This variant of W32/Netsky is similar to previous variants of W32/Netsky, however the virus does not spread as an email attachment, but rather as a hyperlink pointing to an infected system. It bears the following characteristics:
* infects by spreading exploit script, which automatically downloads and executes the virus from a remote infected system constructs messages using its own SMTP engine
* harvests email addresses from the victim machine
* spoofs the To: and From: address of messages
* opens a port on the victim machine (TCP 5556 & 5557)
* delivers a DoS attack on certain web sites upon a specific date condition
EMAIL TO AVOID OR BLOCK (this uses URLs and not attachments)
Subject: (any of the following)
·Gateway Status Failure
·Mail delivery failed
·Mail Delivery Sytem failure
·Server Status failure
Message body: (any of the following)
·Converting message. Please wait....
·Please wait while converting the message...
·Please wait while loading failed message...
·The processing of this message can take a few minutes...
MICROSOFT SECURITY BULLETINS - THAT HELP TO PREVENT INFECTION
Netsky.V relies on several unpatched vulnerablies as noted below:
HOW NETSKY.V INFECTS A SYSTEM
Step 1. W32.Netsky.V@mm constructs the message body using the Microsoft Internet Explorer XML Page Object Type Validation Vulnerability (CAN-2003-0809 / Microsoft Security Bulletin MS03-040). Successful exploitation of this vulnerability could allow a malicious object to be trusted and as such be installed and executed on the local system. The composed email body contains the object that points to the following source:
Step 2. As a result, the victim computer will query the index.html page from the HTTP server, that is installed on the infected computer and listens on port 5557.
Step 3. Once the HTTP server accepts incoming connection, it will forge an HTML-page that exploits the Microsoft IE5 ActiveX "Object for constructing type libraries for scriptlets" Vulnerability (CVE-1999-0668 / Microsoft Security Bulletin MS99-032).
Step 4. The code contained in the viral index.html file will run the ftp.exe to connect to the FTP server, listening on port 5556 on the infected computer, and query the worm executable.
Step 5. The worm executable will be retrieved and executed locally.