Description:
On Monday 22 March Trend Micro(tm) TrendLabs(tm) declared a medium risk alert for this new variant of Netsky. Trend Micro has so far received reports of the variant from Europe and USA.
The worm appears to be the next in the now well-known 'virus' war between the creators of 'Netsky' and 'Bagle'. As with the latest variant of Bagle (Q), NETSKY.P exploits an Internet Explorer vulnerability. It makes use of celebrity names like 'Britney Spears' and 'Eminem' in the files it drops, and its message body also contains statements seeming to originate from certain antivirus vendors declaring that 'no virus' has been found.
Propagation:
This malware propagates using various techniques - via email using its own Simple Mail Transfer Protocol (SMTP) engine, by exploiting a known Internet Explorer vulnerability, via network shares - and with the use of social engineering:
* The email that it sends out has varying subjects, message bodies, and attachment file names. It gathers email addresses from files with certain extension names.
* It also has the ability to propagate via network shares by dropping copies of itself to shared folders of the affected system.
* It is the first of the Netsky variants to exploit a known Internet Explorer vulnerability, the incorrect MIME header vulnerability (MS01-020), to execute the malware when the email is read. More information on this vulnerability is available at: www.microsoft.com/technet/security/bulletin/MS01-020.mspx. The recent Bagle.Q variant, which made headlines last week, also used a similar technique.
Payload:
It also carries a payload that deletes specific registry keys, if they exist.
This memory-resident worm is compressed using UPX, and runs on Windows 95, 98, ME, NT, 2000 and XP.
Once WORM_NETSKY.P has infected a PC, it creates certain registry entries so that it executes at every Windows startup; by creating further registry keys, it registers itself as a service.
How to recognise WORM_NETSKY.P:
This worm propagates via email using its own SMTP engine. The email message it sends out comes from a spoofed address. The subject line varies, but includes a number of seemingly harmless examples, such as 'Protected Mail Request' and 'Mail Authentication'. Its message body also contains details seemingly originating from antivirus vendors stating that no virus has been found - several factors which could lead the unsuspecting computer user to believe that it is safe to open the email.
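The lure characteristics described above (the spoofed sender, the quoted subject lines, the 'no virus found' body text) and the MS01-020-style MIME header trick mentioned under Propagation can both be checked at a mail gateway before a message reaches a vulnerable mail client. The following Python script is an added example, not Trend Micro code and not the worm's own code: it builds a constructed sample message and flags any part whose declared Content-Type is a media type while its payload carries the 'MZ' signature of a Windows executable or an executable filename extension, and separately flags the social-engineering cues. The subject list, the extension list and the sample attachment name are assumptions made for this example; the advisory names no attachment file names.

```python
"""Heuristic triage for mail resembling the NETSKY.P lures described in the advisory.

Added example (not Trend Micro code). Two classes of finding:
  1. MIME-header/content mismatch of the MS01-020 kind: a part declared as a
     media or document type whose payload begins with the 'MZ' executable
     signature, or whose filename has an executable extension.
  2. Social-engineering cues: the subject strings quoted in the advisory and a
     body claiming that no virus was found.
All sample messages below are constructed for this example.
"""
import email
from email import policy
from email.message import EmailMessage

# Subject strings quoted in the advisory (lower-cased for comparison).
SUSPICIOUS_SUBJECTS = {"protected mail request", "mail authentication"}
# Extensions Windows executes directly; the advisory names none, this list is an assumption.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
MZ_SIGNATURE = b"MZ"


def part_findings(part):
    """Return findings for one leaf MIME part (mismatch between header and content)."""
    findings = []
    if part.is_multipart():
        return findings
    ctype = part.get_content_type()
    filename = (part.get_filename() or "").lower()
    payload = part.get_payload(decode=True) or b""
    # An executable file name hidden behind a non-application Content-Type.
    if filename.endswith(EXEC_EXTENSIONS) and not ctype.startswith("application/"):
        findings.append(f"executable name {filename!r} declared as {ctype}")
    # Executable bytes hidden behind a media/text Content-Type (the MS01-020 pattern).
    if payload.startswith(MZ_SIGNATURE) and not ctype.startswith("application/"):
        findings.append(f"executable content (MZ header) declared as {ctype}")
    return findings


def triage(raw_bytes):
    """Parse a raw RFC 5322 message and return a list of human-readable findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in SUSPICIOUS_SUBJECTS:
        findings.append(f"lure subject {subject!r}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    if "no virus" in text:
        findings.append("body claims no virus was found")
    for part in msg.walk():
        findings.extend(part_findings(part))
    return findings


def build_lure_sample():
    """Constructed message mimicking the lure: spoofed sender, quoted subject, fake AV note,
    and an attachment whose Content-Type (audio/x-wav) does not match its content."""
    msg = EmailMessage()
    msg["From"] = "spoofed@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Protected Mail Request"
    msg.set_content("Your mail has been scanned. No virus found.\n")
    # Only the two-byte DOS stub signature plus filler; this is not a real binary.
    fake_exe = MZ_SIGNATURE + b"\x00" * 62
    # 'message.scr' is an assumed name; the advisory does not name the attachment.
    msg.add_attachment(fake_exe, maintype="audio", subtype="x-wav", filename="message.scr")
    return msg.as_bytes()


def build_clean_sample():
    """Constructed benign message used to show the triage stays quiet on normal mail."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Meeting notes"
    msg.set_content("See you at 10.\n")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, raw in (("lure", build_lure_sample()), ("clean", build_clean_sample())):
        print(name, "->", triage(raw) or ["no findings"])
```

The header/content check is the part worth keeping: a gateway that relies on the declared Content-Type alone is exactly what the MS01-020 technique abuses, so the decision should rest on the filename and the leading bytes of the decoded payload rather than on the header.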
David Kopp, Head of TrendLabs Europe says, "The virus writers are now increasing the complexity of their creations - possibly an effect of this ongoing 'war', in an attempt to outdo their opponent. We are now seeing the inclusion of payloads and social engineering to a far greater degree. Computer users should remain extremely vigilant at this particularly unsettled time."
Trend Micro customers are protected from NETSKY.P, through the latest pattern file, number 832.
Customers of Outbreak Prevention Services should download OPP 99 to help protect against spread of this threat. For customers of Damage Cleanup Services, Damage Cleanup template # 296 is available.
Other users should use Trend Micro's free online virus scanner, Housecall, which can be found at http://housecall.trendmicro.com/. For more information, please visit: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.P
# # #
About Trend Micro
Trend Micro is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has business units worldwide. Trend Micro products are sold through corporate, value-added resellers and managed service providers. For additional information and evaluation copies of all Trend Micro products, visit: www.trendmicro-europe.com.
# # #
Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners. Information is accurate at the time it was written and is subject to change without notice.
For more information please contact:
Trend Micro
Anna Wright
EMEA PR Manager
Tel: +44 (0)1628 400534
E-mail: Anna_Wright@trendmicro.co.uk
Lammers van Toorenburg Benelux PR
Anja Breunis / Annegees van Linge
Tel: +31 (0)30 6565 070
E-mail: anja@lvtpr.nl / annegees@lvtpr.nl