Date: 23 March 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2004.09 -- AUSCERT ALERT
W32/Netsky.P@mm spreading with new attack methods
23 March 2004
===========================================================================
AusCERT Alert Summary
---------------------
Operating System:  Windows
Impact:            Denial of Service
                   Access Privileged Data
                   Reduced Security
Access Required:   Remote
PROBLEM:
AusCERT has received reports from European CERTs and antivirus
vendors that a new variant of the mass-mailing worm "Netsky" is
spreading. The indications are that the rate of infections being
reported to antivirus suppliers is increasing. Patches are
available from antivirus software vendors who are assessing the
current threat as MEDIUM.
W32/Netsky.P@mm spreads itself inside a dropper that extracts the
main worm's file to a hard drive when it is run. This variant is
functionally similar to the previous variants; however, it has some
new features. The worm can spread in e-mail, local and peer-to-peer
networks and to ftp and http server folders[1].
PLATFORM:
W32/Netsky.P@mm affects Windows platforms.
IMPACT:
The worms could cause disruption to regular traffic on Australian
email servers as well as allowing remote access to third parties
via backdoors installed as part of the infection routines. Refer
to REFERENCES below for specific details of this variant.
MITIGATION:
AusCERT advises members to disseminate and take action on this
information to prevent any undesirable activity by this virus
within their sites. When possible, upgrade all anti-virus software
to use the latest definition files as soon as they become
available.
Users should remain aware of the danger of opening unsolicited
email attachments and review the advice in the article "Protecting
your computer from malicious code"[3].
For details on previous Netsky variants see REFERENCES at [4] below.
REFERENCES:
[1] F-Secure Virus Descriptions : NetSky.P
http://www.f-secure.com/v-descs/netsky_p.shtml
[2] Netsky.P
http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=38650
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101119
http://www.f-secure.com/v-descs/netsky_p.shtml
http://www.sophos.com/virusinfo/analyses/w32netskyp.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.p@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.P
http://vil.nai.com/vil/content/v_101119.htm
[3] Protecting your computer from malicious code
http://www.auscert.org.au/3352
[4] AL-2004.06 -- Variants of mass-mailing worms Netsky and Bagle
spreading rapidly
http://www.auscert.org.au/3908
AL-2004.05 -- Malicious Software Report - W32/Netsky.b
http://www.auscert.org.au/3860
- ---------------------------------------------------------------------------
The AusCERT team has made every effort to ensure that the information
contained in this security bulletin is accurate at the time of publication.
However, the decision to follow or act on information or advice contained in
this security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
===========================================================================