Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

VIRUS ADVISORY: McAfee AVERT Places risk assessment at medium on new W32/NETSKY.D@MM worm

  • 02 March, 2004 09:18

<p>For further information or comment, please contact Allan Bell directly on the details below:</p>
<p>Allan Bell - Marketing Director, Network Associates 0412 411 929 or 02 9761 4229.</p>
<p>McAfee AVERT Receives Unprecedented Submissions of Virus Variants, led today by W32/Netsky.d@MM, from Customers around the World</p>
<p>SYDNEY, March 2, 2004 — Network Associates, the leading provider of intrusion prevention solutions, today announced that McAfee AVERT (Anti-Virus and Vulnerability Emergency Response Team), the world-class anti-virus and vulnerability research division of Network Associates, raised the risk assessment to medium on the recently discovered W32/Netsky.d@MM, also known as Netsky.d. Netsky.d is a prolific worm that spreads via email, sending itself to addresses found on the victim’s machine. The worm has many of the same functionalities as its Netsky predecessors, two of which are also currently rated a medium risk threat. McAfee AVERT researchers first saw the worm earlier today and to date, have received approximately 200 samples of Netsky.d from both real customer submissions and virus-generated mail from customers around the world.</p>
<p>Most of the Netsky.d samples that McAfee AVERT has seen are from the virus itself, which is spoofing the addresses, and not from the infected customers. This is the case with most viruses at this point, the three most prevalent families being Mydoom, Bagle, and Netsky.</p>
<p>Symptoms</p>
<p>Netsky.d is an Internet worm that once activated emails itself to addresses found on the victim’s machine. The worm then attempts to copy itself to folders on drives C: through Z: and attempts to deactivate the W32/Mydoom.a@MM and W32/Mydoom.b@MM viruses. The worm causes unexpected network traffic and an audio payload, similar to the W32/Netsky.c@MM variant, and causes the machine to make random beeping sounds with varying pitches and rhythm upon a specific date and time.
Users should immediately delete any email containing the following:</p>
<p>From: (forged address taken from infected system)</p>
<p>Subject: Taken from the following list:</p>
<p>Re: Hello</p>
<p>Re: Hi</p>
<p>Re: Thanks!</p>
<p>Re: Document</p>
<p>Re: Message</p>
<p>Re: Here</p>
<p>Re: Details</p>
<p>Re: Your details</p>
<p>Re: Approved</p>
<p>Re: Your document</p>
<p>Re: Your text</p>
<p>Re: Excel file</p>
<p>Re: Word file</p>
<p>Re: My details</p>
<p>Re: Your music</p>
<p>Re: Your bill</p>
<p>Re: Your letter</p>
<p>Re: Document</p>
<p>Re: Your website</p>
<p>Re: Your product</p>
<p>Re: Your document</p>
<p>Re: Your software</p>
<p>Re: Your archive</p>
<p>Re: Your picture</p>
<p>Re: Here is the document</p>
<p>Body: Taken from the following list:</p>
<p>Here is the file.</p>
<p>Your file is attached.</p>
<p>Your document is attached.</p>
<p>Please read the attached file.</p>
<p>Please have a look at the attached file.</p>
<p>See the attached file for details.</p>
<p>Pathology</p>
<p>After being executed, Netsky.d emails itself out as a .PIF attachment with a filename taken from strings within the worm. It queries the DNS server for the MX record and connects directly to the Mail Transfer Agent (MTA) of the targeted domain and sends the message. The worm then copies itself the WINDOWS directory with the filename ‘WINLOGON.EXE’. The worm adds the key,
‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"ICQ Net" = %WinDir%\WINLOGON.EXE -stealth,’ to the registry, which helps it activate at the system start-up.</p>
<p>Cure</p>
<p>Immediate information and the cure for this virus can be found online at the Network Associates McAfee AVERT site located at http://vil.nai.com/vil/content/v_101064.htm. Users of McAfee Security products should update their systems from that page. Generic protection, which also protects users against the W32/Netsky.c@MM variant, has been available with the 4328 or later scanning engine to stop potential damage.</p>
<p>Network Associates McAfee Protection-in-Depth Strategy delivers the industry’s only complete set of system and network protection solutions differentiated by intrusion prevention technology that can detect and block these types of attacks. This allows customers to protect themselves while they plan their patch deployment strategy.</p>
<p>McAfee AVERT Labs is one of the top-ranked anti-virus research organizations in the world, employing more than 90 researchers in offices on five continents. McAfee AVERT protects customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to generate cures for previously undiscovered viruses.</p>
<p>About Network Associates</p>
<p>With headquarters in Santa Clara, California, Network Associates, Inc. (NYSE: NET) creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. Offering two families of products, McAfee System Protection Solutions, securing desktops and servers, and McAfee Network Protection Solutions, ensuring the protection and performance of the corporate network, Network Associates offers computer security to large enterprises, governments, small and medium sized businesses, and consumers. For more information, Network Associates can be reached on the Internet at http://www.networkassociates.com/.</p>
<p>##ENDS##</p>
<p>NOTE: Network Associates, McAfee and AVERT are either registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the United States and/or other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. *2004 Networks Associates Technology, Inc. All Rights Reserved</p>

Most Popular

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Join the newsletter!

Error: Please check your email address.

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?