Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Virus Advisory: Network Associates(R) McAfee AVERT Places Medium Risk Assessment on New W32/Netsky.b@MM Worm

  • 19 February, 2004 10:38

<p>McAfee AVERT Receives Close to 200 Samples of W32/Netsky.b@MM from Customers around the World</p>
<p>SYDNEY, Feb. 19, 2004 - Network Associates, the leading provider of intrusion prevention solutions, today announced that McAfee(R) AVERT(TM) (Anti-Virus Emergency Response Team), the world-class anti-virus research division of Network Associates(R), assigned a Medium risk assessment to the recently discovered W32/Netsky.b@MM, also known as Netsky.b. Netsky.b is a destructive worm that spreads via email, sending itself to addresses found on the victim's machine. The worm was first seen by McAfee AVERT researchers earlier today. To date, McAfee AVERT is receiving 40-50 samples an hour from both real customer submissions and virus-generated mail. In total, McAfee AVERT has seen close to 200 samples from customers around the world, with a large proportion of them coming from the Netherlands.</p>
<p>Symptoms</p>
<p>Netsky.b is an Internet worm that, once activated, emails itself to addresses found on the victim's machine. The worm also copies itself to folders on drives 'C:-Z:' whose names include the words 'shared' or 'sharing,' presumably to achieve P2P propagation. The attachment may have a double extension such as .rtf.pif and may be contained in a .ZIP file. Users should immediately delete any email with the following:</p>
<p>Message body (composed from the following strings):</p>
<p>-- I have your password!</p>
<p>-- about me</p>
<p>-- anything ok?</p>
<p>-- do you?</p>
<p>-- from the chatter</p>
<p>-- greetings</p>
<p>-- hello</p>
<p>-- here</p>
<p>-- here is the document.</p>
<p>-- here it is</p>
<p>-- here, the cheats</p>
<p>-- here, the introduction</p>
<p>-- here, the serials</p>
<p>-- hi</p>
<p>-- i found this document about you</p>
<p>-- i hope it is not true!</p>
<p>-- i wait for a reply!</p>
<p>-- i'm waiting</p>
<p>-- information about you</p>
<p>-- is that from you?</p>
<p>-- is that true?</p>
<p>-- is that your account?</p>
<p>-- is that your name?</p>
<p>-- kill the writer of this document!</p>
<p>-- my hero</p>
<p>-- ok</p>
<p>-- read it immediately!</p>
<p>-- read the details.</p>
<p>-- reply</p>
<p>-- see you</p>
<p>-- something about you!</p>
<p>-- something is fool</p>
<p>-- something is going wrong</p>
<p>-- something is going wrong!</p>
<p>-- stuff about you?</p>
<p>-- take it easy</p>
<p>-- that is bad</p>
<p>-- that's funny</p>
<p>-- thats wrong why?</p>
<p>-- what does it mean?</p>
<p>-- yes, really?</p>
<p>-- you are a bad writer</p>
<p>-- you are bad</p>
<p>-- you earn money</p>
<p>-- you feel the same</p>
<p>-- you try to steal</p>
<p>-- your name is wrong</p>
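<p>A mail-triage check for the two symptoms above, the double-extension attachment (directly or inside a .ZIP) and a body made of one of the listed strings. This is an added example, not McAfee AVERT's detection logic; the extension sets other than .rtf/.pif, the exact-match rule for the body and all function names are assumptions, and the sample message is constructed and harmless.</p>

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Only .rtf.pif is named in the advisory; the other extensions are assumptions.
EXEC_EXTS = {"pif", "scr", "exe", "com"}
DOC_EXTS = {"rtf", "doc", "txt", "htm"}
# Subset of the advisory's body strings, lower-cased for comparison.
BODY_STRINGS = {"here is the document.", "read it immediately!",
                "i found this document about you", "something is going wrong"}

def is_double_extension(name):
    """True for names like x.rtf.pif: document extension, then executable one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOC_EXTS and parts[2] in EXEC_EXTS

def attachment_findings(name, data):
    """Check one attachment, looking one level into ZIP archives."""
    findings = [f"double extension: {name}"] if is_double_extension(name) else []
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                findings += [f"double extension in {name}: {m}"
                             for m in zf.namelist() if is_double_extension(m)]
        except zipfile.BadZipFile:
            findings.append(f"unreadable zip: {name}")
    return findings

def triage(raw):
    """Return the list of findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() in BODY_STRINGS:
        findings.append("body matches advisory string")
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        findings += attachment_findings(part.get_filename() or "", data)
    return findings

def build_sample():
    """Constructed message: a harmless text file zipped under a suspicious name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.rtf.pif", "harmless placeholder")
    msg = EmailMessage()
    msg.set_content("here is the document.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()
```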
<p>Pathology</p>
<p>After being executed, Netsky.b emails itself out as an attachment with a randomly chosen filename. The worm then copies itself into %windir% with the filename SERVICES.EXE. The worm adds the value '"service" = C:\WINNT\services.exe -serv' under the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', which helps it activate at system start-up. McAfee AVERT researchers believe the worm may attempt to clean up the MyDoom backdoor by deleting the registry keys that load it at system start-up.</p>
<p>Cure</p>
<p>Immediate information and cure for this virus can be found online at the Network Associates McAfee AVERT site located at http://vil.nai.com/vil/content/v_101034.htm. Users of McAfee Security anti-virus products should update their systems from that page and use the 4325 or later scanning engine to stop potential damage.</p>
<p>Network Associates McAfee(R) Protection-in-Depth(TM) Strategy delivers the industry's only complete set of system and network protection solutions differentiated by intrusion prevention technology that can detect and block these types of attacks. This allows customers to protect themselves while they plan their patch deployment strategy.</p>
<p>McAfee AVERT Labs is one of the top-ranked anti-virus research organizations in the world, employing more than 90 researchers in offices on five continents. McAfee AVERT protects customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.</p>
<p>About Network Associates</p>
<p>With headquarters in Santa Clara, California, Network Associates, Inc. creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. Offering two families of products, McAfee System Protection Solutions, securing desktops and servers, and McAfee Network Protection Solutions, ensuring the protection and performance of the corporate network, Network Associates offers computer security to large enterprises, governments, small and medium sized businesses, and consumers.</p>
<p>NOTE: Network Associates, McAfee and AVERT are either registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the United States and/or other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners.</p>
<p>##ENDS##</p>
<p>For further information or comment, please contact Allan Bell directly on the details below:</p>
<p>Allan Bell - Marketing Director,
Network Associates,
0412 411 929 or
02 9761 4229</p>
