[virusinfo] Sophos Anti-Virus IDE alert: W32/Netsky-V

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Tue, 20 Apr 2004 10:18:13 -0700


From: Sophos Alert System:

Name: W32/Netsky-V
Aliases: I-Worm.NetSky.w, W32/Netsky.v@MM, W32.Netsky.V@mm, HTML/Debeski
Type: Win32 worm
Date: 20 April 2004

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the June 2004 (3.82) release of Sophos Anti-Virus.

Enterprise Manager and PureMessage customers will be
automatically protected at their next scheduled update.

At the time of writing, Sophos has received just one report of
this worm from the wild.


Note: Sophos has been detecting W32/Netsky-V since 01:00 GMT on
15 April. This new IDE has been issued to enhance detection.

Information about W32/Netsky-V can be found at:
http://www.sophos.com/virusinfo/analyses/w32netskyv.html
Description 
W32/Netsky-V is a worm which uses a combination of email, HTTP and FTP to
spread. The worm itself is a Windows program (EXE) file. 
W32/Netsky-V searches your hard disk for email addresses and sends email
directly to them. Note that these emails do not contain an attached copy of
W32/Netsky-V. Instead, they contain HTML instructions to fetch a copy of the
worm. The emails use a subject and message randomly selected from the
following: 

Subject line:
Mail Delivery Sytem failure
Mail delivery failed
Server Status failure
Gateway Status failure 

Visible message text:
The processing of this message can take a few minutes...
Converting message. Please wait...
Please wait while loading failed message...
Please wait while converting the message... 

W32/Netsky-V opens up two TCP ports on your computer. An HTTP service
listens on port 5557 and an FTP service listens on port 5556. These ports
are used to "serve up" the virus to downstream victims to whom you have sent
copies of the email mentioned above. 

Downstream victims can become infected simply by reading an email sent by
the virus. Note, however, that this email relies on a bug in Microsoft
Outlook for which a patch has already been published. If you have downloaded
and applied up-to-date patches from Microsoft, then the exploit used by this
email will not work and the email is harmless. 

If your computer has an unpatched copy of Outlook, the W32/Netsky-V email
makes an HTTP (web) connection back to port 5557 on the computer which sent
you the email. This web connection is used to download a second HTML script.
This script in turn exploits a second bug in Outlook to make an FTP
connection back to port 5556. The FTP connection is used to download,
install and run the W32/Netsky-V worm. 

W32/Netsky-V is installed into your Windows folder with the name
KasperskyAVEng.exe. The worm adds the registry value: 

KasperskyAVEng 

to the registry key: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

so that it runs automatically every time you logon to your computer. 

Between 22 April 2004 and 28 April 2004, W32/Netsky-V mounts a denial of
service attack against the following sites: 

www.keygen.us
www.freemule.net
www.kazaa.com
www.emule.de
www.cracks.am 

The denial of service consists of four redundant HTML requests to each of
these sites every second. 
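Added example, not part of the Sophos advisory or this post: a Python helper that flags hosts in constructed firewall log lines receiving connections on the two listener ports the advisory names (5557 HTTP, 5556 FTP), and checks an exported Run key for the value name the worm adds. The log line format, the sample addresses and the function names are assumptions.

```python
import re
from collections import defaultdict

# Listener ports the advisory attributes to W32/Netsky-V
NETSKY_V_PORTS = {5557: "HTTP", 5556: "FTP"}
# Run-key value name the advisory says the worm adds
NETSKY_V_RUN_VALUE = "KasperskyAVEng"

# Constructed sample firewall log lines (not real captures); the format is assumed.
SAMPLE_LOG = """\
2004-04-20T10:01:02 src=10.0.0.5:4123 dst=10.0.0.9:5557 proto=tcp action=allow
2004-04-20T10:01:03 src=10.0.0.5:4124 dst=10.0.0.9:5556 proto=tcp action=allow
2004-04-20T10:02:00 src=10.0.0.7:3300 dst=192.0.2.10:80 proto=tcp action=allow
2004-04-20T10:03:11 src=10.0.0.12:5000 dst=10.0.0.9:5557 proto=tcp action=allow
"""

LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=tcp")


def find_netsky_v_servers(log_text):
    """Return {dst_host: {port: [src hosts]}} for TCP connections to 5556/5557.

    A host accepting inbound connections on these ports matches the advisory's
    description of an infected machine serving the worm to downstream victims.
    """
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        port = int(m.group("dport"))
        if port in NETSKY_V_PORTS:
            hits[m.group("dst")][port].add(m.group("src"))
    return {h: {p: sorted(s) for p, s in ports.items()} for h, ports in hits.items()}


def likely_infected(hits):
    """Hosts seen serving on both ports: the HTTP stage and the FTP stage."""
    return sorted(h for h, ports in hits.items() if set(ports) == set(NETSKY_V_PORTS))


def run_key_matches(run_values):
    r"""Given value name -> data exported from
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run, return entries whose
    value name is the one the advisory attributes to the worm."""
    return {k: v for k, v in run_values.items()
            if k.lower() == NETSKY_V_RUN_VALUE.lower()}
```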
 
 
Recovery 
Please follow the instructions for removing worms. 

Download the IDE file from:
http://www.sophos.com/downloads/ide/netsky-v.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html
---------------------------------------------------------------------
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 