We have reports of a new worm, Netsky.B (also known as Moodown.B), which is in the wild, i.e. it has been reported infecting a significant number of computers. The worm arrives as an email attachment and requires the user to run the executable. It also spreads through peer-to-peer file-sharing networks by copying itself to folders on the hard drive that applications such as KaZaa are likely to share.
Subject line:
Randomly chosen from the following list: fake, for, hello, hi, immediately, information, it, read, something, stolen, unknown, warning, you
Message body:
Randomly chosen from the following list:
anything ok? what does it mean? ok i'm waiting read the details. here is the document. read it immediately! my hero here is that true? is that your name? is that your account? i wait for a reply! is that from you? you are a bad writer I have your password! something about you! kill the writer of this document! i hope it is not true! your name is wrong i found this document about you yes, really? that is bad here it is see you greetings stuff about you? something is going wrong! information about you about me from the chatter here, the serials here, the introduction here, the cheats that's funny do you? reply take it easy why? thats wrong misc you earn money you feel the same you try to steal you are bad something is going wrong something is fool
Attachment filename:
Randomly chosen from the following list:
aboutyou, attachment, bill, concert, creditcard, details, dinner, disco, doc, document, final, found, friend, jokes, location, mail2, mails, me, message, misc, msg, nomoney, note, object, part2, party, posting, product, ps, ranking, release, shower, story, stuff, swimmingpool, talk, textfile, topseller, website
The base name may be followed by a decoy extension (".doc", ".html", ".rtf" or ".text"), but the real extension, the last one, is always .com, .exe, .scr or .pif, and Windows runs the file as a program regardless of the decoy. Example of an attachment filename: attachment.doc.exe
At times the executable is compressed inside a ZIP file, and the file inside the archive can likewise carry a double extension. In some cases the attached ZIP file is corrupt or empty and therefore does not contain the worm; such a message can reach the user's email client even on a well-protected system, simply because there is nothing in it to detect.
Attachment size: Variable
If the user runs the executable (which might be inside a ZIP file), the worm harvests email addresses from a list of file types on the computer and mails itself to them. Netsky.B uses its own SMTP engine for propagation rather than the user's mail client, so the safeguards Outlook applies to programs sending mail through it never come into play.
Netsky.B copies itself to directories named shares or sharing on the local system or on mapped network drives in an attempt to spread via peer-to-peer file-sharing networks such as KaZaa and iMesh. It also tries to deactivate Mydoom.A, Mydoom.B and Mimail.T.
Avoidance Action: Make sure your virus definition files are up to date. Block all incoming and outgoing .exe, .pif, .com and .scr attachments at the mail gateway, and since the worm may arrive inside a ZIP file, apply the same rule to executables found inside archives.
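The following is an added example, not code from the advisory or from GFI, showing how a mail-gateway filter would apply the attachment rules above: the blanket block on .exe/.pif/.com/.scr names, recognition of the worm's base-name plus decoy-extension pattern, and inspection of ZIP attachments including the corrupt or empty archives that contain no worm. The function names and the sample attachments are assumptions constructed for the example.

```python
"""Added example (not GFI's code): a gateway-side attachment filter for the
Netsky.B naming pattern described in the advisory.

Assumptions (not from the advisory): the filter already has the decoded
attachment filename and bytes; helper names are hypothetical; the sample
attachments at the bottom are constructed, not real worm samples."""
import io
import zipfile

# Base names, decoy extensions and real executable extensions, as listed
# in the advisory.
NETSKY_BASENAMES = {
    "aboutyou", "attachment", "bill", "concert", "creditcard", "details",
    "dinner", "disco", "doc", "document", "final", "found", "friend", "jokes",
    "location", "mail2", "mails", "me", "message", "misc", "msg", "nomoney",
    "note", "object", "part2", "party", "posting", "product", "ps", "ranking",
    "release", "shower", "story", "stuff", "swimmingpool", "talk", "textfile",
    "topseller", "website",
}
DECOY_EXTENSIONS = {"doc", "html", "rtf", "text"}
EXECUTABLE_EXTENSIONS = {"com", "exe", "scr", "pif"}


def classify_name(filename):
    """Return 'executable', 'netsky_pattern', 'zip' or 'allow'.

    'executable' is the blanket block from Avoidance Action; 'netsky_pattern'
    additionally matches the worm's <base>[.<decoy>].<exe> naming, which is
    useful for alerting (the blanket block already stops it).
    """
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return "allow"
    ext = parts[-1]          # only the last extension decides how Windows runs it
    if ext == "zip":
        return "zip"
    if ext not in EXECUTABLE_EXTENSIONS:
        return "allow"
    base = parts[:-1]
    if len(base) >= 2 and base[-1] in DECOY_EXTENSIONS:
        base = base[:-1]     # strip one decoy extension such as ".doc"
    if len(base) == 1 and base[0] in NETSKY_BASENAMES:
        return "netsky_pattern"
    return "executable"


def inspect_zip(data):
    """Look inside a ZIP attachment; returns (verdict, reason).

    Corrupt or empty archives carry no worm, so they are reported as such
    rather than treated as malware.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ("corrupt", "archive unreadable; contains no worm")
    if not names:
        return ("empty", "archive has no members")
    for name in names:
        verdict = classify_name(name)
        if verdict in ("executable", "netsky_pattern"):
            return ("block", "%s: %s" % (name, verdict))
    return ("allow", "no executable members")


def filter_attachment(filename, data):
    verdict = classify_name(filename)
    if verdict in ("executable", "netsky_pattern"):
        return ("block", verdict)
    if verdict == "zip":
        return inspect_zip(data)
    return ("allow", "not an executable type")


def _make_zip(members):
    """Build an in-memory ZIP archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments (assumed for the example, not real samples).
SAMPLES = {
    "attachment.doc.exe": b"MZ...",
    "report.pdf": b"%PDF-1.4",
    "details.zip": _make_zip({"details.doc.scr": b"MZ..."}),
    "empty.zip": _make_zip({}),
    "broken.zip": b"not really a zip",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, filter_attachment(name, data))
```

The filter keys on the last extension only, because that is the one Windows honours; the decoy extension is just stripped to recognise the worm's naming pattern for alerting. Corrupt and empty archives are surfaced with their own verdicts so an operator can see why a message that looks like Netsky.B was let through.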
Note on the importance of a Trojan and Executable Scanner: Because anti-virus software is signature-based, it can only detect known viruses and Trojans, and is therefore unable to detect viruses such as Netsky.B as soon as they are released. GFI MailSecurity's Trojan and Executable Scanner takes a different approach: rather than relying on signatures, it uses built-in intelligence to rate an executable's risk level. It does this by disassembling the executable, determining what it might do, and comparing those actions against a database of malicious actions. This way, GFI MailSecurity can detect unknown viruses and Trojans before they enter the network, and before anti-virus engine vendors have issued signatures against them.
How does the GFI Trojan and Executable Scanner catch this new worm? The Trojan and Executable Scanner within GFI MailSecurity for Exchange/SMTP catches Netsky.B because the worm triggers the engine's "CheckUPX" rule: the worm's executable is compressed with the UPX packer, and a UPX-packed executable arriving by email is treated as a likely sign of malicious intent. Note that UPX is also used by legitimate software, so this rule is a heuristic indicator rather than proof that a file is malicious.
For more up-to-date information: http://www.gfi.com/security
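As an added example of the kind of check the CheckUPX rule performs (this is not GFI MailSecurity's code, and the product's actual implementation is not described on this page), the block below reads the section table of a PE executable and flags the UPX0/UPX1/UPX2 section names that the UPX packer leaves behind. The skeletal PE image it builds for testing is constructed by hand and contains no code; the function names are assumptions.

```python
"""Added example (not GFI MailSecurity's code): detect UPX packing from the
PE section table, the kind of indicator a CheckUPX-style rule keys on.

Assumptions: the section-name heuristic is one common way to spot UPX; the
test image built by build_pe() is a constructed header-only PE, not a real
program. Field offsets follow the PE/COFF format."""
import struct

# Section names written by the UPX packer.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data):
    """Return the section names of a PE file, or None if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                                   # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                          # section table start
    names = []
    for i in range(num_sections):
        off = table + 40 * i                              # 40-byte section headers
        if off + 8 > len(data):
            break                                         # truncated file
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def looks_upx_packed(data):
    """True if the PE carries UPX section names. Heuristic only: legitimate
    software is also shipped UPX-packed, so treat a hit as a risk indicator."""
    names = pe_section_names(data)
    return bool(names) and any(n in UPX_SECTION_NAMES for n in names)


def build_pe(section_names):
    """Build a header-only PE image with the given section names (constructed
    test data; no optional header, no section contents)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, timestamp, symtab ptr, nsyms,
    # SizeOfOptionalHeader=0, Characteristics.
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, 0, 0x010F)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    packed = build_pe([b"UPX0", b"UPX1", b".rsrc"])
    plain = build_pe([b".text", b".data", b".rsrc"])
    print("packed sample:", looks_upx_packed(packed))
    print("plain sample:", looks_upx_packed(plain))
```

Because UPX can be told to rename its sections, and because plenty of benign installers are UPX-packed, a gateway should use a hit from this check to raise an executable's risk score, not as a standalone block decision.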
References:
http://www.norman.com/virus_info/netsky_b_mm.shtml
http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=194
http://vil.nai.com/vil/content/v_101034.htm
http://www.viruslist.com/eng/alert.html?id=989639
About GFI
GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. With award-winning technology, an aggressive pricing strategy and a strong focus on small-to-medium sized businesses, GFI is able to satisfy the need for business continuity and productivity encountered by organizations on a global scale. GFI has offices in the US, Malta, UK, Hong Kong and Australia which support more than 200,000 installations worldwide. GFI is a channel-focused company with over 10,000 partners worldwide. GFI is a Microsoft Gold Certified Partner. More information about GFI can be found at http://www.gfi.com.
All product and company names herein may be trademarks of their respective owners.