DAWN Ontario: DisAbled Women's Network Ontario


Technology Info, Tips, FAQs You Can Use

Virus Information

Netsky.P - Worm Virus

Virus Alert - March 23, 2004

 

Another new worm started to circulate yesterday, called W32.Netsky.P@mm (also known as W32.Netsky.Q@mm, Win32/Netsky.P@mm, Worm/NetSky.P, W32/Netsky.P.worm).

This new NETSKY variant is very similar to the previous NETSKY variants and to W32.Beagle.O@mm from yesterday's alert.

  • This memory-resident, mass-mailing worm runs on Windows 95, 98, ME, NT, 2000 and XP.

  • It propagates via email using its own Simple Mail Transfer Protocol (SMTP) engine.

  • It exploits a known vulnerability affecting Internet Explorer (IE 5.5 or IE 5.01 not patched with SP2), which allows email attachments to execute automatically while an email is read or previewed.

    PLEASE never use a Reading Pane or an AutoPreview Pane unless your Windows Operating System is fully patched with all the Critical Updates and Service Packs made available to your PC by Microsoft.

  • It attempts to propagate via network shares (Kazaa) by dropping copies of itself in certain folders found on the affected system.


The email has the following characteristics:

From: <Spoofed> (see http://dawn.thot.net/cd/170.html for info on spoofed addresses)

Subject: (Some possible subject lines are listed below)

Re: Encrypted Mail
Re: Extended Mail
Re: Status
Re: Notify
Re: SMTP Server
Re: Mail Server
Re: Delivery Server
Re: Bad Request
Re: Failure
Re: Thank you for delivery
Re: Test
Re: Administration
Re: Message Error
Re: Error
Re: Extended Mail System
Re: Secure SMTP Message
Re: Protected Mail Request
Re: Protected Mail System
Re: Protected Mail Delivery
Re: Secure delivery
Re: Delivery Protection
Re: Mail Authentification
Mail Delivery (failure <spoofed address>)

Body: (Some possible message bodies are listed below)

Please see the attached file for details
Please read the attached file!
Your document is attached.
Please read the document.
Your file is attached.
Your document is attached.
Please confirm the document.
Please read the important document.
See the file.
Requested file.
Authentication required.
Your document is attached to this mail.
I have attached your document.
I have received your document. The corrected document is attached.
Your document.
Your details.


The worm may also append the following to the message body:

+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com


+++ Attachment: No Virus found
+++ Bitdefender AntiVirus - www.bitdefender.com


+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com


+++ Attachment: No Virus found
+++ Kaspersky AntiVirus - www.kaspersky.com


+++ Attachment: No Virus found
+++ Panda AntiVirus - www.pandasoftware.com


++++ Attachment: No Virus found
++++ Norman AntiVirus - www.norman.com


++++ Attachment: No Virus found
++++ F-Secure AntiVirus - www.f-secure.com


++++ Attachment: No Virus found
++++ Norton AntiVirus - www.symantec.de


Attachments:
(Some possible file names are listed below)

  • document05
  • websites03
  • game_xxo
  • your_document

Followed by one of the following:

  • .txt <a long series of blank spaces>
  • .doc <a long series of blank spaces>

Followed by one of the following extensions:

  • .exe
  • .pif
  • .scr
  • .zip
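
A mail-filter heuristic for the attachment naming and the fake "No Virus found" footer described above, as an added example that is not part of the original alert. The function name, the three-space padding threshold and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Decoy document extension, a run of padding spaces, then the real extension.
# The minimum of three spaces is an assumed threshold, not a value from the alert.
PADDED_DOUBLE_EXT = re.compile(r"\.(txt|doc)\s{3,}\.(exe|pif|scr|zip)$", re.I)
# Executable types named in the alert (.zip alone is too common to flag).
RISKY_EXT = re.compile(r"\.(exe|pif|scr)$", re.I)
# Fake scanner line the worm may append to the body (three or four plus signs).
FAKE_SCAN_FOOTER = re.compile(r"^\+{3,4} Attachment: No Virus found\s*$", re.M)

def check_message(raw):
    """Return the reasons a raw RFC 822 message matches the alert's description."""
    reasons = []
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name:
            if PADDED_DOUBLE_EXT.search(name):
                reasons.append("padded-double-extension")
            elif RISKY_EXT.search(name):
                reasons.append("executable-attachment")
        elif part.get_content_type() == "text/plain":
            if FAKE_SCAN_FOOTER.search(part.get_payload()):
                reasons.append("fake-scan-footer")
    return reasons

# Constructed sample message (not captured traffic); <PAD> becomes 40 spaces.
SAMPLE = """\
From: someone@example.invalid
Subject: Re: Mail Authentification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your document is attached.

+++ Attachment: No Virus found
+++ Norman AntiVirus - www.norman.com
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="your_document.doc<PAD>.pif"

AAAA
--b1--
""".replace("<PAD>", " " * 40)

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

The padding pushes the real extension out of view in a narrow attachment list, so the check looks at the end of the file name rather than at the first extension.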

Thank you for being extremely vigilant.

See Virus Alert from March 22, 2004


Website created & maintained
courtesy of Barbara Anello

DAWN Ontario
Box 1138 North Bay, ON P1B 8K4