Marlow, UK - February 19, 2004 - Trend Micro Inc. (TSE: 4704, NASDAQ: TMIC), a leader in network antivirus and Internet content security software and services, today issued a medium risk alert for a new variant of the Netsky Worm, Worm_Netsky.B. Trend Micro has received reports of this mass-mailer, memory resident worm in Japan, Netherlands, Sweden, Germany and U.S. This malware spreads via email using social engineering techniques to mimic instant messaging and brief emails common in communications today.
This malware is a memory resident mass mailer that uses SMTP to propagate and spread copies of itself, arriving as an attachment using a double extension to fool users into thinking the files are safe attachments like documents and text files (such as Word files). Netsky.B uses a combination of several simple one line subjects and messages, such as "something for you", "here's the document", or "read it immediately" that are similar to emails sent by known contacts. In contrast, the first variant, Netsky.A, discovered February 16, 2004, arrived masquerading as a congratulatory email from online auction sites, which people were not as likely to open, which may explain why the B variant has spread much further than the A variant.
"No special system vulnerabilities or exploits were even employed in the email messages, yet users seem to not have learned to simply say 'NO' to clicking on attachments," commented Jamz Yaneza, Senior Antivirus Consultant with TrendLabs(tm), Trend Micro's global antivirus research and support centre.
Upon execution, the said copies are dropped into the victim's shared folders as the file SERVICES.EXE in the Windows folder. Copies of the worm are also dropped in shared drives including default P2P shared file locations. In contrast Netsky.A drops ZIP archived copies of itself in the Windows root folder, something that Netsky.B forgoes in favor of dropping in more common shared folders. Opening any of these dropped files results in a fake error message stating "The file could not be opened!" System registry changes to infected machines make the worm execute at every system startup. Customers may experience a slowdown in email access because of increased email traffic.
The worm arrives in an attachment 22.0 KB in size. This worm is also known under the aliases: W32/Netsky.b@MM, Moodown.B, W32/Netsky-B, and I-Worm.Moodown.B.
Trend Micro customers should download pattern file 769. Customers of Outbreak Prevention Services should download OPP 80 to ensure their systems are protected against this latest threat. Other users should use Trend Micro's free online virus scanner, Housecall, which can be found at http://housecall.trendmicro.com/
For more information, please visit http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.B
###
About Trend Micro
Trend Micro is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has its European headquarters in Marlow, England, and business units worldwide. Trend Micro products are sold through corporate, value-added resellers and managed service providers. For additional information and evaluation copies of all Trend Micro products, visit: www.trendmicro-europe.com.
# # #
Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. TrendLabs is a service mark of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners. Information is accurate time it was written and is subject to change without notice.
For more information please contact:
Anna Wright
EMEA PR Manager
+44 1628 400 534
anna_wright@trendmicro.co.uk
LVT Benelux PR
Anja Breunis/Annegees van Linge
Tel: +31 (0)30 6565 070
E-mail: anja@lvtpr.nl/annegees@lvtpr.nl