Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Virus Advisory: McAfee AVERT Raises Risk Assessment to Medium on New W32/Netsky.p@MM Worm

  • 23 March, 2004 10:54

<p>For further information or to arrange an interview, please contact myself on the details below:</p>
<p>Natalie Connor</p>
<p>Text 100</p>
<p>Tel: +61 (0) 2 9956 5733</p>
<p>Email: nataliec@text100.com.au</p>
<p>McAfee AVERT Raises Risk Assessment on W32/Netsky.p@MM Due to Increased Prevalence</p>
<p>SYDNEY, March 23 - Network Associates, the leading provider of intrusion prevention solutions, today announced that McAfee AVERT (Anti-Virus and Vulnerability Emergency Response Team), the world-class anti-virus and vulnerability research division of Network Associates, raised the risk assessment to medium on the recently discovered W32/Netsky.p@MM, also known as Netsky.p. Netsky.p is a prolific worm that spreads via email, sending itself to addresses found on the victim's machine. The worm has many of the same functionalities as its Netsky predecessors, three of which are also currently rated a medium risk threat. McAfee AVERT researchers first saw the worm earlier today and to date, have received more than 100 reports of Netsky.p from both real customer submissions and virus-generated mail from customers around the world.</p>
<p>Most of the Netsky.p reports that McAfee AVERT has seen are from customers versus the virus itself, which is spoofing the addresses and spreading the virus. This is the case with most viruses at this point, the three most prevalent families being Mydoom, Bagle and Netsky.</p>
<p>Symptoms</p>
<p>Netsky.p is an Internet worm that once activated emails itself to addresses found on the victim's machine. The worm then attempts to copy itself to folders on drives C: through Z: and it takes advantage the MS01-020 vulnerability announced (and patched) by Microsoft in 2001. This vulnerability allows the auto execution of files attached in email on systems running Microsoft Internet Explorer 5.01 or 5.5 without Service Pack 2. More information and the update can be found at</p>
<p>http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx.</p>
<p>McAfee AVERT strongly users to update their systems and also delete any email containing the following:</p>
<p>From: (forged address taken from infected system)</p>
<p>Subject: (Taken from the following list)</p>
<p>-- Stolen document</p>
<p>-- Re:Hello</p>
<p>-- Mail Delivery (failure sender address)</p>
<p>-- Private document</p>
<p>-- Re:Notify</p>
<p>-- Re:document</p>
<p>-- Re:Extended Mail System</p>
<p>-- Re:Proctected Mail System</p>
<p>-- Re:Question</p>
<p>-- Private document</p>
<p>-- Postcard</p>
<p>Body: (Taken from the following list)</p>
<p>-- I found this document about you.</p>
<p>-- I have attached it to this mail.</p>
<p>-- Waiting for authentification.</p>
<p>-- Please confirm!</p>
<p>-- Protected message is available</p>
<p>-- Do not visit this illegal websites!</p>
<p>-- Here is my phone number.</p>
<p>-- I cannot believe that.</p>
<p>-- Your file is attached.</p>
<p>-- For further details see that attachment.</p>
<p>-- Congratulations!, your best friend.</p>
<p>-- Greetings from france, your friend.</p>
<p>-- If the message will not displayed automatically, follow the link</p>
<p>to read the delivered message.</p>
<p>Received message is available at:(forged web link. )</p>
<p>Pathology</p>
<p>After being executed, Netsky.p emails itself out as a .ZIP attachment with a filename taken from strings within the worm. It queries the DNS server for the MX record and connects directly to the Mail Transfer Agent (MTA) of the targeted domain and sends the message. The worm then copies itself the WINDOWS directory with the filename "FVProtect.exe." The worm adds a registry key that helps it activate at the system start-up.</p>
<p>Cure</p>
<p>Immediate information and the cure for this virus can be found online at the Network Associates McAfee AVERT site located at http://vil.nai.com/vil/content/v_101119.htm. Users of McAfee Security products should update their systems from that page. Generic protection, which also protects users against the W32/Netsky.c@MM variant, has been available with the 4340 or later scanning engine to stop potential damage.</p>
<p>Network Associates McAfee Protection-in-Depth Strategy delivers the industry's only complete set of system and network protection solutions differentiated by intrusion prevention technology that can detect and block these types of attacks. This allows customers to protect themselves while they plan their patch deployment strategy.</p>
<p>McAfee AVERT Labs is one of the top-ranked anti-virus research organisations in the world, employing more than 90 researchers in offices on five continents. McAfee AVERT protects customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.</p>
<p>About Network Associates</p>
<p>With headquarters in Santa Clara, California, Network Associates, Inc. creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. Offering two families of products, McAfee System Protection Solutions, securing desktops and servers, and McAfee Network Protection Solutions, ensuring the protection and performance of the corporate network, Network Associates offers computer security to large enterprises, governments, small and medium sized businesses, and consumers. For more information, Network Associates can be reached on the Internet at http://www.networkassociates.com/.</p>
<p>NOTE: Network Associates, McAfee and AVERT are either registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the United States and/or other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. (c)2004 Networks Associates Technology, Inc. All Rights Reserved.</p>
<p>##ENDS##</p>

Most Popular

Market Place