Norman SandBox reports new unknown worm NetSky.B
- 19 February, 2004 12:43
<p>Capital Security Solutions (CSS) and Norman Data Defense Systems warn against a new Internet mass-mailing worm reported by several users. Norman SandBox technology reports detecting a new worm W32/EmailWorm (named NetSky.B). This is a mass-mailing worm spreading through SMTP. Reports of the worm are so far from customers located in Norway and Benelux.</p>
<p>Norman Data Defense Systems current risk evaluation of the new threat is Medium.</p>
<p>Norman Data Defense Systems SandBox technology makes it possible to catch viruses and other malicious software before virus signatures have been released. The Norman SandBox technology represents a milestone in non-signature based detection of new, unknown viruses' utilizing far superior techniques to those adopted by pure heuristics. This unique technology stops and quarantines the Malware attacking the machine based on behaviour even before any virus signature file is created for this specific threat.</p>
<p>Report from SandBox displayed to users who have installed Norman Virus Control (NVC) or Norman Internet Control (NIC):</p>
Display message box (Error) : The file could not be opened!.
Creates file C:\WINDOWS\services.exe.
Creates value "service"="C:\WINDOWS\services.exe -serv" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
Checks whether computer is connected to Internet.
**Uses IPHLPAPI services.
**Uses IPHLPAPI services.
Connect port 53 [UDP], IP 192.168.0.1.
DNS Server: ID=11DF, Flags=0100, Questions=0001, Answers=0000, Authority=0000, Additional=0000.
-> <victims address="" domain="">
Attempts to resolve name "".
**Connects SMTP server.
To : <fake_email_addr_from_sandbox>.
From : firstname.lastname@example.org.
Mass-mailer; spreads through SMTP.
This description is preliminary and will be updated later on Norman Data Defense Systems web site: http://www.norman.com.
NVC definitions files from Tuesday, 18 February 2004 have support for the worm.</fake_email_addr_from_sandbox></victims></p>
<p>Capital Security Solutions recommends corporate and home users to immediately update installed antivirus products with new definitions files that detect this threat.</p>
<p>We recommend users without protection to download and install an antivirus program immediately.</p>
Mark Karpinski Managing Director, Capital Security Solutions
Telephone +613 9801 0100, fax: +613 9801 0800</p>
<p>Romana McKibben, Sales, Capital Security Solutions
Telephone +613 9801 0100, fax: +613 9801 0800