From: Sophos Alert System

Name: W32/Netsky-V
Aliases: I-Worm.NetSky.w, W32/Netsky.v@MM, W32.Netsky.V@mm, HTML/Debeski
Type: Win32 worm
Date: 20 April 2004

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the June 2004 (3.82) release of Sophos Anti-Virus. Enterprise Manager and PureMessage customers will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received just one report of this worm from the wild.

Note: Sophos has been detecting W32/Netsky-V since 01:00 GMT on 15 April. This new IDE has been issued to enhance detection.

Information about W32/Netsky-V can be found at:
http://www.sophos.com/virusinfo/analyses/w32netskyv.html

Description

W32/Netsky-V is a worm which uses a combination of email, HTTP and FTP to spread. The worm itself is a Windows program (EXE) file.

W32/Netsky-V searches your hard disk for email addresses and sends email directly to them. Note that these emails do not contain an attached copy of W32/Netsky-V. Instead, they contain HTML instructions to fetch a copy of the worm.

The emails use a subject and message randomly selected from the following:

Subject line:
  Mail Delivery Sytem failure
  Mail delivery failed
  Server Status failure
  Gateway Status failure

Visible message text:
  The processing of this message can take a few minutes...
  Converting message. Please wait...
  Please wait while loading failed message...
  Please wait while converting the message...

W32/Netsky-V opens up two TCP ports on your computer. An HTTP service listens on port 5557 and an FTP service listens on port 5556. These ports are used to "serve up" the virus to downstream victims to whom you have sent copies of the email mentioned above.

Downstream victims can become infected simply by reading an email sent by the virus. Note, however, that this email relies on a bug in Microsoft Outlook for which a patch has already been published. If you have downloaded and applied up-to-date patches from Microsoft, then the exploit used by this email will not work and the email is harmless.

If your computer has an unpatched copy of Outlook, the W32/Netsky-V email makes an HTTP (web) connection back to port 5557 on the computer which sent you the email. This web connection is used to download a second HTML script. This script in turn exploits a second bug in Outlook to make an FTP connection back to port 5556. The FTP connection is used to download, install and run the W32/Netsky-V worm.

W32/Netsky-V is installed into your Windows folder with the name KasperskyAVEng.exe. The worm adds the registry value:

  KasperskyAVEng

to the registry key:

  HKLM\Software\Microsoft\Windows\CurrentVersion\Run

so that it runs automatically every time you log on to your computer.

Between 22 April 2004 and 28 April 2004, W32/Netsky-V mounts a denial of service attack against the following sites:
  www.keygen.us
  www.freemule.net
  www.kazaa.com
  www.emule.de
  www.cracks.am

The denial of service consists of four redundant HTML requests to each of these sites every second.

Recovery

Please follow the instructions for removing worms.

Download the IDE file from:
http://www.sophos.com/downloads/ide/netsky-v.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:
  Zip file: http://www.sophos.com/downloads/ide/ides.zip
  Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at http://www.sophos.com/downloads/ide/using.html

---------------------------------------------------------------------
Mike ~ It is a good day if I learned something new.
Editor, MikesWhatsNews. See a sample on my web page: http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages: http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
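The alert above describes two things a responder can check for without a Sophos IDE: the lure email carries no attachment but points the reader back to the sender's HTTP listener on TCP 5557 (with the FTP stage on 5556), and an infected host has both ports listening. The script below is an added example written for this page, not Sophos code or part of the alert. It assumes the lure embeds the back-connect as an ordinary URL (an iframe or link to http://host:5557/); the alert gives the ports but not the exact HTML, so that shape is an assumption. Both sample messages and the netstat text are constructed here. The subject lines and visible-text phrases are copied from the alert, including its spelling, since they are what the worm sends. The host in the back-connect URL is recorded because it identifies the upstream infected machine, which the alert's text only implies.

```python
"""Triage helpers for the W32/Netsky-V lure described in the Sophos alert.

Added example, not Sophos code. Assumptions: the lure embeds an <iframe> or
link pointing at the sender's HTTP listener on TCP 5557 (the alert gives the
ports but not the exact HTML), and all sample input below is constructed.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Strings taken verbatim from the alert (worm-generated, so not "corrected").
NETSKY_V_SUBJECTS = {
    "Mail Delivery Sytem failure",
    "Mail delivery failed",
    "Server Status failure",
    "Gateway Status failure",
}
NETSKY_V_PHRASES = (
    "The processing of this message can take a few minutes...",
    "Converting message. Please wait...",
    "Please wait while loading failed message...",
    "Please wait while converting the message...",
)
# Listeners the worm opens on an infected host, per the alert.
NETSKY_V_PORTS = {5557: "http", 5556: "ftp"}

URL_RE = re.compile(r'(?i)\b(?:https?|ftp)://[^\s"\'<>]+')


def find_netsky_v_indicators(raw: bytes) -> dict:
    """Parse one RFC 822 message and report Netsky-V lure indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip()
    has_attachment = any(
        p.get_content_disposition() == "attachment" for p in msg.walk()
    )
    text = "\n".join(
        p.get_content() for p in msg.walk() if p.get_content_maintype() == "text"
    )
    # Decisive indicator: a URL whose port is one of the worm's listeners.
    # Its host is the upstream infected machine, so record it as an IOC.
    backconnect = []
    for url in URL_RE.findall(text):
        parts = urlparse(url)
        try:
            port = parts.port
        except ValueError:  # malformed port in the URL
            continue
        if port in NETSKY_V_PORTS:
            backconnect.append((parts.hostname, port, NETSKY_V_PORTS[port]))
    subject_match = subject in NETSKY_V_SUBJECTS
    lure_text = any(phrase in text for phrase in NETSKY_V_PHRASES)
    # Subject alone is not enough: genuine bounces use the same wording.
    if backconnect and (subject_match or lure_text):
        verdict = "netsky-v-lure"
    elif backconnect:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "subject_match": subject_match,
        "lure_text_match": lure_text,
        "has_attachment": has_attachment,
        "backconnect": backconnect,
        "verdict": verdict,
    }


def netsky_v_listeners(netstat_output: str) -> list:
    """Return (local_host, port, service) for LISTENING TCP sockets on 5556/5557.

    Expects 'netstat -an' style lines: 'TCP  0.0.0.0:5557  0.0.0.0:0  LISTENING'.
    """
    hits = []
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) < 4 or f[0].upper() != "TCP" or f[-1].upper() != "LISTENING":
            continue
        host, _, port = f[1].rpartition(":")
        if port.isdigit() and int(port) in NETSKY_V_PORTS:
            hits.append((host, int(port), NETSKY_V_PORTS[int(port)]))
    return hits


# Constructed samples (not real captures). 192.0.2.0/24 is documentation space.
SAMPLE_LURE = (
    b"From: postmaster@example.invalid\r\n"
    b"To: victim@example.invalid\r\n"
    b"Subject: Mail delivery failed\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Please wait while loading failed message...\r\n"
    b'<iframe src="http://192.0.2.10:5557/" width="0" height="0"></iframe>\r\n'
    b"</body></html>\r\n"
)
SAMPLE_BOUNCE = (
    b"From: mailer-daemon@example.invalid\r\n"
    b"Subject: Mail delivery failed\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"This message was created automatically by mail delivery software.\r\n"
    b"The address user@example.invalid was not found.\r\n"
)
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:5556           0.0.0.0:0              LISTENING
TCP    0.0.0.0:5557           0.0.0.0:0              LISTENING
TCP    192.0.2.20:5557        192.0.2.30:1054        ESTABLISHED
"""

if __name__ == "__main__":
    print(find_netsky_v_indicators(SAMPLE_LURE))
    print(find_netsky_v_indicators(SAMPLE_BOUNCE))
    print(netsky_v_listeners(SAMPLE_NETSTAT))
```

The bounce sample shares a subject line with the worm but is reported clean, which is the point: the subject list is too close to legitimate non-delivery reports to block on, whereas a URL to port 5556 or 5557 in a message with no attachment is specific to this worm's delivery method. On the host side, the established connection from 192.0.2.20:5557 in the netstat sample is deliberately ignored by the listener check; it is still worth noting in an investigation, because it would be a downstream victim fetching the worm.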