Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Threat Advisory: McAfee AVERT Raises Risk Assessment to Medium on New Netsky.AG@MM Virus

  • 15 October, 2004 09:41

<p>McAfee AVERT Reports New Netsky Virus In-the-Wild</p>
<p>SYDNEY, October 15, 2004 — McAfee, Inc. the leading provider of intrusion prevention solutions, today announced that McAfee AVERT (Anti-virus and Vulnerability Emergency Response Team), the world-class research division of McAfee, raised the risk assessment to Medium on the recently discovered W32/Netsky.ag@MM, also known as Netsky.ag. This new variant is a prolific worm that spreads via email, sending itself to addresses found on the victim’s machine. McAfee AVERT researchers have received over 100 samples of Netsky.ag from both real customer submissions and virus-generated mail—with most of the samples reported to be from Brazil and Argentina.</p>
<p>Threat Overview
Netsky.ag is a mass mailing threat that contains its own SMTP engine to construct outgoing messages. It harvests addresses from local files and then uses the harvested addresses in the ‘From’ field to send itself. This produces a message with a spoofed From address. When run, the worm displays a message box, “File corrupted replace this!” Users should be very wary and should most likely delete any email containing the following:</p>
<p>From: (address is spoofed)</p>
<p>Subject: (one of the following)</p>
<p>· 0123456789</p>
<p>· Abra rapido isso!!!!</p>
<p>· acrdito que em voce!!!</p>
<p>· algo a mais</p>
<p>· AmaVoce</p>
<p>· amor me liga</p>
<p>· AninhaPutinha +55operado6992292246</p>
<p>· arquivo zipado PGP???</p>
<p>· Boleto Pague</p>
<p>· campanhadafome</p>
<p>· encontro voce!</p>
<p>· estou doente veja!!!</p>
<p>· falea verdade!!!</p>
<p>· ferias nos E.U.A</p>
<p>· ganhe muita grana</p>
<p>· gostaria disso e voce???</p>
<p>· grana</p>
<p>· Hackers do Brasil</p>
<p>· Lembra?</p>
<p>· me diz o queacha?</p>
<p>· me veja peladinha</p>
<p>· Medical Labs Exames!!!</p>
<p>· meu telefone liga</p>
<p>· olha que isso!!!</p>
<p>· parabens!</p>
<p>· PizzaVeneza!</p>
<p>· Policia SP</p>
<p>· pq nao me liga??</p>
<p>· preenche ai ta bom</p>
<p>· promocao de viajens de fim de ano</p>
<p>· Proposta de emprego!!</p>
<p>· receitas de bolo!!</p>
<p>· retorna logo isso!!</p>
<p>· reza de sao tome!!!!.</p>
<p>· sinto voce!!</p>
<p>· sua conta bancaria zerada</p>
<p>· Sua Conta!!</p>
<p>· Surto :(</p>
<p>· te amo!</p>
<p>· tudo sobre voce sabe</p>
<p>· Vacina contra o HIV!!</p>
<p>· ve ai logo ta</p>
<p>· veja detalhes!!!.</p>
<p>· veja o que tem no zip e me liga</p>
<p>· voce passou :D!!!</p>
<p>Body Text: (one of the following)</p>
<p>· PizzaVeneza!</p>
<p>· preenche ai ta bom</p>
<p>· encontro voce!</p>
<p>· veja detalhes!!!.</p>
<p>· reza de sao tome!!!!.</p>
<p>· Abra rapido isso!!!!</p>
<p>· AmaVoce</p>
<p>· AMA!</p>
<p>· ve ai logo ta</p>
<p>· voce passou :D!!!</p>
<p>· arquivo zipado PGP???</p>
<p>· retorna logo isso!!</p>
<p>· me diz o queacha?</p>
<p>· estou doente veja!!!</p>
<p>· Proposta de emprego!!</p>
<p>· tudo sobre voce sabe</p>
<p>· promocao de viajens de fim de ano</p>
<p>· acrdito que em voce!!!</p>
<p>· receitas de bolo!!</p>
<p>· veja o que tem no zip e me liga</p>
<p>· Boleto Pague</p>
<p>· Sua Conta!!</p>
<p>· Policia SP</p>
<p>· te amo!</p>
<p>· parabens!</p>
<p>· olha que isso!!!</p>
<p>· sua conta bancaria zerada</p>
<p>· Vacina contra o HIV!!</p>
<p>· Surto :(</p>
<p>· ferias nos E.U.A</p>
<p>· meu telefone liga</p>
<p>· Medical Labs Exames!!!</p>
<p>· Hackers do Brasil</p>
<p>· amor me liga</p>
<p>· Lembra?</p>
<p>· grana</p>
<p>· sinto voce!!</p>
<p>· pq nao me liga??</p>
<p>· vaca</p>
<p>· campanhadafome</p>
<p>· ganhe muita grana</p>
<p>· falea verdade!!!</p>
<p>· algo a mais</p>
<p>· gostaria disso e voce???</p>
<p>· me veja peladinha</p>
<p>Threat Pathology
Netsky.ag copies itself to local folders containing string share or sharing, network shares and P2P shared folders. After being executed, the worm copies itself into the Windows System directory (%WinDir%\MsnMsgrs.exe). The following Registry key is added to hook system startup:</p>
<p>HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run "MsnMsgr" = %WinDir%\MsnMsgrs.exe -alev
The worm then emails itself to addresses found on the infected host as a .PIF, .COM, .SCR, .BAT, or .ZIP file.</p>
<p>System Protection and Cure
More information on Netsky.ag and cure for this worm can be found online at the McAfee AVERT site located at http://vil.nai.com/vil/content/v_128905.htm. McAfee AVERT is advising its customers to update to the 4399 DATs to stay protected from all the current Netsky threats.</p>
<p>McAfee AVERT Labs is one of the top-ranked anti-virus and vulnerability research organizations in the world, employing researchers in thirteen countries on five continents. McAfee AVERT combines world-class malicious code and anti-virus research with intrusion prevention and vulnerability research expertise from the McAfee IntruShield and McAfee Entercept organisations, two research arms that were acquired through IntruVert Networks and Entercept Security. McAfee AVERT protects customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.</p>
<p>McAfee, Inc., headquartered in Santa Clara, Calif., creates best-of-breed intrusion prevention and risk management solutions. McAfee’s market-leading security products and services help large, medium and small businesses, government agencies, and consumers prevent intrusions on networks and protect computer systems from critical threats. Additionally, through the Foundstone Professional Services division, leading security consultants provide security expertise and best practices for organisations. For more information, McAfee, Inc. can be reached on the Internet at http://www.mcafee.com/.</p>
<p># # #</p>
<p>NOTE: McAfee, AVERT, IntruShield and Entercept are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the United States and/or other countries. The colour red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2004 Networks Associates Technology, Inc. All Rights Reserved.</p>
<p>For further information please contact:</p>
<p>Natalie Connor</p>
<p>Tel: +61 (0)2 9956 5733</p>
<p>E-mail: natalie.connor@text100.com.au</p>

Most Popular

Market Place