WORM_NETSKY.P
This NETSKY worm spreads by sending out copies of itself as an email attachment using its built-in SMTP engine. It gathers target recipients from certain files found on the affected machine, virtually turning the affected system into a propagation launch pad.
Overall Risk Rating - Medium
Reported Infections - Medium
Damage Potential - High
Distribution Potential - High
Malware Type - Worm
Aliases: W32.Netsky.Q@mm, Win32/Netsky.P@mm, Worm/NetSky.P, W32/Netsky.P.worm
In the wild: Yes
Destructive: Yes
Language: English
Platform: Windows 95, 98, ME, NT, 2000, XP
Encrypted: No
The email it sends out has a spoofed sender name and varying subjects, message bodies and attachments, and generally mimics email delivery notifications.
To extend its reach and maximize its distribution potential, this worm employs the following:
Social engineering
Like most mass-mailing worm programs, this worm employs social engineering to get through that most critical barrier to propagation, which is getting the target recipient to open the infected email and execute the attachment.
It uses an email message that takes the form of an email delivery notification (which is typical of most NETSKY worms) to trick the user into thinking that the email is from a valid source. Social engineering not only aids the worm in getting the target recipient to open the infected email, it also allows the worm to evade content filters or scanners.
Built-in SMTP engine
This worm also uses its built-in SMTP (Simple Mail Transfer Protocol) engine for easy propagation, allowing the worm to send email without having to rely on other email applications to spread. Most mass-mailing worm programs have built-in SMTP engines to facilitate easy propagation.
Incorrect MIME Header Vulnerability (MS01-020)
This worm also exploits the Incorrect MIME Header vulnerability to propagate. The vulnerability allows an attachment to be executed automatically while an email is viewed or previewed, and affects Internet Explorer 5.1 and 5.5.
For a detailed discussion of the Incorrect MIME Header Vulnerability, please consult the following Microsoft page:
Microsoft Security Bulletin MS01-020
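A defender-side check for the attachment shape MS01-020 describes, added here as an example and not part of the advisory. It assumes the bulletin's mechanism (an attachment declared as a harmless media type whose body is actually a Win32 executable) and runs over a constructed sample message; the extension list and the fake delivery notice are assumptions, not data from the page.

```python
from email import policy
from email.parser import BytesParser

# Extensions Windows executes, and the media types an MS01-020-style message hid behind.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}
MEDIA_PREFIXES = ("audio/", "image/", "video/", "text/")


def suspicious_parts(raw_message: bytes) -> list:
    """Return (filename, declared type, reason) for each attachment that looks
    like a Win32 executable presented under a benign MIME type."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        filename = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        # A DOS/PE executable starts with the "MZ" signature.
        if payload[:2] == b"MZ" and ctype not in EXECUTABLE_TYPES:
            reasons.append("MZ payload declared as " + ctype)
        if filename.endswith(EXECUTABLE_EXTENSIONS) and ctype.startswith(MEDIA_PREFIXES):
            reasons.append("executable filename declared as " + ctype)
        if reasons:
            findings.append((filename, ctype, "; ".join(reasons)))
    return findings


# Constructed sample: a fake delivery notice carrying a 12-byte "MZ" stub
# (base64) labelled audio/x-wav, the shape MS01-020 let IE run on preview.
SAMPLE_MESSAGE = b"""\
From: postmaster@example.invalid
To: user@example.invalid
Subject: Delivery failure notification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Your message could not be delivered; the report is attached.
--sep
Content-Type: audio/x-wav; name="report.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.exe"

TVoAAAAAAAAAAAAA
--sep--
"""
```

Running `suspicious_parts(SAMPLE_MESSAGE)` flags the audio/x-wav part on both the MZ signature and the executable filename; a plain text/plain message yields no findings.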
This worm also tries to propagate via peer-to-peer networks by searching drives C to Z for folders whose names contain strings commonly associated with peer-to-peer applications.
It deletes several autorun registry entries to prevent the automatic execution of different variants of the following worms:
BAGLE
NACHI
MYDOOM
DEADHAT
This worm usually arrives UPX- and FSG-compressed to prevent easy detection. It runs on Windows 95, 98, ME, NT, 2000, and XP.