IT ALL
THE ADDRESSES FROM ITS PREVIOUS HOME. Sorry for the upper case, but this, if
true, is more diabolical than I had known. All I had thought I knew was the
reason for sending itself was to propagate by mass-mailing since it did no
damage to a host computer.
************** REPLY SEPARATOR ***************
Nothing could be further from the truth. The From:, To:, Subject:, and Date:
fields are not reliable, and can be easily forged. I call this the pseudo
header. The real header info is the only thing that is useful:
--------------------------------------------------------------------
Received: from source ([139.142.48.47]) by exprod5mx121.postini.com
([12.158.34.245]) with SMTP;
Wed, 21 Jul 2004 12:17:08 PDT
Received: from VAN06 [209.115.164.90] by mailhost.rewired.net
(SMTPD32-4.07) id A12416E0252; Wed, 21 Jul 2004 13:16:52 MDT
Message-ID: <000501c46f58$fbe0dec0$***@trek.van>
--------------------------------------------------------------------
A line is added each time it goes through an MTA (Mail Transport Agent).
Normally, a client sends an email to his/her mail server, and that mail server
forwards the email to the recipient's mail server. In the above example, the
client at [209.115.164.90] sent the email to his/her mail server at
[139.142.48.47], which in turn forwarded it to [12.158.34.245].

In the case of the Netsky virus, it contains its own SMTP server, so it sends
the email directly from the infected machine to the recipient's mail server.
Unless you have a complex mail routing system, there should only be one
received line with the Netsky virus. That is the actual source, and the owner
is probably so clueless that they don't even realize they are infected. If the
IP address is always the same, it usually indicates that the person is on a
high speed connection. Unfortunately, without the ISP's cooperation, there is
no way to find out who that person is.

J.A. Coutts
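A defender-side walk through the Received: chain J.A. Coutts describes, as an added example (not code from the thread): it parses the hop lines, treats the bottom-most line written by an MTA you trust as the real source, and flags the one-hop pattern of a worm that speaks SMTP straight to the recipient's mail server. The first sample is the header block quoted in the post above; the host mx.example.net and the 192.0.2.x / 198.51.100.x addresses in the second sample are constructed.

```python
import re
from email import message_from_string

# Header block as quoted in J.A. Coutts's post above; continuation lines
# re-indented as RFC 2822 folding requires. The forgeable pseudo-header
# fields (From:, To:, Subject:, Date:) are deliberately left out.
THREAD_SAMPLE = """\
Received: from source ([139.142.48.47]) by exprod5mx121.postini.com
 ([12.158.34.245]) with SMTP;
 Wed, 21 Jul 2004 12:17:08 PDT
Received: from VAN06 [209.115.164.90] by mailhost.rewired.net
 (SMTPD32-4.07) id A12416E0252; Wed, 21 Jul 2004 13:16:52 MDT

"""

# Constructed single-hop header (addresses from RFC 5737 test ranges):
# the worm's own SMTP engine spoke directly to the recipient's MTA, so
# only that MTA added a Received: line.
DIRECT_SAMPLE = """\
Received: from pc ([192.0.2.45]) by mx.example.net ([198.51.100.7]) with SMTP;
 Thu, 22 Jul 2004 09:00:00 PDT

"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_BY = re.compile(r"from\s+(?P<frm>.+?)\s+by\s+(?P<by>\S+)(?P<rest>.*)", re.S)


def parse_received(value):
    """Split one Received: value into the 'from' side and the 'by' side."""
    m = FROM_BY.search(value)
    if not m:
        return None
    from_ips = IPV4.findall(m.group("frm"))
    by_ips = IPV4.findall(m.group("rest"))
    return {"from_name": m.group("frm").split()[0],
            "from_ip": from_ips[0] if from_ips else None,
            "by_host": m.group("by"),
            "by_ip": by_ips[0] if by_ips else None}


def hops_top_down(raw_headers):
    """Received: lines in header order: each MTA prepends its own line, so
    index 0 is the final delivery and the last entry is nearest the origin."""
    msg = message_from_string(raw_headers)
    return [h for h in map(parse_received, msg.get_all("Received", [])) if h]


def origin_ip(raw_headers, trusted_by_hosts):
    """IP that connected to the last MTA we trust, walking top-down.
    Lines further down were written by hosts we do not control and could
    have been prepended by the sender, so the walk stops there."""
    candidate = None
    for hop in hops_top_down(raw_headers):
        if hop["by_host"] not in trusted_by_hosts:
            break
        candidate = hop["from_ip"]
    return candidate


def looks_direct_to_mx(raw_headers):
    """One Received: line only: the sending host spoke SMTP straight to our MTA."""
    return len(hops_top_down(raw_headers)) == 1
```

With only the postini host trusted, the thread's sample resolves to 139.142.48.47; trusting mailhost.rewired.net as well walks one hop further to 209.115.164.90.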
Criminal Element
2004-07-24 00:26:44 UTC
Post by John Coutts
In the case of the Netsky virus, it contains its own SMTP server,
I don't think so!!
Beauregard T. Shagnasty
2004-07-24 01:16:09 UTC
Post by Criminal Element
Post by John Coutts
In the case of the Netsky virus, it contains its own SMTP
server,
I don't think so!!
I do.

***@mm is a worm that scans for the email addresses on all
non-CD-ROM drives on an infected computer. The worm then uses its own
SMTP engine to send itself to the email addresses that it finds.

http://www.symantec.com/avcenter/venc/data/***@mm.html
--
-bts
-This space intentionally left blank.
Criminal Element
2004-07-24 19:45:00 UTC
Post by Beauregard T. Shagnasty
Post by Criminal Element
Post by John Coutts
In the case of the Netsky virus, it contains its own SMTP
server,
I don't think so!!
I do.
non-CD-ROM drives on an infected computer. The worm then uses its own
SMTP engine to send itself to the email addresses that it finds.
SMTP engine != SMTP server. SMTP engine only does the requisite com
for transfer. Server is a different animal.
GSV Three Minds in a Can
2004-07-24 13:33:02 UTC
Post by Criminal Element
Post by John Coutts
In the case of the Netsky virus, it contains its own SMTP server,
I don't think so!!
Depends what they meant by 'server'. It certainly sends Emails from an
infected machine, using SMTP, to the ISP's mail server without invoking
the services of Outlook Express, (or any other recognised Email
program). Hence there are no traces of the sent emails in the places the
user would normally see them.
--
GSV Three Minds in a Can
Outgoing Msgs are Turing Tested, and indistinguishable from human typing.
kurt wismer
2004-07-24 15:52:29 UTC
Post by GSV Three Minds in a Can
Post by Criminal Element
Post by John Coutts
In the case of the Netsky virus, it contains its own SMTP server,
I don't think so!!
Depends what they meant by 'server'. It certainly sends Emails from an
infected machine, using SMTP, to the ISP's mail server without invoking
the services of Outlook Express, (or any other recognised Email
program). Hence there are no traces of the sent emails in the places the
user would normally see them.
the meaning of 'server' is actually well defined... a server is
something that serves requests from one or more clients...

netsky doesn't accept smtp commands from clients, it sends them out...
it does have its own smtp code but it doesn't play the role of a server...
--
"maxwell can tell he's in hell
just wants you to visit him there
same old game that he's playin'
his rules are never fair"
GSV Three Minds in a Can
2004-07-24 17:27:30 UTC
Post by kurt wismer
Post by GSV Three Minds in a Can
Post by Criminal Element
Post by John Coutts
In the case of the Netsky virus, it contains its own SMTP server,
I don't think so!!
Depends what they meant by 'server'. It certainly sends Emails from
an infected machine, using SMTP, to the ISP's mail server without
invoking the services of Outlook Express, (or any other recognised
Email program). Hence there are no traces of the sent emails in the
places the user would normally see them.
the meaning of 'server' is actually well defined... a server is
something that serves requests from one or more clients...
I know that; but, I repeat, it depends what THEY meant by 'server'. The
NETSKY SMTP handler may be regarded as a server, in so far as it accepts
'send' requests from the virus (one client) and actions them. Yes, this
is stretching the definition .. however people have been known to do
that from time to time.
--
GSV Three Minds in a Can
Outgoing Msgs are Turing Tested, and indistinguishable from human typing.
kurt wismer
2004-07-25 22:09:13 UTC
[snip]
Post by GSV Three Minds in a Can
Post by kurt wismer
the meaning of 'server' is actually well defined... a server is
something that serves requests from one or more clients...
I know that; but, I repeat, it depends what THEY meant by 'server'.
and we should accept people's misuse of technical terms because why?
Post by GSV Three Minds in a Can
The
NETSKY SMTP handler may be regarded as a server, in so far as it accepts
'send' requests from the virus (one client) and actions them.
that's absurd... then all software is a server in some sense or
another... it's all accepting requests from something else...
Post by GSV Three Minds in a Can
Yes, this
is stretching the definition .. however people have been known to do
that from time to time.
that is stretching it too far...
--
"maxwell can tell he's in hell
just wants you to visit him there
same old game that he's playin'
his rules are never fair"
GSV Three Minds in a Can
2004-07-25 22:58:43 UTC
Bitstring <7cWMc.4039$***@news20.bellglobal.com>, from the
wonderful person kurt wismer <***@sympatico.ca> said
<snip>
Post by kurt wismer
Post by GSV Three Minds in a Can
Post by kurt wismer
the meaning of 'server' is actually well defined... a server is
something that serves requests from one or more clients...
I know that; but, I repeat, it depends what THEY meant by 'server'.
and we should accept people's misuse of technical terms because why?
Did I say we should accept it?

As you go through life you'll (eventually) discover that attempting to
understand the other guy, even when he is not speaking entirely correct
techno-speak, is generally more productive than shouting 'no that's
wrong', and then having both sides waving their fists about.

Or maybe not .. conflict and confrontation seem to be more in favour
than ever. You'd think after two world wars and numerous 'peace actions'
people might be more willing to work on understanding, but ..
--
GSV Three Minds in a Can
Outgoing Msgs are Turing Tested, and indistinguishable from human typing.
kurt wismer
2004-07-27 11:57:07 UTC
Post by GSV Three Minds in a Can
<snip>
Post by kurt wismer
Post by GSV Three Minds in a Can
Post by kurt wismer
the meaning of 'server' is actually well defined... a server is
something that serves requests from one or more clients...
I know that; but, I repeat, it depends what THEY meant by 'server'.
and we should accept people's misuse of technical terms because why?
Did I say we should accept it?
the essence of "it depends on what they meant" is that you're making
allowances for people to misuse the terminology...

it does not depend on what they meant... if someone says one or more of
the versions of netsky created up to this point has an smtp server in
it that person is technically wrong...
Post by GSV Three Minds in a Can
As you go through life you'll (eventually) discover that attempting to
understand the other guy, even when he is not speaking entirely correct
techno-speak, is generally more productive than shouting 'no that's
wrong', and then having both sides waving their fists about.
allowing errors to go uncorrected is bad for everyone... it leads to a
situation where many people misuse the terminology without knowing it
because those of us with more of a clue are able to mentally replace
those terms with the correct ones and so carry on discussions as though
they had made no error and then they go and spread their technically
misinformed view to others and the public's knowledge base becomes
further polluted...
Post by GSV Three Minds in a Can
Or maybe not .. conflict and confrontation seem to be more in favour
than ever. You'd think after two world wars and numerous 'peace actions'
people might be more willing to work on understanding, but ..
sacrificing correctness for the sake of people's egos is not something
i'm in favour of... there can be no progress without correction
(because we are so often wrong) and peace at the cost of progress is
not a fair trade...
--
"maxwell can tell he's in hell
just wants you to visit him there
same old game that he's playin'
his rules are never fair"
GSV Three Minds in a Can
2004-07-27 13:08:20 UTC
Bitstring <jqrNc.10643$***@news20.bellglobal.com>, from the
wonderful person kurt wismer <***@sympatico.ca> said
<snip>
Post by kurt wismer
allowing errors to go uncorrected is bad for everyone... it leads to a
situation where many people misuse the terminology without knowing it
because those of us with more of a clue are able to mentally replace
those terms with the correct ones and so carry on discussions as though
they had made no error and then they go and spread their technically
misinformed view to others and the public's knowledge base becomes
further polluted...
Post by GSV Three Minds in a Can
Or maybe not .. conflict and confrontation seem to be more in favour
than ever. You'd think after two world wars and numerous 'peace
actions' people might be more willing to work on understanding, but ..
sacrificing correctness for the sake of people's egos is not something
i'm in favour of... there can be no progress without correction
(because we are so often wrong) and peace at the cost of progress is
not a fair trade...
As I said, when you grow up you'll eventually realise that being able to
have a peaceful and useful conversation with someone is actually more
important than ensuring they use exactly correct terminology the whole
time. I am quite capable of making progress while talking to someone who
gets the odd term wrong .. heck, the language is constantly being
redefined (by usage) anyway.
--
GSV Three Minds in a Can
Outgoing Msgs are Turing Tested, and indistinguishable from human typing.
kurt wismer
2004-07-28 23:07:15 UTC
[snip]
Post by GSV Three Minds in a Can
Post by kurt wismer
sacrificing correctness for the sake of people's egos is not something
i'm in favour of... there can be no progress without correction
(because we are so often wrong) and peace at the cost of progress is
not a fair trade...
As I said, when you grow up you'll eventually realise that being able to
have a peaceful and useful conversation with someone is actually more
important than ensuring they use exactly correct terminology the whole
time.
usefulness of conversations is in serious question in the presence of
confusion born of sloppy terminology usage... especially when that
sloppy usage is as widespread as it happens to be...
Post by GSV Three Minds in a Can
I am quite capable of making progress while talking to someone who
gets the odd term wrong .. heck, the language is constantly being
redefined (by usage) anyway.
conversational English is, yes, but technical jargon doesn't evolve in
quite the same way...
--
"maxwell can tell he's in hell
just wants you to visit him there
same old game that he's playin'
his rules are never fair"
Criminal Element
2004-07-24 20:17:25 UTC
Post by GSV Three Minds in a Can
Post by Criminal Element
Post by John Coutts
In the case of the Netsky virus, it contains its own SMTP server,
I don't think so!!
Depends what they meant by 'server'. It certainly sends Emails from an
infected machine, using SMTP, to the ISP's mail server without invoking
the services of Outlook Express, (or any other recognised Email
program). Hence there are no traces of the sent emails in the places the
user would normally see them.
Yes, but John said "In the case of the Netsky virus, it contains its
own SMTP server, so it sends the email directly from the infected machine
to the recipient's mail server." and I think it doesn't do this. From the
ref supplied by Beauregard (The worm attempts to use the infected computer's
default DNS server to retrieve the IP address of the email server) it's clear
that the next vic's >>server<< is not directly accessed by the worm but the
current vic's server maybe is or not whatever; how would the current vic's
computer know the next's SMTP, especially if multi-addressed? The worm has an
"engine" to act as client to SMTP server is all, no?
Criminal Element
2004-07-24 21:25:10 UTC
Post by Criminal Element
Post by GSV Three Minds in a Can
Post by Criminal Element
Post by John Coutts
In the case of the Netsky virus, it contains its own SMTP server,
I don't think so!!
Depends what they meant by 'server'. It certainly sends Emails from an
infected machine, using SMTP, to the ISP's mail server without invoking
the services of Outlook Express, (or any other recognised Email
program). Hence there are no traces of the sent emails in the places the
user would normally see them.
Yes, but John said "In the case of the Netsky virus, it contains its
own SMTP server, so it sends the email directly from the infected machine
to the recipient's mail server." and I think it doesn't do this. From the
ref supplied by Beauregard (The worm attempts to use the infected computer's
default DNS server to retrieve the IP address of the email server) it's clear
that the next vic's >>server<< is not directly accessed by the worm but the
current vic's server maybe is or not whatever; how would the current vic's
computer know the next's SMTP, especially if multi-addressed? The worm has an
"engine" to act as client to SMTP server is all, no?
My bad..........Netsky does not, but netsky.b+whatever does do target SMTP
server connect. Still, not a server though. :)