WORM_NETSKY.P, Advice

Armin

Hello NG

I received an e-mail from someone with the following text:

"The attachment msg.zip contains WORM_NETSKY.P virus. ScanMail has
Deleted it. Warning to sender. ScanMail has detected a virus in an email
you sent."

First, I didn't send an e-mail to this specific person, and second, I don't
know him/her.

So I think someone "spoofed" my e-mail address, is that it? Any chance to find
out how it was done, e.g. from the mail header ...?

Can something be done from my side to prevent this in the future?
Thanks for advice, Armin
 
GSV Three Minds in a Can

from the wonderful person Armin said:
Hello NG

I received an e-mail from someone with the following text:

"The attachment msg.zip contains WORM_NETSKY.P virus. ScanMail has
Deleted it. Warning to sender. ScanMail has detected a virus in an
email you sent."

First, I didn't send an e-mail to this specific person, and second, I don't
know him/her.

Of course not, just google (www.google.com, on NETSKY virus) and you'll
see why.
So I think someone "spoofed" my e-mail address, is that it? Any chance to find
out how it was done, e.g. from the mail header ...?

See above. And: yes, but only if you have the original headers; you
probably can't do it from the little that was sent back to you.
Can something be done from my side to prevent this in the future?

No.
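
On the question of what the original headers can tell you, here is an added example that is not code from the thread or from any of its posters. It shows the check a practitioner actually does: the From: line is free text chosen by whoever sent the mail, but every Received: line is stamped by a relay the message really passed through, so you look for the hop where your own mail system first accepted the message from the outside and quote that IP in any complaint rather than the forged sender. The message below is constructed for this example; every host name, IP address (documentation ranges only) and message ID in it is made up, and `example.org` is assumed to be the receiving site's domain.

```python
"""Trace the real origin of a mail whose From: header is forged.

Added example, not from the original thread. The sample message and all
hosts, IPs and IDs in it are constructed; nothing here was taken from a
real bounce.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the mail claims to be from armin@example.net, but
# the first hop into example.org's relays came from 198.51.100.23, a
# dial-up host that has nothing to do with example.net.
SAMPLE_MESSAGE = """\
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby mail.example.org with ESMTP id abc123; Mon, 22 Mar 2004 10:04:12 +0100
Received: from dialup-23.isp.example (unknown [198.51.100.23])
\tby mx1.example.org with SMTP id xyz789; Mon, 22 Mar 2004 10:04:10 +0100
From: armin@example.net
To: someone@example.org
Subject: Re: Document
Message-ID: <20040322100410.GA1@dialup-23.isp.example>

Please read the attached document.
"""

# "from <helo> (<reverse-dns> [<ip>]) by <receiver>" as sendmail/Postfix
# style relays write it; the reverse-DNS part may be empty or "unknown".
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def received_hops(raw):
    """Return the parsed Received: hops, newest (topmost) first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if m:
            hops.append(m.groupdict())
    return hops


def origin_of(raw, our_domain):
    """Find where the message entered our_domain's mail system.

    We walk the chain newest-first and stop at the first hop that one of
    our own relays received from a host that is not ours.  Anything
    below that hop was written by the sending side and can be forged, so
    it is not trusted for the origin.
    """
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    our_domain = our_domain.lower()

    def ours(host):
        host = host.lower()
        return host == our_domain or host.endswith("." + our_domain)

    entry = None
    for hop in received_hops(raw):
        if ours(hop["by"]) and not ours(hop["helo"]) and not ours(hop["rdns"]):
            entry = hop
            break
    if entry is None:
        return None
    rdns = entry["rdns"]
    origin_host = rdns if rdns not in ("", "unknown") else entry["helo"]
    return {
        "from_domain": from_domain,
        "origin_ip": entry["ip"],
        "origin_host": origin_host,
        # True only if the entry host plausibly belongs to the From: domain.
        "from_matches_origin": origin_host.lower().endswith(from_domain),
    }


if __name__ == "__main__":
    result = origin_of(SAMPLE_MESSAGE, "example.org")
    print("From: domain       :", result["from_domain"])
    print("entry point IP     :", result["origin_ip"])
    print("entry point host   :", result["origin_host"])
    print("From matches origin:", result["from_matches_origin"])
```

The result is what to send to the abuse contact for the entry-point IP, if anything. Note that the person who received the warning in this thread only has the scanner's notice, not these headers, which is why the reply above says the little that was sent back is not enough.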
 
Geese_Hunter

Hello NG

I received an e-mail from someone with the following text:

"The attachment msg.zip contains WORM_NETSKY.P virus. ScanMail has
Deleted it. Warning to sender. ScanMail has detected a virus in an email
you sent."

First, I didn't send an e-mail to this specific person, and second, I don't
know him/her.

So I think someone "spoofed" my e-mail address, is that it? Any chance to find
out how it was done, e.g. from the mail header ...?

Can something be done from my side to prevent this in the future?
Thanks for advice, Armin
No one spoofed your e-mail; someone who has you in their address book has
that virus, & since you used your real Hotmail account in newsgroups, be
very careful when looking at messages in Hotmail that have file
attachments, as you will be getting the Swen virus in Hotmail.
 
OrmesbyJohn

Geese_Hunter said:
No one spoofed your e-mail; someone who has you in their address book has
that virus, & since you used your real Hotmail account in newsgroups, be
very careful when looking at messages in Hotmail that have file
attachments, as you will be getting the Swen virus in Hotmail.
----------------------
Something similar happened to a friend who foolishly opened an attachment and
finds he is well and truly infected.
He's identified the worm - Netsky - and Symantec Norton AntiVirus do a fix
for it, but he now can't boot up Windows nor log on-line to download and
install the fix....
Is there any way around this?
I could download the file for him and send it to him on a floppy... but how to
proceed from there?
Thanks.
 
Geese_Hunter

----------------------
Something similar happened to a friend who foolishly opened an attachment and
finds he is well and truly infected.
He's identified the worm - Netsky - and Symantec Norton AntiVirus do a fix
for it, but he now can't boot up Windows nor log on-line to download and
install the fix....
Is there any way around this?
I could download the file for him and send it to him on a floppy... but how to
proceed from there?
Thanks.
Read my reply to Aldo Neukam, same problem; I replied 10 minutes ago.
 
Aldo Larrabiata

I got this virus last week checking my mail for one minute without a firewall,
just after having installed a brand new disk.
The .pif was attached to a spam I clicked on, viewing it in the pane.
Autoexecutable. I realized that within the millisecond. Too late.

17000 occurrences on my disks, in series of 82 files!
In safe mode, I began to clean the registry and the two files I found first.
Then I downloaded the cleaner (fixnetsky.exe) from Symantec and ran it on my
PC and on the server "by precaution".

It cleaned them, YES, and a lot more, mixing the files within a partition of
my main PC and altering Windows 98 on my server. The result is that the
second IDE disk is no longer working correctly under Windows. The cleaner
didn't complete, detecting a directory error.
I've been misled by scandisk; I trusted it and I accepted the corrections.
Never ever should I have done that. I destroyed a complete disk's contents.
The disk driver was, in fact, damaged by the Symantec cleaner.

I made some quest about the effects of this virus on the net. I didn't find
similar consequences.

My recommendation is "Be very careful with Symantec cleaners". The cure was
worse than the disease!
I had a very bad experience with Norton in the past. It is now confirmed
with other tools from this firm.


Now from my understanding the virus mechanism may be the following:

First scheme: Somebody stole your e-mail address from an e-mail you sent to a
group (address harvesters).
He sent an e-mail to an unknown address using yours as the identified sender,
attaching a copy of the virus. The mail provider's SMTP server checked the
incoming mail, detected an error (unknown recipient) and returned it to the
sender's valid address: YOU! And you received the virus as an attachment.

Second one: Netsky scans the disks for .adb .asp .cgi .dbx .dhtm .doc .eml
.htm .html .jsp .msg .oft .php .pl .rtf .sht .shtm .tbb .txt .uin .vbs .wab
.wsh .xml files looking for e-mail addresses. Then it uses them as sender
addresses, using the same process as above.


Hope this will help you
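
To make the second scheme concrete, here is an added example that is not code from the thread, from any poster, or from the worm itself: a benign re-creation of the harvesting step, run over a constructed sample of files in a temporary directory, so you can see how an ordinary user profile hands a list of addresses to any process that can read the local files. The extension list is the one quoted in the post above; the sample file names, contents and addresses are made up for this example, and the regular expression is an assumption about what such a harvester looks for, not a description of Netsky's actual code.

```python
"""Benign re-creation of an address-harvesting pass over a disk.

Added example, not code from the thread or from any malware.  It walks a
directory tree, reads only files whose extension is on the list quoted in
the post, and pulls out anything that looks like an e-mail address.  The
sample tree it builds is constructed for illustration.
"""
import os
import re
import tempfile

# Extension list as quoted in the post above.
HARVESTED_EXTENSIONS = {
    ".adb", ".asp", ".cgi", ".dbx", ".dhtm", ".doc", ".eml", ".htm", ".html",
    ".jsp", ".msg", ".oft", ".php", ".pl", ".rtf", ".sht", ".shtm", ".tbb",
    ".txt", ".uin", ".vbs", ".wab", ".wsh", ".xml",
}

# Deliberately loose pattern (an assumption, not the worm's own): a
# harvester wants candidates, not RFC-valid addresses.
ADDRESS_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest(root):
    """Return the sorted, de-duplicated addresses found under root.

    Only files with a harvested extension are opened; files are read as
    bytes because mailboxes, caches and documents are not clean text.
    """
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in HARVESTED_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: a harvester just moves on
            found.update(
                m.decode("ascii", "ignore").lower() for m in ADDRESS_RE.findall(data)
            )
    return sorted(found)


# Constructed sample profile: (relative path, content).  The .jpg and
# .exe entries carry addresses too, to show they are never opened.
SAMPLE_FILES = [
    ("Mail/inbox.dbx", b"From: colleague@example.org\r\nTo: me@example.net\r\n"),
    ("Documents/report.doc", b"Contact armin@example.net or Sales <sales@example.com>."),
    ("Web/cache/page.htm", b'<a href="mailto:webmaster@example.org">mail</a>'),
    ("Documents/notes.txt", b"meeting with colleague@example.org at 10"),
    ("Pictures/holiday.jpg", b"nobody@example.invalid is inside a jpeg, not scanned"),
    ("Scripts/setup.exe", b"binary@example.invalid is inside an exe, not scanned"),
]


def demo():
    """Build the sample tree in a temp dir, harvest it, clean up, return the list."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return harvest(root)


if __name__ == "__main__":
    for addr in demo():
        print(addr)
```

Every address in that list is a candidate both for receiving a copy and for being written into the From: line of a copy sent to someone else, which is exactly how the original poster ended up being "warned" about a mail he never sent.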
 
Ant

I got this virus last week checking my mail for one minute without a firewall,
just after having installed a brand new disk.
The .pif was attached to a spam I clicked on, viewing it in the pane.
Autoexecutable. I realized that within the millisecond. Too late.
[snip]

My recommendation is "Be very careful with Symantec cleaners". The cure was
worse than the disease!

My recommendation is:
- Don't be opening your spam
- Turn off the preview pane

It's all part of "safe hex".
 
FromTheRafters

Ant said:
I got this virus last week checking my mail for one minute without a firewall,
just after having installed a brand new disk.
The .pif was attached to a spam I clicked on, viewing it in the pane.
Autoexecutable. I realized that within the millisecond. Too late.
[snip]

My recommendation is "Be very careful with Symantec cleaners". The cure was
worse than the disease!

My recommendation is:
- Don't be opening your spam
- Turn off the preview pane

It's all part of "safe hex".

Better yet, fix this:

X-Newsreader: Microsoft Outlook Express 5.50.4922.1500

Otherwise any *new* malware using that really, really, really
old autoexecution exploit will getcha.

People are addicted to hourly updates of AV, yet ignore
three year old exploits. Go figure.
 
Ant

...
Better yet, fix this:

X-Newsreader: Microsoft Outlook Express 5.50.4922.1500

Otherwise any *new* malware using that really, really, really
old autoexecution exploit will getcha.

People are addicted to hourly updates of AV, yet ignore
three year old exploits. Go figure.

I'm not into the MS patchwork quilt game; more into disabling
services and locking down/configuring apps. But good advice.
 
Herbert West

...


I'm not into the MS patchwork quilt game; more into disabling
services and locking down/configuring apps. But good advice.

Better yet, why even use mail clients that are vulnerable to exploits?
Besides disabling and locking ports, services etc, I don't use OE.
Instead, I use Pegasus, Eudora, and Forte Agent on my systems,
avoiding the problem before it even starts. No need to turn off
dangerous default options or seek and install twice-weekly security
patches. :)
 
FromTheRafters

Herbert West said:
Better yet, why even use mail clients that are vulnerable to exploits?

I know what you are saying, but it is easier said than done. Most if not
all programs are susceptible to having flaws. The more complex the
program is, the more likely it is that mistakes were made. Sometimes
even the concepts are bad to begin with.

Please don't assume that I am defending Microsoft, I am only
stating here what I believe to be fact.
Besides disabling and locking ports, services etc, I don't use OE.

Many people whose opinions I respect don't use OE, or wouldn't
if it weren't necessary for them to do so for some reason. Most
that use alternatives do so because they tired of constantly having
to fix yet another security hole.
Instead, I use Pegasus, Eudora, and Forte Agent on my systems,
avoiding the problem before it even starts.

I use "Proxomitron" and "MailWasher" in order to supplement the
configurability of IE and OE respectively. Many of the exploits
written for IE and OE were actually just different ways to get past
the "BandAid" patches supplied by Microsoft - when the deeper
vulnerability was never addressed by them. Being that this is only
a recreational machine to me, I am able to use work-arounds that
I feel are sufficient protection for most of those exploits.
No need to turn off
dangerous default options or seek and install twice-weekly security
patches. :)

I hope that you are still keeping a watchful eye on any vulnerabilities
which may exist for the applications that you *do* use instead of just
thinking that "not Microsoft" equals "not broken".
 