March 29, 2004 - Trend Micro issued a "medium risk" alert for WORM_NETSKY.Q to raise awareness among users; this worm has been sighted in Asia Pacific, mostly in Japan. This version of the mass-mailing worm, which exploits an Internet Explorer vulnerability allowing it to launch while being read or previewed, includes a message from the virus authors embedded within its code.
Calling themselves the "SkyNet Antivirus Team" hailing from Russia, the virus authors claim they are educating users, and want to prevent hacking, cracking, and sharing of illegal content. "We don't have any criminal inspirations," states the hidden message. The virus authors also detail that they do not include backdoors for spam relaying, they are not children, and that they program in C++ (a high-level programming language). The message closes with: "Users do not need a new av-update, they need a better education!" "SkyNet" is a reference to the ominous, self-aware computer system that launches an apocalyptic war against mankind in the popular "Terminator" films.
"Although they claim to not be criminals, what the NETSKY creators don't realize is that their actions do have costs to businesses and organizations that have to fight infections or shut down services," commented Joe Hartmann, antivirus expert for Trend Micro, Inc. "There are no 'good' viruses, and releasing malicious code for 'education' is clearly not ethical either."
This variant of NETSKY arrives bearing a header and message body stating a "mail delivery error", and has a ZIP or PIF file attachment that varies in size. Once executed, WORM_NETSKY.Q drops one of several files into the Windows folder, including a copy of itself as FIREWALLLOGGER.TXT. A registry entry causes the memory-resident worm to automatically execute at each subsequent system startup. NETSKY.Q, like previous variants, avoids sending itself to many security firms and organizations.
WORM_NETSKY.Q affects Windows 95, 98, ME, NT, 2000 and XP platforms. This worm may also be known by the following alias: W32/Netsky.q@MM.
Trend Micro customers are protected through the latest pattern file, number 842. Customers of Outbreak Prevention Services should download OPP 102 to help protect against spread of this threat. For customers of Damage Cleanup Services, Damage Cleanup template # 301 should be downloaded to help with automated restoration of affected systems.
Other users should use Trend Micro's free online virus scanner, Housecall, which can be found at http://housecall.trendmicro.com/. For more information, please visit http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.Q
# # #
About Trend Micro
Trend Micro is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has business units worldwide. Trend Micro products are sold through corporate, value-added resellers and managed service providers. For additional information and evaluation copies of all Trend Micro products, visit: www.trendmicro-europe.com.
# # #
Trend Micro and the t-ball logo are trademarks or registered trademarks of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners. Information is accurate at the time it was written and is subject to change without notice.
For more information please contact:
Trend Micro
Anna Wright
EMEA PR Manager
Tel: +44 (0)1628 400534
E-mail: Anna_Wright@trendmicro.co.uk
Lammers van Toorenburg Benelux PR
Anja Breunis / Annegees van Linge
Tel: +31 (0)30 6565 070
E-mail: anja@lvtpr.nl / annegees@lvtpr.nl