February 26, 2004 - Trend Micro issued a high risk alert for a new variant of the NETSKY worm, WORM_NETSKY.C, following a number of reports in APAC, EMEA, and the US. This mass-mailing, memory-resident worm propagates through SMTP (Simple Mail Transfer Protocol) mail and drops copies of itself into a victim's shared folders.
This malicious code relies on social engineering tricks to ensure its execution. Its subject and message body are very short. In fact, as more and more companies ban the use of Instant Messaging, employees are using email to communicate in "T-Time". Thus the short email bodies used by this malicious code try to imitate this trend to mislead users. Once again, this worm spoofs the sender identity. This malicious code also spreads via shared folders, such as those of Kazaa, by dropping copies of itself with attractive names such as "photoshop 9 crack.exe" and "how to hack.doc.exe".
This malicious code may not cause major damage to an infected computer, as it does not delete files, format hard drives, etc. However, it could affect the performance of computers, as the malicious action may take up memory space and therefore slow the machine down. This virus also drops copies of itself into shared folders. So, upon execution of this virus, users whose hard drive is very low on available free space may have some issues with the computer crashing or freezing.
Interestingly, if the current system date is February 26, 2004 and the time is between 6 and 9 AM, this malware generates beeping sounds.
Like its predecessor, WORM_NETSKY.B (February 18, 2004), WORM_NETSKY.C uses a mass-mailing routine with any number of subject and message lines, such as "Here it is" or "I wait for your comment about it", to entice recipients to open the file attachment, which bears a single or double extension. Once executed, WORM_NETSKY.C drops a copy of itself through various shared folders in Windows, using filenames similar to legitimate programs, like "MS Service Pack 5.exe" or "Adobe Premiere 9.exe".
The worm arrives in an attachment 25.0 KB in size. It affects Windows 95, 98, ME, NT, 2000 and XP platforms. This worm may also be known by the following aliases: W32/Netsky.c@MM, I-Worm.Moodown.c, or Worm/NetSky.C.
Trend Micro customers should download pattern file 781. Customers of Outbreak Prevention Services should download OPP 83 to ensure their systems are protected against this latest threat. For customers of Damage Cleanup Services, Damage Cleanup template # 269 is currently available for help with automated restoration of affected systems.
Other users should use Trend Micro's free online virus scanner, Housecall, which can be found at http://housecall.trendmicro.com/
For more information, please visit http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.C
# # #
About Trend Micro
Trend Micro is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has business units worldwide. Trend Micro products are sold through corporate, value-added resellers and managed service providers. For additional information and evaluation copies of all Trend Micro products, visit: www.trendmicro.com.
# # #
Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. TrendLabs is a service mark of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners. Information is accurate at the time it was written and is subject to change without notice.
For more information please contact:
Trend Micro
Anna Wright
EMEA PR Manager
Tel: +44 (0)1628 400534
E-mail: Anna_Wright@trendmicro.co.uk
Lammers van Toorenburg Benelux PR
Anja Breunis / Annegees van Linge
Tel: +31 (0)30 6565 070
E-mail: anja@lvtpr.nl / annegees@lvtpr.nl