Bugsalert.com
Security News about Viruses, Spyware,
Trojans, Malware, XSS attacks.
Home | Sitemap

WORM_NETSKY.P
BugsAlert Home > WORM_NETSKY.P
 
 

This NETSKY worm spreads by sending out copies of itself as email attachment using its built-in SMTP engine. It gathers target recipients from certain files found on the affected machine, virtually turning the affected system into a propagation launch pad.

The email it sends out has a spoofed sender's name, varying subjects, message bodies and attachments, and generally mimics email delivery notifications. For complete details about the email that this worm sends out, please click here.

To extend its reach and maximize its distribution potential, this worm employs the following:

  • Social engineering

    Like most mass-mailing worm programs, this worm employs social engineering to get through that most critical barrier to propagation, which is getting the target recipient to open the infected email and execute the attachment.

    It uses an email message that takes the form of an email delivery notification (which is typical of most NETSKY worms) to trick the user into thinking that the email is from a valid source. Social engineering not only aids the worm in getting the target recipient to open the infected email, it also allows the worm to evade content filters or scanners.

    For complete details about the email that this worm sends out, please click here.

  • Built-in SMTP engine

    This worm also uses its built-in SMTP (Simple Mail Transfer Protocol) engine for easy propagation, allowing the worm to send email without having to rely on other email applications to spread. Most mass-mailing worm programs have built-in SMTP engines to facilitate easy propagation.

  • Incorrect MIME Header Vulnerability (MS01-020)

    This worm also exploits the Incorrect MIME Header vulnerability to propagate. The vulnerability allows the automatic execution of attachments, while an email is viewed or previewed and affects Internet Explorer 5.1 and 5.5.

    For a detailed discussion of the Incorrect MIME Header Vulnerability, please consult the following Microsoft page:

This worm also tries to propagate via peer-to-peer networks by searching drives C to Z for folders that contain strings that are mostly associated with peer-to-peer aplications.

It deletes several autorun registry entries to prevent the automatic execution of different variants of the following worms:

  • BAGLE
  • NACHI
  • MYDOOM
  • DEADHAT

This worm usually arrives UPX- and FSG-compressed to prevent easy detection. It runs on Windows 95, 98, ME, NT, 2000, and XP.

Note: Trend Micro also detects empty email messages from this worm as WORM_NETSKY.P, and the HTML file containing the exploit as HTML_NETSKY.P. The email and the HTML file may contain a damaged attachment or no attachment at all. At any case, no malware file will be executed.




Original Source: http://feeds.trendmicro.com/~r/MalwareTop10/~3/104911828/default5.asp

Learn more about WORM_NETSKY.P
 
Tags: worm netsky.p

Related Items
      Debian update for kdegraphics

      CVE-2007-6307 (wwwstats)

      Red Hat update for e2fsprogs

      FrSIRT - BEA JRockit Security Update Fixes Multiple Remote Vulnerabilities

      HTML_IFRAME.OM

      CVE-2008-2834 (scientific_image_database)

      Brief: Apple publishes a peck of patches

 
© 2007-2008 BugsAlert.com Original template by Arcsin Hosted By 1and1


Pixel