Yet another computer virus.

Serena

Administrator
I wonder if the creators of these viruses will ever realize how much more good than harm they could do for the world with this kind of talent. - Serena.

Netsky.B Tunnels Through Windows Systems
Friday, February 20, 2004

A particularly nasty virus is spreading over the Internet, attacking via e-mail and then rapidly infecting the hard drives of computers running Microsoft (Nasdaq: MSFT) Windows systems.

The Netsky.B worm is a mass-mailing worm that uses its own SMTP engine to send itself to the e-mail addresses it finds when scanning hard drives and mapped drives. It searches the drives for folder names containing "share" or "sharing," and then copies itself to those folders. The virus also attempts to deactivate the MyDoom.A and MyDoom.B viruses.

The worm presents a problem for businesses and consumers, because it is capable of spreading through peer-to-peer software. It also represents an emerging and troubling trend toward blended threats, which use more than one spreading mechanism.

Cluster Bomb Attack: Netsky.B is a "cluster bomb" worm, explained Ken Dunham of security firm iDefense. "This virus can create as many as 300 copies of itself in a network once it is inside," he told NewsFactor.

Another distinguishing characteristic of Netsky, compared to other recent worms, is that it does not leave open the back door, said Jimmy Kuo, a research fellow at McAfee AVERT, an arm of Network Associates (NYSE: NET). "The file-sharing mechanism is helping this virus spread rapidly."

As such, the virus is adding hundreds of files to each of the infected machines, and shows no signs of slowing down, Kuo told NewsFactor. He recommended that when users retrieve files they should scan them first, and/or make sure there are not multiple extensions in files received.

As of Thursday morning, Netsky.B was spreading in the wild, and Symantec (Nasdaq: SYMC) raised the threat level associated with it from three to four (five is the highest). "I don't think this has reached its peak yet," Dunham said.

Networks Are Vulnerable: "The sharing mechanism could have a dramatic impact on networks," said Dunham. Some 100,000 Netsky.B interceptions have been made worldwide, he noted, although the number of infected machines is lower.

Using spoofed "from" addresses, the worm employs an array of subject headings, such as "hi," "hello," "read it immediately," "something for you," or "warning," in an effort to get recipients to open the infected e-mail attachment.

The Netsky virus, also known as "Moodown," first emerged earlier this week, and initially spread rapidly in Europe. The B variant was first detected on Wednesday.

Turn Off Unused Services: As with previous worms, users should be wary of opening any e-mail attachments and are advised to upgrade their security software or get the appropriate software patches.

Also, Symantec advised that users and systems administrators should turn off and remove any unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet and a Web server. If they are removed, blended threats have fewer avenues of attack, and there are fewer services to maintain through patch updates.
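
The traits the article describes (the listed subject lines and attachments with multiple extensions) can be checked mechanically at a mail gateway. The following is an added example, not part of the original post or article; the executable-extension list, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
import os.path

# Subject lines the article attributes to Netsky.B
NETSKY_SUBJECTS = {"hi", "hello", "read it immediately", "something for you", "warning"}
# Assumption (not from the article): extensions Windows treats as executable
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

def has_multiple_extensions(filename):
    """True for names like 'notes.txt.exe': executable suffix hiding behind another extension."""
    stem, last = os.path.splitext(filename.strip().lower())
    inner = os.path.splitext(stem)[1]
    # Require an alphabetic inner extension so 'tool-1.2.exe' is not flagged
    return bool(last in EXECUTABLE_EXTS and len(inner) > 1 and inner[1:].strip().isalpha())

def score_message(raw):
    """Return the reasons a raw RFC 822 message matches the traits in the article."""
    msg = message_from_string(raw)
    reasons = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in NETSKY_SUBJECTS:
        reasons.append("subject:" + subject)  # weak signal on its own
    for part in msg.walk():
        filename = part.get_filename()
        if filename and has_multiple_extensions(filename):
            reasons.append("double-extension:" + filename)
    return reasons

# Constructed sample message (not a captured Netsky.B e-mail)
SAMPLE = """\
From: alice@example.com
To: bob@example.com
Subject: read it immediately
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attachment
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="document.txt.pif"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    print(score_message(SAMPLE))
```

Because the "from" address is spoofed, the sender field is deliberately not used as a signal here.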
 

Lotussan

I Belong To Steven
Thanks, Serena...

Eep, I hope that's not why mine is acting up...
Time for another virus scan!
 

Serena

Administrator
Amos Stevens said:
Thanks Serena for info - of course you know what happens to the bearer of bad news :)

You're welcome. And you know what they say about not shooting the messenger. ;)
 