Latest Netsky variant

Printable View

April 19th, 2004, 12:50 AM
Vorlin

Latest Netsky variant

According to this article here, the latest variant of Netsky doesn't even need anyone to open an attachment as it uses XML (which can be rendered through an email client in a preview pane). Downright scary!

Quote:

This new V variant has malicious XML code hidden in the message body of the email. When a user opens the email to read it, the code automatically seeks out a known object validation vulnerability in Microsoft Corp.'s Outlook and Internet Explorer software. The vulnerability allows the malicious code to be trusted, installed and executed on the local system.

Once the computer is infected, the malicious code will install a backdoor that listens to TCP ports 5556 and 5557. Netsky-V is designed to launch denial-of-service attacks on several Web sites between April 22 and April 28. The sites to be attacked include kazaa.com; emule.de; cracks.am; freemule.net, and keygen.us.

If you're using Outlook/IE/OE, better start looking for an alternate email client, however, it makes me wonder how much longer it is before we see a strain written to detect what client you're using (I use Opera's for example) and alter code accordingly...at run-time.

EDIT: possible "workarounds" would be to immediately deny all traffic leaving out of ports 5550-5560 (if you have a software firewall or a router) to prevent your ISP shutting you down because you were part of a possible DDOS.
April 19th, 2004, 12:54 AM
PM8228

Quote:

The sites to be attacked include kazaa.com; emule.de; cracks.am; freemule.net, and keygen.us.

I bet RIAA has a hand in this... ^_^ That is pretty freaky, however I use Mozilla. Also..., just turn off HTML.

-Cheers-
April 19th, 2004, 01:05 AM
Vorlin

Agreed, and I'll only be using IE to "update" windows, rofl...

Glad Opera's not tied to the system in any sense and will render XML just fine.
April 19th, 2004, 04:39 AM
Tedob1

maybe its just me but this virus sounds allot more like the work of the mydoom gang...opening ports to download smtp servers and DoSing sites to cover their intentions
April 19th, 2004, 05:02 AM
PM8228

Quote:

maybe its just me but this virus sounds allot more like the work of the mydoom gang...opening ports to download smtp servers and DoSing sites to cover their intentions

You think it's spammers using DoS as cover to get SMTP servers/mass mail?

-Cheers-
April 19th, 2004, 02:29 PM
nihil

IMHO,

The preview pane should not be there anyway..................it is a damn stupid idea.............all you need is one e-mail with a corrupted header and that freezes your box...........then you have to reboot.......................then you want to delete the offending item.................so you open the e-mail client and it immediately "previews" the corrupted header of the first record..........

Could keep a guy amused for hours :D

My message is DISABLE the preview pane in ALL mail servers that have one.

Cheers
April 19th, 2004, 04:12 PM
Tedob1

PM8228 not actually the spammers but a group of black hats (looks like russians) that are spreading thier back doors using worms. they upload smtp engines then sell them to spammers. the original netsky gang was warring with the doom group by releasing netsky which killed the back doors and removed the reg entries for various worms put out by the 'doom' group. they were also making threat to each other in comments in the code of the worm itself. the original mydoom was aimmed to DoS sco's site but these cats could really care less about sco and corporate struggles. they steal identies and and hi-jack computers to be sold to spammers. DoSing the site was just a deversion. so i guess the answer would be yes i do think that. i just find it an interesting turn that the name netsky is being used for a 'mydoom gangs' type worm.