The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community. <h2>W32/Netsky.B Virus</h2> Release Date: February 18, 2004<br/> Last Updated: -- <h3>Overview</h3> <p>The CERT/CC has been receiving reports of a new mass-mailing virus known as W32/Netsky.B.</p> <h3>Description</h3> <p>The W32/Netsky.B virus propagates either as an attachment to an email message or by automatically copying itself to Windows network shares. Upon successful execution, the virus attempts to</p> <ul> <li>modify various Windows registry values so that the virus is run again upon reboot.</li> <li>install a copy of itself as <font face="courier">%Windir%\services.exe</font>, where <font face="courier">%Windir%</font> is a variable pointing to the root of the Windows directory on the host.</li> <li>collect target email addresses from files with specific extensions on the local system.</li> <li>copy itself to particularly named files within non-CDROM local drives or mapped network shares.</li> <li>remove registry keys that were likely added as a result of successful compromise via other recent malicious code, including <a href="http://www.cert.org/incident_notes/IN-2004-01.html">W32/Novarg.A</a> and <a href="http://www.us-cert.gov/cas/techalerts/TA04-028A.html">W32/MyDoom.B</a>.</li> </ul> <p> When spreading via email, the virus arrives as an email message with a 22,016-byte attachment whose filename is selected randomly from a fixed list and carries a double extension: one of <ul> <li><font face="courier">.txt</font></li> <li><font face="courier">.rtf</font></li> <li><font face="courier">.doc</font></li> <li><font face="courier">.htm</font></li> </ul> followed by one of <ul> <li><font face="courier">.com</font></li> <li><font face="courier">.pif</font></li> <li><font face="courier">.scr</font></li> <li><font face="courier">.exe</font></li> </ul> The attachment may also arrive as a ZIP (<font face="courier">.zip</font>) archive. 
</p> <p> Some messages containing the virus have had the following characteristics: </p> <blockquote> <font face="courier" size="2"> <strong>Subject:</strong> (one of the following) <ul> <li><font face="courier">stolen</font></li> <li><font face="courier">fake</font></li> <li><font face="courier">unknown</font></li> <li><font face="courier">something for you</font></li> <li><font face="courier">read it immediately</font></li> <li><font face="courier">warning</font></li> <li><font face="courier">information</font></li> </ul> <strong>From:</strong> &lt;spoofed&gt;<br/> <strong>To:</strong> &lt;email address&gt;<br/><br/> <strong>Body:</strong> <br/> (The body has been reported to contain a short message selected randomly from a fixed list.)<br/></font> </blockquote> <p>When spreading via the filesystem, the virus searches non-CDROM drives C: through Z:, including mapped network shares, for any folders containing "Share" or "Sharing" in their name. The virus then copies itself into these folders under a filename selected randomly from a fixed list and carrying a double extension.</p> <p>As with other malicious code having mass-mailing capabilities, W32/Netsky.B may cause "collateral" denial-of-service conditions in networks where either (a) multiple systems are infected, or (b) large volumes of infected mail are received.</p> <p>The CERT/CC is continuing to analyze the malicious code and will update this Incident Note as more information is confirmed.</p> 
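<p>As an added example that is not part of the CERT/CC note, the following Python expresses the email and filesystem characteristics described above as mail-gateway and share-audit checks. The extension lists, the 22,016-byte attachment size, the subject lines and the "Share"/"Sharing" folder strings come from the note; the function names, the scoring weights, the case-insensitive folder match and the sample values are assumptions.</p>

```python
# Added example: indicator checks for the W32/Netsky.B characteristics in this
# note. Extension lists, 22,016-byte size, subject lines and the Share/Sharing
# folder strings come from the note; helper names, scoring weights, the
# case-insensitive folder match and any sample values are assumptions.
import os
import re

FIRST_EXT = {".txt", ".rtf", ".doc", ".htm"}
SECOND_EXT = {".com", ".pif", ".scr", ".exe"}
ATTACHMENT_SIZE = 22016  # attachment size reported in the note
SUBJECTS = {"stolen", "fake", "unknown", "something for you",
            "read it immediately", "warning", "information"}


def has_double_extension(filename: str) -> bool:
    """True for names like 'readme.txt.pif': a FIRST_EXT then a SECOND_EXT."""
    stem, second = os.path.splitext(filename.lower())
    _, first = os.path.splitext(stem)
    return first in FIRST_EXT and second in SECOND_EXT


def attachment_matches(filename: str, size: int) -> bool:
    """Strong indicator: double-extension attachment at the reported size."""
    return size == ATTACHMENT_SIZE and has_double_extension(filename)


def score_message(subject: str, attachments) -> int:
    """Count matching characteristics of one message.
    attachments is an iterable of (filename, size_in_bytes) pairs.
    Weights (assumed): subject +1, matching attachment +2, bare .zip +1."""
    score = 0
    if subject.strip().lower() in SUBJECTS:
        score += 1
    if any(attachment_matches(name, size) for name, size in attachments):
        score += 2
    elif any(name.lower().endswith(".zip") for name, _ in attachments):
        score += 1  # ZIP carrier: weaker, the note gives no size for it
    return score


def is_share_folder(path: str) -> bool:
    """Folder names the virus copies itself into on drives C: through Z:.
    Assumption: 'Share'/'Sharing' are matched case-insensitively; both
    Windows and POSIX separators are accepted so the check runs anywhere."""
    name = re.split(r"[\\/]", path.rstrip("\\/"))[-1]
    return re.search(r"shar(e|ing)", name, re.IGNORECASE) is not None
```

<p>A mail filter would quarantine or flag messages scoring 2 or more, while a share audit would list folders for which <font face="courier">is_share_folder</font> is true and inspect them for double-extension files.</p>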
<p>Anti-virus vendors have developed signatures for and information about W32/Netsky.B:</p> <dl> <dd><a href="http://www.sarc.com/avcenter/venc/data/w32.netsky.b@mm.html">http://www.sarc.com/avcenter/venc/data/w32.netsky.b@mm.html</a></dd> <dd><a href="http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.B">http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.B</a></dd> <dd><a href="http://us.mcafee.com/virusInfo/default.asp?id=description&amp;virus_k=101034">http://us.mcafee.com/virusInfo/default.asp?id=description&amp;virus_k=101034</a></dd> <dd><a href="http://www.f-secure.com/v-descs/netsky_b.shtml">http://www.f-secure.com/v-descs/netsky_b.shtml</a></dd> <dd><a href="http://www.sophos.com/virusinfo/analyses/w32netskyb.html">http://www.sophos.com/virusinfo/analyses/w32netskyb.html</a></dd> <dd><a href="http://www3.ca.com/virusinfo/virus.aspx?ID=38332">http://www3.ca.com/virusinfo/virus.aspx?ID=38332</a></dd> </dl> <h3>Solutions</h3> <p>In addition to following the steps outlined in this section, the CERT/CC encourages home users to review the "<a href="http://www.cert.org/tech_tips/home_networks.html">Home Network Security</a>" and "<a href="http://www.cert.org/homeusers/HomeComputerSecurity/">Home Computer Security</a>" documents.</p> <h4>Run and maintain an anti-virus product</h4> <p>While an up-to-date antivirus software package cannot protect against all malicious code, for most users it remains the best first line of defense against malicious code attacks. Users may wish to read <a href="http://www.cert.org/incident_notes/IN-2003-01.html">IN-2003-01</a> for more information on anti-virus software and security issues.</p> <p>Most antivirus software vendors release frequently updated information, tools, or virus databases to help detect and recover from malicious code, including W32/Netsky.B. Therefore, it is important that users keep their antivirus software up to date. 
The CERT/CC maintains a <a href="http://www.cert.org/other_sources/viruses.html">partial list</a> of antivirus vendors.</p> <p>Many antivirus packages support automatic updates of virus definitions. The CERT/CC recommends using these automatic updates when available.</p> <h4>Do not run programs of unknown origin</h4> <p>Never download, install, or run a program unless you know it to be authored by a person or company that you trust. Email users should be wary of unexpected attachments, while users of Internet Relay Chat (IRC), Instant Messaging (IM), and file-sharing services should be particularly wary of following links or running software sent to them by other users, since these are commonly used methods among intruders attempting to build networks of distributed denial-of-service (DDoS) agents.</p> <h4>Recovering from a system compromise</h4> <p>If you believe a system under your administrative control has been compromised, please follow the steps outlined in</p> <dl><dd><a href="http://www.cert.org/tech_tips/win-UNIX-system_compromise.html">Steps for Recovering from a UNIX or NT System Compromise</a></dd></dl> <h4>Reporting</h4> <p>The CERT/CC is tracking activity related to this virus as CERT#23032. Relevant artifacts or activity can be sent to cert@cert.org with the appropriate CERT# in the subject line.</p> <hr noshade=""/> <b>Authors</b>: Chad Dougherty<br/> <p>Copyright 2004 Carnegie Mellon University.</p> <p>Revision History<br/> <small> February 18, 2004: Initial Release<br/> February 18, 2004: Clarify information about filesystem propagation<br/> </small></p>