W32.Netsky.P@mm or other Mass Mailing Virus

ron

hi,

I was wondering if this virus is responsible for emails that I have been
receiving about returned email that was undeliverable, which I never sent.
There are never any attachments to them.
Does anyone know? And they all seem to have the same IP number. At
Symantec, it says that this virus has its own SMTP engine, so would it be
using the same ISP each time it sends a message, or does it use the user's ISP
to send its emails?
Does this virus infect Outlook only, or Hotmail and Yahoo address books as
well?

Thanks in advance.
Ron
 
Rob

OK... I'm getting shitloads of emails with this virus, all from the
same infected computer (according to the email headers), but they arrive from
spoofed addresses, including Yahoo and Hotmail, along with a variety of
headers, i.e. undeliverable mail, returned address etc. Some of the files are 2k,
others are 42k. If you have decent AV software that's up to date (like mine)
it should keep it at bay and tell you it contains a virus; if in doubt get
an online scan. Basically, if you are infected it will send itself to
everyone in your address book in Outlook. Sorry I can't be any more helpful.
regards
rob
 
FromTheRafters

ron said:
hi,

I was wondering if this virus is responsible for emails that I have been
receiving about returned email that was undeliverable, which I never sent.

It could be that... or conventional spam. Both can use bogus
or forged addresses.
There are never any attachments to them.

Usually, AVs en route will add a notification when malware is
removed, so it is probably spam. That is not to say that the
malware couldn't have messed up and not attached the bug,
but this isn't as likely as the possibility that this was just spam.
Does anyone know?

No, but everyone can guess.
And they all seem to have the same IP number.

That still leaves both of those possibilities.
At Symantec, it says that this virus has its own SMTP engine, so would it be
using the same ISP each time it sends a message, or does it use the user's ISP
to send its emails?

Actually, the "own SMTP engine" means that it is its own e-mail
client as far as sending the e-mails goes. Some use the victim's
ISP's mail server, and some use servers hardcoded into the body
of the worm. Still others attempt to guess at a likely server name
based on the address of the current victim (i.e. [email protected]
-- SMTP.nomad.fake). I'm not sure of the method NetSky.P uses,
probably just uses the server referenced in the registry.
Does this virus infect Outlook only, or Hotmail and Yahoo address books as
well?

This, like most of the others, looks in several file types (based
on the extension) on the local hard drive for addresses to use.
I don't know whether or not Yahoo or Hotmail has addresses
stored locally.

Anyway, there is no lack of available addresses on most
people's hard drives, and even if there were, a mass-mailer
could harvest from Usenet as Swen does.

Also, it should be noted that not all malicious content shows
up as "attachments" to e-mail; some are inline content.
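Both Rob and FromTheRafters point at the same check: the From: line is whatever the worm or spammer put there, but the Received: lines added by the relays record the client that actually connected, and a mass-mailer with its own SMTP engine shows up as the same first-hop IP across many forged senders. The script below, added here as an example and not code from any poster, walks the Received: chain of two constructed messages (RFC 5737 documentation addresses stand in for real IPs, and the host and domain names are made up) and groups them by originating IP. The last Received: header is the first hop; the caveat is that only Received: lines written by relays you trust are reliable, since the sender can prepend fake ones.

```python
"""Find the originating relay of a message from its Received: chain and
compare it with the forged From: address.  Added example for this thread,
not any poster's code.  All messages below are constructed; 192.0.2.x
are documentation addresses (RFC 5737), the hostnames are invented."""
import email
import email.utils
import re

# Bracketed IPv4 literal as relays write it: "(host.example [192.0.2.1])"
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def make_sample(forged_from, subject):
    """Constructed raw message: From:/Return-Path: are forged, but the two
    relays recorded the real client, 192.0.2.77, in their Received: lines.
    Continuation lines start with whitespace, as in a folded header."""
    return "\n".join([
        f"Return-Path: <{forged_from}>",
        "Received: from mx1.example.net (mx1.example.net [192.0.2.10])",
        "    by mail.example.org with ESMTP id abc123; Mon, 29 Mar 2004 10:01:02 +0000",
        "Received: from webmail.example (cpe-192-0-2-77.example.net [192.0.2.77])",
        "    by mx1.example.net with SMTP id def456; Mon, 29 Mar 2004 10:01:00 +0000",
        f"From: Mail Delivery System <{forged_from}>",
        "To: ron@example.org",
        f"Subject: {subject}",
        "",
        "This message could not be delivered.",
        "",
    ])


SAMPLES = [
    make_sample("mailer-daemon@webmail.example", "Returned mail: undeliverable"),
    make_sample("postmaster@freemail.example", "Mail delivery failed"),
]


def received_chain(raw):
    """[(helo_name, ip), ...] per Received: header, newest first, exactly
    in the order the message lists them."""
    msg = email.message_from_string(raw)
    chain = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        helo = re.match(r"from\s+(\S+)", text, re.IGNORECASE)
        ip = IP_RE.search(text)
        chain.append((helo.group(1) if helo else None,
                      ip.group(1) if ip else None))
    return chain


def originating_ip(raw):
    """IP of the first hop: the client that handed the message to the first
    relay.  Trustworthy only for Received: lines added by relays you trust;
    anything below them could have been forged by the sender."""
    chain = received_chain(raw)
    return chain[-1][1] if chain else None


def from_address(raw):
    """The From: address as written, i.e. whatever the sender chose."""
    msg = email.message_from_string(raw)
    return email.utils.parseaddr(msg.get("From", ""))[1]


def group_by_origin(raws):
    """Count messages per originating IP: one infected box sending under
    many forged senders collapses to a single key."""
    counts = {}
    for raw in raws:
        ip = originating_ip(raw)
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLES:
        print(f"From: {from_address(raw):<36} first hop: {originating_ip(raw)}")
    print("per-origin counts:", group_by_origin(SAMPLES))
```

Run against a folder of these bounces, the per-origin counts answer Ron's "same IP number" observation directly: a single IP with many different From: addresses is one machine spraying forged mail, not several senders.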
 
ron

that was very helpful

Ron

 
I'm_A_Victim

I am also getting hit to the tune of 140 - 160 virus emails a day. I have
had both my Yahoo and Bigfoot email addresses spoofed.

There doesn't seem to be anything I can do. If I don't log on and clean out
this crap daily my mailbox gets full.
 
FromTheRafters

I'm_A_Victim said:
I am also getting hit to the tune of 140 - 160 virus emails a day. I have
had both my Yahoo and Bigfoot email addresses spoofed.

There doesn't seem to be anything I can do. If I don't log on and clean out
this crap daily my mailbox gets full.

Some ISPs offer filters that run on the server so that such
things are not allowed to fill up the mailbox. The only other
way around this that I can think of is to automate your filter
program to periodically weed out the unwanted mail. I use
MailWasher to manually do the weeding, but I only get at
most 50 - 60 spams and very, very few malicious e-mails
on a really busy spamming day.
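The automated weeding FromTheRafters suggests needs rules that separate the three kinds of mail this thread describes: real bounces, bounce-styled spam with nothing attached (Ron's case), and worm copies carrying an executable. The script below is an added example for this thread, not MailWasher's logic or any poster's code. It applies three rules in order to each raw message: drop anything with an executable-style attachment (the extension list is an assumption for this example), drop messages with a bounce subject that are not structured delivery-status reports (a real bounce comes from the null sender `Return-Path: <>` and is `multipart/report; report-type=delivery-status`), keep everything else. All four sample messages are constructed; the deletion itself is left to the caller's POP3/IMAP client so the example runs offline.

```python
"""Offline "weeding" filter for a mailbox of raw RFC 822 messages.
Added example for this thread; not MailWasher's or any poster's code.
Every message below is constructed; domains are example.* names."""
import email
import re

# Extensions mass-mailers commonly use for their payload (assumption
# for this example; extend to taste).
DANGEROUS_EXT = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs"}
BOUNCE_SUBJECT = re.compile(
    r"undeliver|returned|delivery (?:failed|failure|status)|mail delivery",
    re.IGNORECASE)

LEGIT = """\
Return-Path: <alice@example.com>
From: Alice <alice@example.com>
To: ron@example.org
Subject: Lunch on Friday?
Content-Type: text/plain

Are you free?
"""

# Real bounce: null reverse-path plus a multipart/report DSN (RFC 3464).
GENUINE_DSN = """\
Return-Path: <>
From: Mail Delivery System <postmaster@example.org>
To: ron@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The following address failed: nobody@example.net
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.org
Action: failed
Status: 5.1.1
--b1--
"""

# Bounce-styled spam: forged postmaster From:, no attachment, no DSN parts.
FAKE_BOUNCE = """\
Return-Path: <someone@example.net>
From: "Mail Delivery Subsystem" <postmaster@example.com>
To: ron@example.org
Subject: Mail delivery failed: returning message to sender
Content-Type: text/plain

Your message was not delivered. Visit our site for details.
"""

# Worm-style lure: bounce subject plus an executable attachment.
WORM_LURE = """\
Return-Path: <bob@example.net>
From: bob@example.net
To: ron@example.org
Subject: Returned mail
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

See attached.
--b2
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA==
--b2--
"""

MAILBOX = [LEGIT, GENUINE_DSN, FAKE_BOUNCE, WORM_LURE]


def is_genuine_dsn(msg):
    """True for a structured bounce: null sender and a delivery-status report."""
    null_sender = msg.get("Return-Path", "").strip() == "<>"
    dsn = (msg.get_content_type() == "multipart/report"
           and (msg.get_param("report-type") or "").lower() == "delivery-status")
    return null_sender and dsn


def dangerous_attachments(msg):
    """Filenames of attached parts whose extension is in DANGEROUS_EXT."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().rsplit(".", 1)[-1] in DANGEROUS_EXT:
            found.append(name)
    return found


def classify(raw):
    """Return ("delete" | "keep", reason) for one raw message."""
    msg = email.message_from_string(raw)
    bad = dangerous_attachments(msg)
    if bad:
        return "delete", "executable attachment: " + ", ".join(bad)
    if BOUNCE_SUBJECT.search(msg.get("Subject", "")):
        if is_genuine_dsn(msg):
            return "keep", "genuine delivery status notification"
        return "delete", "bounce-styled message without a delivery-status report"
    return "keep", "no rule matched"


def weed(mailbox):
    """Indices of messages a POP3/IMAP client should delete."""
    return [i for i, raw in enumerate(mailbox) if classify(raw)[0] == "delete"]


if __name__ == "__main__":
    for i, raw in enumerate(MAILBOX):
        print(i, *classify(raw))
    print("delete:", weed(MAILBOX))
```

The order of the rules matters: the attachment check runs first so a worm copy is dropped whatever its subject says, and the DSN check keeps real bounces even though their subjects look exactly like the fakes.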
 