- 30 March 2004 10:37
New NetSky variant – Network Associates McAfee AVERT raises risk assessment to medium on new W32/Netsky.q@MM worm
McAfee AVERT Researchers Receive More Than 100 Reports of the Virus
Sydney, 30 March 2004 - Network Associates today announced that McAfee AVERT (Anti-Virus and Vulnerability Emergency Response Team), the world-class anti-virus and vulnerability research division of Network Associates, raised the risk assessment to medium on the recently discovered W32/Netsky.q@MM, also known as Netsky.q. Netsky.q is a prolific worm that spreads via email, sending itself to addresses found on the victim’s machine. The worm has many of the same functionalities as its Netsky predecessors, five of which are also currently rated a medium risk threat. To date, McAfee AVERT has received more than 100 reports of the virus being stopped or infecting users in the field, with the largest number of infected files reported from Japan. McAfee AVERT has also received reports of the virus being stopped or infecting users in Europe.
Symptoms
Netsky.q is an Internet worm that, once activated, emails itself to addresses found on the victim’s machine. The worm then attempts to copy itself to folders on drive C:, and it takes advantage of the MS01-020 vulnerability announced (and patched) by Microsoft in 2001. This vulnerability allows the automatic execution of files attached to email on systems running Microsoft Internet Explorer 5.01 or 5.5 without Service Pack 2. More information and the update can be found at http://www.microsoft.com/technet/security/bulletin/MS01-020.mspx.
McAfee AVERT strongly urges users to update their systems and also delete any email containing the following examples:
Subject:
• Mail Delivery System (%recipient email address %)
• Status (%recipient email address %)
• Unknown Exception (%recipient email address %)
• Mail System (%recipient email address %)
• Server Error (%recipient email address %)
• Delivery Failure (%recipient email address %)
Body:
• Mail Delivery Error - This mail contains unicode characters
• Mail Delivery System - This mail contains binary characters
• Received message has been sent as an encoded attachment.
• Delivery Agent - Translation failed
• Mail Transaction Failed - This mail couldn't be converted
• Delivery Agent - Translation failed
• Mail Delivery - This mail couldn't be displayed
There are additional subject lines and body text used. More information can be found in the description at the McAfee AVERT Web site noted below.
Pathology
After being executed, Netsky.q emails itself out as a .ZIP or .PIF attachment with a filename taken from strings within the worm. The worm then copies itself to the WINDOWS directory with the filename “SysMonXP.exe”. The worm adds a registry key that helps it activate at system start-up.
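The following mail-filter check is an added example, not McAfee code. It matches the subject shape, body lines and .ZIP/.PIF attachment types listed in this release against constructed sample messages. The quarantine policy, the function names and the sample addresses and filenames are assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Strings quoted in the advisory; it notes that additional ones exist.
SUBJECTS = ("Mail Delivery System", "Status", "Unknown Exception",
            "Mail System", "Server Error", "Delivery Failure")
BODIES = ("Mail Delivery Error - This mail contains unicode characters",
          "Mail Delivery System - This mail contains binary characters",
          "Received message has been sent as an encoded attachment.",
          "Delivery Agent - Translation failed",
          "Mail Transaction Failed - This mail couldn't be converted",
          "Mail Delivery - This mail couldn't be displayed")
# "<prefix> (<address>)", the subject shape the advisory lists.
SUBJECT_RE = re.compile(r"^(?:%s) \(([^()\s]+@[^()\s]+)\)$"
                        % "|".join(map(re.escape, SUBJECTS)))

def indicators(raw: bytes) -> dict:
    """Report which advisory indicators a raw message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject": False, "echoes_recipient": False,
            "body": False, "attachment": False}
    m = SUBJECT_RE.match(str(msg["Subject"] or "").strip())
    if m:
        hits["subject"] = True
        to = [a.addr_spec.lower() for a in msg["To"].addresses] if msg["To"] else []
        hits["echoes_recipient"] = m.group(1).lower() in to
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith((".zip", ".pif")):
            hits["attachment"] = True
        elif part.get_content_type() == "text/plain":
            text = part.get_content()
            hits["body"] = hits["body"] or any(b in text for b in BODIES)
    return hits

def should_quarantine(raw: bytes) -> bool:
    """Assumed policy: .zip/.pif attachment plus a subject or body match."""
    h = indicators(raw)
    return h["attachment"] and (h["subject"] or h["body"])

def sample(subject, to, body, attachment=None) -> bytes:
    """Build a constructed test message (placeholder attachment bytes)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.net", to, subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()
```

Requiring the attachment together with a text match keeps genuine bounce notices, which share these subject words but carry no .ZIP or .PIF file, out of quarantine.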
Cure
Immediate information and the cure for this virus can be found online at the Network Associates McAfee AVERT site located at http://vil.nai.com/vil/content/v_101145.htm.
Users of McAfee Security products should update their systems from that page. McAfee AVERT recommends that McAfee Security users access that site to update to the 4345 DATs and the 4240 or later scanning engine to stop potential damage.
Network Associates McAfee Protection-in-Depth Strategy delivers the industry’s only complete set of system and network protection solutions differentiated by intrusion prevention technology that can detect and block these types of attacks. This allows customers to protect themselves while they plan their patch deployment strategy. McAfee AVERT Labs is one of the top-ranked anti-virus research organizations in the world, employing more than 90 researchers in offices on five continents. McAfee AVERT protects customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.
About Network Associates
With headquarters in Santa Clara, California, Network Associates, Inc. (NYSE: NET) creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. Offering two families of products, McAfee System Protection Solutions, securing desktops and servers, and McAfee Network Protection Solutions, ensuring the protection and performance of the corporate network, Network Associates offers computer security to large enterprises, governments, small and medium sized businesses, and consumers. For more information, Network Associates can be reached at 972-963-8000 or on the Internet at http://www.networkassociates.com/.
# # #
NOTE: Network Associates, McAfee and AVERT are either registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the United States and/or other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. 2004 Networks Associates Technology, Inc. All Rights Reserved.