
WORM_NETSKY.P
Tuesday, 19 July 2005
Malware type: Worm
Aliases: W32.Netsky.P@mm, W32/Mydoom.BK@mm, W32/Netsky, W32/Netsky-P, Win32.Netsky.P!unpacked, Win32/Netsky.P!Worm, Win32/Netsky.P@mm
In the wild: Yes
Destructive: Yes
Language: English
Platform: Windows 95, 98, ME, NT, 2000, XP
Encrypted: No
Overall risk rating: Medium
Reported infections: Medium
Damage potential: High
Distribution potential: High

Description:

This NETSKY worm spreads by sending out copies of itself as email attachment using its built-in SMTP engine. It gathers target recipients from certain files found on the affected machine, virtually turning the affected system into a propagation launch pad.

The email it sends out has a spoofed sender's name, varying subjects, message bodies and attachments, and generally mimics email delivery notifications. For complete details about the email that this worm sends out, please click here.

To extend its reach and maximize its distribution potential, this worm employs the following:

* Social engineering

Like most mass-mailing worm programs, this worm employs social engineering to get through that most critical barrier to propagation, which is getting the target recipient to open the infected email and execute the attachment.

It uses an email message that takes the form of an email delivery notification (which is typical of most NETSKY worms) to trick the user into thinking that the email is from a valid source. Social engineering not only aids the worm in getting the target recipient to open the infected email, it also allows the worm to evade content filters or scanners.

For complete details about the email that this worm sends out, please click here.

* Built-in SMTP engine

This worm also uses its built-in SMTP (Simple Mail Transfer Protocol) engine for easy propagation, allowing the worm to send email without having to rely on other email applications to spread. Most mass-mailing worm programs have built-in SMTP engines to facilitate easy propagation.

* Incorrect MIME Header Vulnerability (MS01-020)

This worm also exploits the Incorrect MIME Header vulnerability to propagate. The vulnerability allows the automatic execution of attachments, while an email is viewed or previewed and affects Internet Explorer 5.1 and 5.5.

For a detailed discussion of the Incorrect MIME Header Vulnerability, please consult the following Microsoft page:

Microsoft Security Bulletin MS01-020
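The two lure properties described above (a fake delivery notification carrying an executable, and an attachment whose declared MIME type does not match its contents) can both be checked at a mail gateway. The following is an added example written for this entry, not Trend Micro's code or anything from the worm itself; the sample message, the `report.exe` name, the lure-word list and the quarantine rule are all constructed assumptions for illustration.

```python
"""Gateway-side checks for NETSKY-style mail lures (added example)."""
import os
from email.message import EmailMessage

# Extensions Windows runs directly; any of these arriving by mail is worth flagging.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
# Subject words that "your mail could not be delivered" lures commonly use (assumed list).
DSN_LURE_WORDS = ("delivery", "failed", "returned", "undeliverable", "mail system")


def scan_attachments(msg: EmailMessage) -> list[str]:
    """Flag attachments whose declared MIME type disagrees with what they contain."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ctype = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        if data[:2] == b"MZ":
            # DOS/PE executables start with "MZ" whatever the Content-Type header claims.
            findings.append(f"{name}: executable content (MZ header) declared as {ctype}")
        elif ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"{name}: executable file extension declared as {ctype}")
    return findings


def looks_like_fake_dsn(msg: EmailMessage) -> bool:
    """A genuine delivery status notification is multipart/report (RFC 3464).
    A 'delivery failed' subject on any other structure that also carries an
    attachment is the lure pattern, not a real bounce."""
    subject = (msg.get("Subject") or "").lower()
    lure_subject = any(word in subject for word in DSN_LURE_WORDS)
    real_dsn = msg.get_content_type() == "multipart/report"
    has_attachment = any(True for _ in msg.iter_attachments())
    return lure_subject and not real_dsn and has_attachment


def verdict(msg: EmailMessage) -> dict:
    """Combine both checks into a quarantine decision (policy is an assumption)."""
    findings = scan_attachments(msg)
    fake_dsn = looks_like_fake_dsn(msg)
    return {"findings": findings, "fake_dsn": fake_dsn,
            "quarantine": bool(findings) or fake_dsn}


def build_sample() -> EmailMessage:
    """Constructed sample: a fake delivery notice with a disguised executable.
    The payload is a few placeholder bytes with an MZ header, not a real binary."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"   # constructed, stands in for a spoofed sender
    msg["To"] = "user@example.org"
    msg["Subject"] = "Delivery failed"
    msg.set_content("Your message could not be delivered. See the attached report.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="audio", subtype="x-wav",   # declared type does not match
                       filename="report.exe",
                       disposition="inline")
    return msg


def build_benign_sample() -> EmailMessage:
    """Constructed clean message: a plain text attachment, ordinary subject."""
    msg = EmailMessage()
    msg["Subject"] = "Weekly report"
    msg.set_content("Attached.")
    msg.add_attachment(b"Nothing unusual here.", maintype="text", subtype="plain",
                       filename="report.txt")
    return msg


if __name__ == "__main__":
    for line in verdict(build_sample())["findings"]:
        print(line)
```

The MZ check is what makes the second heuristic robust: a filter that trusts the declared Content-Type or the filename alone is exactly what the lure is built to pass, so the decision is taken on the decoded bytes.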

This worm also tries to propagate via peer-to-peer networks by searching drives C to Z for folders whose names contain strings commonly associated with peer-to-peer applications.

It deletes several autorun registry entries to prevent the automatic execution of different variants of the following worms:

* BAGLE
* NACHI
* MYDOOM
* DEADHAT

This worm usually arrives UPX- and FSG-compressed to prevent easy detection. It runs on Windows 95, 98, ME, NT, 2000, and XP.

Note: Trend Micro also detects empty email messages from this worm as WORM_NETSKY.P, and the HTML file containing the exploit as HTML_NETSKY.P. The email and the HTML file may contain a damaged attachment or no attachment at all. In any case, no malware file will be executed.

For additional information about this threat, see:
Solution