Security Alert: NetSky.S Worm Discovered in the Wild

eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Editors Note: A security alert is presented daily to eWEEK.com readers by iDefense Inc., a security research company based in Reston, Va. /zimages/2/72206.gif

Severity: Medium

Analysis: NetSky.S is a new NetSky worm variant that was discovered the afternoon of April 4, 2004. NetSky.S is compressed with both PE-Patch and UPX. NetSky.S is 18,432 bytes and spreads via e-mail.

NetSky.S has the following MD5 value:

5e12dace2155beca61c050ad2deb519a

NetSky.S attempts to create a copy of itself in the Windows directory as eastav.exe. The Windows registry is modified to run the worm upon Windows startup:

HKLMSoftwareMicrosoftWindowsCurrentVersionRun EasyAV=C:WINDOWS DIRECTORYeasyav.exe

NetSky.S also attempts to save the file uinmzertinmds.opm in the Windows directory. NetSky.S executes two of its processes running in memory to help insure that it continues to run if one process is terminated. Further steps are taken by NetSky.S to prevent its file and startup registry key modifications from being deleted.

E-mails sent by NetSky.S have a spoofed From address and an attachment with a .pif extension that is 18,432 bytes in size.

NetSky.S attempts to launch a denial of service (DoS) attack against the following websites if the current date is between April 13-24, 2004:

• www.cracks.am
• www.emule.de
• www.freemule.net
• www.kazaa.com
• www.keygen.us

When executed, NetSky.S also attempts to open port 6789 on the target computer.

Detection: Look for e-mails, the file easyav.exe in the Windows directory and the registry keys modified by the worm.

Recovery: Remove all files associated with this malicious code threat. Restore corrupted or damaged files with clean backup copies.

Workaround: Configure e-mail servers and workstations to block file types commonly used by malicious code to spread to other computers. Carefully manage all new files, scanning them with updated anti-virus software using heuristics prior to use.

Vendor Fix: Anti-virus vendors will likely release updated signature files to protect against this malicious code in the near future. Some anti-virus applications may detect this malicious code heuristically. More details and a patch for Internet Explorer vulnerability can be found at MS01-020:.

iDefense provides security intelligence to governments and Fortune 1000 organizations, and provides this daily threat alert to eWEEK.com

/zimages/2/28571.gifCheck out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis. Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: /zimages/2/19420.gif http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif