From: PANDA Oxygen3 24h-365d

"Each problem that I solved became a rule, which served afterwards to solve other problems."
R. Descartes (1596-1650); French philosopher, scientist and mathematician.

- Netsky.V is downloaded from computers that it has previously infected -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, April 16, 2004 - Today's Oxygen3 24h-365d focuses on the V variant of Netsky that, although it has not caused a significant number of infections, stands out for the means of transmission it uses.

Unlike the majority of worms, Netsky.V does not hide in an attached file and wait for the user to run it, but exploits a vulnerability to download itself from another computer that it has already infected.

Netsky.V follows this routine: it opens TCP ports 5556, where an FTP service is located, and 5557, with an HTTP service, which become servers from which it can download itself.

In order to spread, instead of sending an infected file via e-mail, Netsky.V sends an HTML message that exploits the "ObjectData" (*) vulnerability in Internet Explorer (which allows code to be run remotely and transparently without user intervention). When the message sent by Netsky.V is viewed, the computer connects to another infected computer (through the ports mentioned above) in order to download an HTML page. This page then downloads a file carrying the worm via FTP and runs it, thereby infecting the computer.

As well as ensuring that effective and updated antivirus protection is installed, all users are recommended to keep their systems updated using the automatic Windows Update service (http://windowsupdate.microsoft.com).
More information about Netsky.V in Panda Software's Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/encyclopedia/

(*) More information about the vulnerability exploited by Netsky.V, which was corrected by Microsoft in a patch released in October 2003, at: http://www.microsoft.com/technet/security/bulletin/MS03-040.mspx

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

------------------------------------------------------------
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
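
A defender-side check for the connection pattern described in the newsletter above, as an added example that is not part of the original message: it scans allowed-connection log lines for hosts serving on TCP 5556/5557 and for clients that contacted 5557 and then 5556 on the same host. The log layout, the sample addresses and the five-minute window are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta

# Ports named in the advisory: 5556 (FTP service) and 5557 (HTTP service).
FTP_PORT, HTTP_PORT = 5556, 5557
# Assumed log layout (constructed for this example, not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPORT=(?P<dport>\d+) ACTION=(?P<action>\w+)$"
)

def parse(lines):
    """Yield (timestamp, src, dst, dport) for allowed connections; skip junk lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["action"] == "ALLOW":
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])

def analyze(lines, window=timedelta(minutes=5)):
    """Return (serving, fetching): hosts that accepted a connection on 5556/5557,
    and (client, server) pairs where the client hit 5557 then 5556 on the same
    server within `window` (HTML page over HTTP, then the worm file over FTP)."""
    serving, fetching, last_http = set(), set(), {}
    for ts, src, dst, dport in sorted(parse(lines)):
        if dport not in (FTP_PORT, HTTP_PORT):
            continue
        serving.add(dst)  # something on this host answers on a Netsky.V port
        if dport == HTTP_PORT:
            last_http[(src, dst)] = ts
        elif (src, dst) in last_http and ts - last_http[(src, dst)] <= window:
            fetching.add((src, dst))  # HTTP fetch followed by FTP fetch
    return serving, fetching

# Constructed sample log lines (addresses are illustrative).
SAMPLE = [
    "2004-04-16T09:00:00 SRC=10.0.0.20 DST=10.0.0.9 DPORT=5557 ACTION=ALLOW",
    "2004-04-16T09:00:04 SRC=10.0.0.20 DST=10.0.0.9 DPORT=5556 ACTION=ALLOW",
    "2004-04-16T09:01:00 SRC=10.0.0.21 DST=10.0.0.9 DPORT=5557 ACTION=DENY",
    "2004-04-16T09:02:00 SRC=10.0.0.22 DST=192.0.2.7 DPORT=80 ACTION=ALLOW",
    "2004-04-16T09:30:00 SRC=10.0.0.23 DST=10.0.0.9 DPORT=5556 ACTION=ALLOW",
    "garbage line",
]

if __name__ == "__main__":
    serving, fetching = analyze(SAMPLE)
    print("hosts serving on 5556/5557:", sorted(serving))
    print("clients that fetched HTTP then FTP:", sorted(fetching))
```

A host in `serving` should be checked for the worm; a client in `fetching` viewed the message on an unpatched system and should be treated as newly infected.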