[virusinfo] Oxygen3 24h-365d [Netsky.V is downloaded from computers that it has previously infected - 04/16/04]

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Fri, 16 Apr 2004 20:10:20 -0700

From PANDA Oxygen3 24h-365d:

"Each problem that I solved became a rule, 
           which served afterwards to solve other problems."
 R. Descartes (1596-1650); French philosopher, scientist and mathematician.

 - Netsky.V is downloaded from computers that it has previously infected -
     Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, April 16, 2004 - Today's Oxygen3 24h-365d focuses on the V variant
of Netsky that, although it has not caused a significant number of
infections, stands out for the means of transmission it uses. Unlike the
majority of worms, Netsky.V does not hide in an attached file and wait for
the user to run it, but exploits a vulnerability to download itself from
another computer that it has already infected.

Netsky.V follows this routine: it opens TCP ports 5556, where an FTP service
is located, and 5557, with an HTTP service, which become servers from which
it can download itself. 

In order to spread, instead of sending an infected file via e-mail, Netsky.V
sends an HTML message that exploits the "ObjectData"(*) vulnerability in
Internet Explorer (which allows code to be run remotely and transparently
without user intervention). When the message sent by Netsky.V is viewed, the
computer connects to another infected computer (through the ports mentioned
above) in order to download an HTML page. This page then downloads a file
carrying the worm via FTP and runs it, thereby infecting the computer.

As well as ensuring that effective and updated antivirus protection is
installed, all users are recommended to keep their systems updated using the
automatic Windows Update service (http://windowsupdate.microsoft.com).

More information about Netsky.V in Panda Software's Virus Encyclopedia at:
http://www.pandasoftware.com/virus_info/encyclopedia/

(*) More information about the vulnerability exploited by Netsky.V, which
was corrected by Microsoft in a patch released in October 2003, at: 
http://www.microsoft.com/technet/security/bulletin/MS03-040.mspx

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

------------------------------------------------------------

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
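
Added example (not part of the original message or of Panda's bulletin): one way to look for the download sequence the bulletin describes, a connection to a peer's HTTP service on TCP 5557 followed by one to the same peer's FTP service on TCP 5556, in connection logs. The log layout ("timestamp src dst dst_port"), the 60-second window and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

FTP_PORT, HTTP_PORT = 5556, 5557   # ports named in the bulletin

# Constructed sample flow records: "timestamp src dst dst_port" (not real traffic)
SAMPLE_LOG = """\
2004-04-16T09:00:02 10.0.0.21 10.0.0.7 5557
2004-04-16T09:00:05 10.0.0.21 10.0.0.7 5556
2004-04-16T09:03:10 10.0.0.30 10.0.0.7 80
2004-04-16T09:20:00 10.0.0.44 10.0.0.21 5557
2004-04-16T09:20:04 10.0.0.44 10.0.0.21 5556
2004-04-16T10:00:00 10.0.0.50 10.0.0.9 5556
"""

def parse(log):
    """Yield (time, src, dst, port) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def find_download_chains(log, window=timedelta(seconds=60)):
    """Return sorted (client, server) pairs where the client hit the server's
    HTTP port 5557 and then its FTP port 5556 within `window` (assumed value)."""
    http_seen = {}          # (client, server) -> time of the latest 5557 connection
    chains = set()
    for ts, src, dst, port in sorted(parse(log)):
        if port == HTTP_PORT:
            http_seen[(src, dst)] = ts
        elif port == FTP_PORT:
            first = http_seen.get((src, dst))
            if first is not None and ts - first <= window:
                chains.add((src, dst))
    return sorted(chains)

def find_spreading_hosts(chains):
    """Hosts seen both as the client of one chain and the server of another:
    they fetched the worm and are now serving it to other machines."""
    clients = {c for c, _ in chains}
    servers = {s for _, s in chains}
    return sorted(clients & servers)

if __name__ == "__main__":
    chains = find_download_chains(SAMPLE_LOG)
    print("download chains:", chains)
    print("hosts to isolate first:", find_spreading_hosts(chains))
```

A lone connection to 5556 (the last sample record) is not reported; only the HTTP-then-FTP pair to the same peer is.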
