McAfee AVERT Raises Risk Assessment to

Threat Advisory: McAfee AVERT Raises Risk Assessment to Medium on New
Netsky.ag@MM Virus
McAfee AVERT Reports New Netsky Virus In-the-Wild
BEAVERTON, Ore., Oct. 14 /PRNewswire-FirstCall/ -- McAfee, Inc. (NYSE: MFE) the leading provider of intrusion prevention
solutions, today announced that McAfee® AVERT™ (Anti-virus and Vulnerability Emergency Response Team), the world-class
research division of McAfee®, raised the risk assessment to Medium on the recently discovered W32/Netsky.ag@MM, also
known as Netsky.ag. This new variant is a prolific worm that spreads via email, sending itself to addresses found on the victim's
machine. McAfee AVERT researchers have received over 100 samples of Netsky.ag from both real customer submissions and
virus-generated mail -- with most of the samples reported to be from Brazil and Argentina.
Threat Overview
Netsky.ag is a mass mailing threat that contains its own SMTP engine to construct outgoing messages. It harvests addresses
from local files and then uses the harvested addresses in the "From" field to send itself. This produces a message with a
spoofed From address. When run, the worm displays a message box, "File corrupted replace this!" Users should be very wary
and should most likely delete any email containing the following:
From: (address is spoofed)
Subject: (one of the following)
-----------------------------------
0123456789
Abra rapido isso!!!!
acrdito que em voce!!!
algo a mais
AmaVoce
amor me liga
AninhaPutinha +55operado6992292246
arquivo zipado PGP???
Boleto Pague
campanhadafome
encontro voce!
estou doente veja!!!
falea verdade!!!
ferias nos E.U.A
ganhe muita grana
gostaria disso e voce???
grana
Hackers do Brasil
Lembra?
me diz o queacha?
me veja peladinha
Medical Labs Exames!!!
meu telefone liga
olha que isso!!!
parabens!
PizzaVeneza!
Policia SP
pq nao me liga??
preenche ai ta bom
promocao de viajens de fim de ano
Proposta de emprego!!
receitas de bolo!!
retorna logo isso!!
reza de sao tome!!!!.
------------
sinto voce!!
sua conta bancaria zerada
Sua Conta!!
Surto :(
te amo!
tudo sobre voce sabe
Vacina contra o HIV!!
ve ai logo ta
veja detalhes!!!.
veja o que tem no zip e me liga
voce passou :D!!!
Body Text: (one of the following)
----------------------------------------------
PizzaVeneza!
preenche ai ta bom
encontro voce!
veja detalhes!!!.
reza de sao tome!!!!.
Abra rapido isso!!!!
AmaVoce
AMA!
ve ai logo ta
voce passou :D!!!
arquivo zipado PGP???
retorna logo isso!!
me diz o queacha?
estou doente veja!!!
Proposta de emprego!!
tudo sobre voce sabe
promocao de viajens de fim de ano
acrdito que em voce!!!
receitas de bolo!!
veja o que tem no zip e me liga
Boleto Pague
Sua Conta!!
Policia SP
te amo!
parabens!
olha que isso!!!
sua conta bancaria zerada
Vacina contra o HIV!!
Surto :(
ferias nos E.U.A
meu telefone liga
Medical Labs Exames!!!
Hackers do Brasil
amor me liga
Lembra?
grana
sinto voce!!
pq nao me liga??
vaca
campanhadafome
ganhe muita grana
falea verdade!!!
algo a mais
gostaria disso e voce???
me veja peladinha
Threat Pathology
Netsky.ag copies itself to local folders containing string share or sharing, network shares and P2P shared folders. After being
executed, the worm copies itself into the Windows System directory (%WinDir%\MsnMsgrs.exe). The following Registry key is
added to hook system startup:
-- HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run "MsnMsgr" = %WinDir%\MsnMsgrs.exe -alev
The worm then emails itself to addresses found on the infected host as a .PIF, .COM, .SCR, .BAT, or .ZIP file.
System Protection and Cure
More information on Netsky.ag and cure for this worm can be found online at the McAfee AVERT site located at
http://vil.nai.com/vil/content/v_128905.htm . McAfee AVERT is advising its customers to update to the 4399 DATs to stay
protected from all the current Netsky threats.
McAfee AVERT Labs is one of the top-ranked anti-virus and vulnerability research organizations in the world, employing
researchers in thirteen countries on five continents. McAfee AVERT combines world-class malicious code and anti-virus
research with intrusion prevention and vulnerability research expertise from the McAfee® IntruShield® and McAfee® Entercept®
organizations, two research arms that were acquired through IntruVert Networks and Entercept Security. McAfee AVERT
protects customers by providing cures that are developed through the combined efforts of McAfee AVERT researchers and
McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection, and ActiveDAT technology to
generate cures for previously undiscovered viruses.
McAfee, Inc., headquartered in Santa Clara, Calif., creates best-of-breed intrusion prevention and risk management solutions.
McAfee's market-leading security products and services help large, medium and small businesses, government agencies, and
consumers prevent intrusions on networks and protect computer systems from critical threats. Additionally, through the
Foundstone Professional Services division, leading security consultants provide security expertise and best practices for
organizations. For more information, McAfee, Inc. can be reached at 972-963-8000 or on the Internet at
http://www.mcafee.com/ .
NOTE: McAfee, AVERT, IntruShield and Entercept are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates
in the United States and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All
other registered and unregistered trademarks herein are the sole property of their respective owners.
SOURCE McAfee, Inc.
-010/14/2004
/CONTACT: Tracy Ross of McAfee, Inc., [email protected], or
+1-408-346-5965; or Ally Zwahlen of Porter Novelli,
[email protected], or +1-408-571-2331, for McAfee, Inc./
/Photo: NewsCom: http://www.newscom.com/cgi-bin/prnh/20040426/MCAFEELOGO
AP Archive: http://photoarchive.ap.org
PRN Photo Desk, [email protected]/
/Web site: http://www.mcafee.com /
(MFE)
CO:
ST:
IN:
SU:
McAfee, Inc.
California
CPR HTS NET STW MLM
SVY
MC-HD
-- SFTH081 -9009 10/14/2004 15:58 EDT http://www.prnewswire.com
Statements in our press releases regarding McAfee's business which are not historical facts are "forward-looking statements"
that involve risks and uncertainties. All forward-looking statements are based on information available to us on the date hereof.
These statements involve known and unknown risks, uncertainties and other factors, which may cause our actual results to
differ materially from those implied by the forward-looking statements. Although we believe that the expectations reflected in the
forward-looking statements are reasonable, we cannot guarantee future results, levels of activity, performance or
achievements. Therefore, actual results may differ materially and adversely from those expressed in any forward-looking
statements. Neither we nor any other person can assume responsibility for the accuracy and completeness of forward-looking
statements. Important factors that may cause actual results to differ from expectations include, but are not limited to, those
discussed in the "Forward Looking Statements" section of the Company's most current earnings release" and in the Risk
Factors" section of the Company's Quarterly Report or Form 10-Q for the most recently ended fiscal quarter.