Security Alert: NetSky.S Worm Discovered in the Wild | eWeek

Security Alert: NetSky.S Worm Discovered in the Wild

Écrit par
eWEEK EDITORS
eWEEK EDITORS
Apr 5, 2004
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Editors Note: A security alert is presented daily to eWEEK.com readers by iDefense Inc., a security research company based in Reston, Va./zimages/2/72206.gif

Severity: Medium

Analysis: NetSky.S is a new NetSky worm variant that was discovered the afternoon of April 4, 2004. NetSky.S is compressed with both PE-Patch and UPX. NetSky.S is 18,432 bytes and spreads via e-mail.

NetSky.S has the following MD5 value:

5e12dace2155beca61c050ad2deb519a

NetSky.S attempts to create a copy of itself in the Windows directory as eastav.exe. The Windows registry is modified to run the worm upon Windows startup:

HKLMSoftwareMicrosoftWindowsCurrentVersionRun EasyAV=C:WINDOWS DIRECTORYeasyav.exe

NetSky.S also attempts to save the file uinmzertinmds.opm in the Windows directory. NetSky.S executes two of its processes running in memory to help insure that it continues to run if one process is terminated. Further steps are taken by NetSky.S to prevent its file and startup registry key modifications from being deleted.

E-mails sent by NetSky.S have a spoofed From address and an attachment with a .pif extension that is 18,432 bytes in size.

NetSky.S attempts to launch a denial of service (DoS) attack against the following websites if the current date is between April 13-24, 2004:

  • www.cracks.am
  • www.emule.de
  • www.freemule.net
  • www.kazaa.com
  • www.keygen.us

When executed, NetSky.S also attempts to open port 6789 on the target computer.

Detection: Look for e-mails, the file easyav.exe in the Windows directory and the registry keys modified by the worm.

Recovery: Remove all files associated with this malicious code threat. Restore corrupted or damaged files with clean backup copies.

Workaround: Configure e-mail servers and workstations to block file types commonly used by malicious code to spread to other computers. Carefully manage all new files, scanning them with updated anti-virus software using heuristics prior to use.

Vendor Fix: Anti-virus vendors will likely release updated signature files to protect against this malicious code in the near future. Some anti-virus applications may detect this malicious code heuristically. More details and a patch for Internet Explorer vulnerability can be found at MS01-020:.

iDefense provides security intelligence to governments and Fortune 1000 organizations, and provides this daily threat alert to eWEEK.com

/zimages/2/28571.gifCheck outeWEEK.coms Security Centerat http://security.eweek.com for security news, views and analysis. Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:/zimages/2/19420.gifhttp://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.