Netsky-V worm can infect computers without e-mail attachment

Security, malware, viri--you've got to keep your eyes open
bob
BIG GIANT HEAD I Get Free Beer
Posts: 7565
Joined: 12/03/01, 12:00 am
Location: St. Louis

Post by bob » 04/29/04, 2:56 pm

Netsky-V worm can infect computers without e-mail attachment being clicked
No need to double-click to be infected by Netsky-V
04-15-2004 10:25:12 AM CST -- from the folks at Sophos


The new Netsky-V worm (W32/Netsky-V) spreads without using email attachments to infect. Other widespread versions of the Netsky worm have infected users by tempting them to double-click on an email attachment, but Netsky-V exploits security loopholes in Microsoft's software that mean users can be hit just by reading an email.

Emails containing the exploit, which can use subject lines such as 'Converting message. Please wait...' and 'Please wait while loading failed message...', attempt to download a copy of the worm from another user's computer.

"Home users are especially vulnerable to this kind of attack as their computers are often not properly protected with a personal firewall or the latest anti-virus updates," said Graham Cluley, senior technology consultant for Sophos. "Personal computer users should consider checking out Microsoft's security update website, which can scan home PCs for security vulnerabilities and suggest which critical patches need to be installed."


http://www.snpx.com/cgi-bin/securitynew ... anEE&id=10
WYSIWTF

SOD
BIG GIANT HEAD I Get Free Beer
Posts: 5284
Joined: 12/06/01, 12:00 am
Location: here and there

Post by SOD » 04/29/04, 4:46 pm

And that's why I use AVG Anti-Virus; the email plugin will detect such viruses. New update tonight, Bob.

_________________
Discovery is never boring, short term thought is.

[ This Message was edited by: SOD on 2004-04-30 00:48 ]

RedRage
BIG GIANT HEAD I Get Free Beer
Posts: 1542
Joined: 12/04/01, 12:00 am

Post by RedRage » 04/30/04, 12:06 am

This is why virus filtering at the server level is a nice thing (when done correctly).

SOD
BIG GIANT HEAD I Get Free Beer
Posts: 5284
Joined: 12/06/01, 12:00 am
Location: here and there

Post by SOD » 04/30/04, 4:39 am

Please tell that to Charter.

SloppyGoat
BIG GIANT HEAD I Get Free Beer
Posts: 1778
Joined: 12/30/02, 12:00 am

Post by SloppyGoat » 04/30/04, 7:05 am

Is this only when using the preview pane? I don't use it. Is it executed by HTML? How does it do it? I knew the day would come when it was no longer required to open the attachment to get infected. :o

Ah, NM, I found it. Looks like you're ok, if you have the patch.

Quote:
> Netsky.V does not send itself as an attachment but uses HTML emails which exploit a vulnerability known as the Microsoft Internet Explorer XML Page Object Type Validation Vulnerability (MS03-040) and tries to download and execute itself from an infected host.
>
> The binary code bears high resemblance to the latest NetSky variant, NetSky.U, sharing up to approximately 86% of the code.

It's an old vulnerability. The patch was released October 2003.

http://www.microsoft.com/technet/securi ... 3-040.mspx

_________________
The Grey Area - Tweaking Obsession (http://tga.dynu.com)

[ This Message was edited by: SloppyGoat on 2004-04-30 15:11 ]
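The posts above give a mail-gateway operator two concrete signals to filter on: the Netsky-V lure subject lines reported by Sophos, and an HTML body whose `<object>` element points at a remote host, which is how the MS03-040 path pulled the worm down from an infected machine. The following Python is an added illustration of a server-side heuristic built from those two signals; it is not code from the thread, from Sophos or from Microsoft. The subject strings are the ones quoted in the Sophos text; the sample messages, addresses and the URL in the lure are constructed placeholders, and the `<object>` check is a generic "remote reference" heuristic rather than a signature of the exploit itself.

```python
"""Heuristic quarantine check for Netsky-V style HTML mail (added example).

Two signals, both taken from the thread:
  * the lure subject lines Sophos reported for Netsky-V, and
  * a text/html part containing an <object>/<embed> that references a remote
    resource, the delivery mechanism the MS03-040 exploit relied on.
All sample messages below are constructed fixtures, not captured traffic.
"""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject lines quoted in the Sophos release; compared case-insensitively.
NETSKY_V_SUBJECTS = {
    "converting message. please wait...",
    "please wait while loading failed message...",
}

# Attributes through which an <object>/<embed> can pull in remote content.
REMOTE_ATTRS = ("data", "codebase", "src")
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}


class ObjectTagFinder(HTMLParser):
    """Collect the attribute maps of every <object> and <embed> element."""

    def __init__(self):
        super().__init__()
        self.objects = []

    def handle_starttag(self, tag, attrs):
        if tag in ("object", "embed"):
            # attrs is a list of (name, value); value may be None.
            self.objects.append(dict(attrs))


def suspicious_objects(html):
    """Return attribute maps of <object>/<embed> tags that reference a remote host."""
    finder = ObjectTagFinder()
    finder.feed(html)
    hits = []
    for attrs in finder.objects:
        for key in REMOTE_ATTRS:
            scheme = urlparse(attrs.get(key) or "").scheme.lower()
            if scheme in REMOTE_SCHEMES:
                hits.append(attrs)
                break
    return hits


def classify(raw_message):
    """Return the reasons a raw RFC 5322 message should be quarantined ([] = clean)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in NETSKY_V_SUBJECTS:
        reasons.append("subject matches known Netsky-V lure")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            for attrs in suspicious_objects(part.get_content()):
                reasons.append(f"remote <object> in HTML body: {attrs}")
    return reasons


def build_sample(subject, html_body):
    """Construct a single-part HTML message for testing (fixture, not real mail)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(html_body, subtype="html")
    return m.as_bytes()


# Constructed lure: the host and path are placeholders, not real Netsky-V infrastructure.
LURE = build_sample(
    "Converting message. Please wait...",
    '<html><body><object data="http://203.0.113.7/message.eml"></object></body></html>',
)
# Constructed benign HTML mail: no remote object reference, ordinary subject.
BENIGN = build_sample(
    "Lunch on Friday?",
    "<html><body><p>Same place, same time?</p></body></html>",
)

if __name__ == "__main__":
    for name, raw in (("LURE", LURE), ("BENIGN", BENIGN)):
        verdict = classify(raw)
        print(name, "->", "QUARANTINE" if verdict else "deliver", verdict)
```

The `<object>` heuristic is deliberately broad: it also fires on legitimate HTML newsletters that embed remote media, which is exactly the false-positive trade-off RedRage raises later in the thread, so in practice a gateway would use the subject match alone for an outright block and route the remote-object hits to a scanner rather than dropping them outright.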

RedRage
BIG GIANT HEAD I Get Free Beer
Posts: 1542
Joined: 12/04/01, 12:00 am

Post by RedRage » 05/03/04, 12:16 am

Or you can just use a different mail program. :) I use an old version of Eudora Pro.

RedRage
BIG GIANT HEAD I Get Free Beer
Posts: 1542
Joined: 12/04/01, 12:00 am

Post by RedRage » 05/03/04, 8:49 am

Quote:
> On 2004-04-30 12:39, SOD wrote:
> Please tell that to Charter.

Many ISPs don't like to do any filtering at all, just to be sure that valid mail gets through. Filtering has a trade-off on false positives.

SOD
BIG GIANT HEAD I Get Free Beer
Posts: 5284
Joined: 12/06/01, 12:00 am
Location: here and there

Post by SOD » 05/03/04, 10:25 am

Yeah, but I even get other people's mail. Then there is all this random net send spam.

AndrewB
BIG GIANT HEAD I Get Free Beer
Posts: 2385
Joined: 12/09/01, 12:00 am
Location: USA

Post by AndrewB » 05/03/04, 1:16 pm

Mozilla Messenger on Linux is a beautiful thing... :) n00bz
Keep Your Assets & ID Private! Can you afford not to?

SOD
BIG GIANT HEAD I Get Free Beer
Posts: 5284
Joined: 12/06/01, 12:00 am
Location: here and there

Post by SOD » 05/03/04, 4:12 pm

Linux is a beautiful thing. SuSE eval boot disk is what we have been using.... Before we switch for internet use we have to learn PY and libxml2. I hear it flies. I am tired of "pick your favorite port" in Windows.

RedRage
BIG GIANT HEAD I Get Free Beer
Posts: 1542
Joined: 12/04/01, 12:00 am

Post by RedRage » 05/04/04, 5:04 am

When I get time I'm going to try Gentoo.

craeonics
Member ****
Posts: 36
Joined: 01/12/04, 12:00 am
Location: Cleft of Dimensions

Post by craeonics » 05/12/04, 6:34 am

Two easy steps to prevent a lot of anguish:

1. Disable HTML emails. People who send HTML emails need to be shot.

2. Don't use Outlook. Even without numbers to back it up, I dare say that it is the prime source of infections.
