
[pct-l] email worm



Today I just downloaded two copies of an email worm known as W32.Netsky@mm. 
Worms are like viruses, only more insidious since they try to propagate 
themselves. Since the emails were addressed to "Tangent," an email I only 
use on this list, it is likely someone on this list has an infected computer.

The details of the virus are at: 
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.d@mm.html

This worm will:
    * If it is between 6:00am and 9:00am on Tuesday, March 2, 2004, the
      PC speaker will beep in a continuous loop. Each beep will be for a
      random period of time, at a random frequency.
    * Scan drives C through Z for email addresses.
    * Use its own SMTP engine to send itself to the email addresses it
      found above, sending to each address once. The worm uses the local
      DNS server (retrieved via an API), if available, to perform an MX
      lookup for the recipient address. If the local DNS fails, it will
      perform the lookup from the following list of hard-coded servers.
    * The email has the following characteristics:
        * From: <spoofed>
        * Subject: (One of the following)
            * Re: Your website
            * Re: Your product
            * Re: Your letter
            * Re: Your archive
            * Re: Your text
            * Re: Your bill
            * Re: Your details
            * Re: My details
            * Re: Word file
            * Re: Excel file
            * Re: Details
            * Re: Approved
            * Re: Your software
            * Re: Your music
            * Re: Here
            * Re: Re: Re: Your document
            * Re: Hello
            * Re: Hi
            * Re: Re: Message
            * Re: Your picture
            * Re: Here is the document
            * Re: Your document
            * Re: Thanks!
            * Re: Re: Thanks!
            * Re: Re: Document
            * Re: Document
        * Body: (One of the following)
            * Your file is attached.
            * Please read the attached file.
            * Please have a look at the attached file.
            * See the attached file for details.
            * Here is the file.
            * Your document is attached.
The attachment is a PIF file which you are supposed to click to activate 
the virus on your PC.

To narrow the list of victims, the infected computer is likely a PC running 
Windows. The few Linux and Mac users may now be proud.

I just updated my virus definition list last Friday, and this worm was not 
detected until after I spotted the suspicious emails and updated my virus 
definition list again. It's not enough to simply have virus software; you 
have to keep it up to date daily. And it's definitely not enough to simply 
visit responsible web sites and avoid high-volume email lists; having virus 
software is not only necessary but polite to your fellow users.

Symantec provides a tool to remove the virus available at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky@mm.removal.tool.html

If anyone has questions or needs help with this, let me know.

Tangent
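As an added example (not part of the post above or Symantec's tooling), a small triage filter that checks an incoming message for the three Netsky.D lure traits the post lists: one of the quoted subjects, one of the quoted one-line bodies, and a .pif attachment. The sample messages are constructed with placeholder bytes; the address names are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure traits quoted from the post above (Netsky.D subjects and bodies).
NETSKY_SUBJECTS = {
    "Re: Your website", "Re: Your product", "Re: Your letter", "Re: Your archive",
    "Re: Your text", "Re: Your bill", "Re: Your details", "Re: My details",
    "Re: Word file", "Re: Excel file", "Re: Details", "Re: Approved",
    "Re: Your software", "Re: Your music", "Re: Here", "Re: Re: Re: Your document",
    "Re: Hello", "Re: Hi", "Re: Re: Message", "Re: Your picture",
    "Re: Here is the document", "Re: Your document", "Re: Thanks!",
    "Re: Re: Thanks!", "Re: Re: Document", "Re: Document",
}
NETSKY_BODIES = {
    "Your file is attached.", "Please read the attached file.",
    "Please have a look at the attached file.", "See the attached file for details.",
    "Here is the file.", "Your document is attached.",
}

def netsky_indicators(raw):
    """Return which Netsky.D lure traits a raw RFC 822 message shows:
    'subject', 'body' and/or 'pif-attachment'. All three together is a strong
    match; the subject alone is weak (these are ordinary reply subjects)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg["Subject"] or "").strip() in NETSKY_SUBJECTS:
        hits.append("subject")
    text = msg.get_body(preferencelist=("plain",))
    if text is not None and text.get_content().strip() in NETSKY_BODIES:
        hits.append("body")
    if any((p.get_filename() or "").lower().endswith(".pif")
           for p in msg.iter_attachments()):
        hits.append("pif-attachment")
    return hits

def build_sample(subject, body, attachment_name=None):
    """Construct a harmless sample message (placeholder bytes, no executable)."""
    m = EmailMessage()
    m["From"] = "spoofed@example.invalid"   # assumed address; the worm forges the sender
    m["To"] = "tangent@example.invalid"     # assumed address
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"placeholder, not a real attachment",
                         maintype="application", subtype="octet-stream",
                         filename=attachment_name)
    return m.as_bytes()
```

Subject-only hits should not be acted on by themselves, since every subject in the list is a plausible ordinary reply; the .pif attachment is the trait worth quarantining on.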