Recent NetSky Variants
Overview: Zone Labs is monitoring the continued spread of the NetSky virus and its recent variants. NetSky and its variants range in risk level; however, the newer versions currently spreading (NetSky.T and NetSky.U) continue to present a significant risk to computer users. These variants have therefore been classified "High Risk."
Date Published: April 8, 2004
Last Update: August 18, 2005
Impact: Recent NetSky variants attempt to compromise system integrity in several ways:
- Harvesting email addresses
- Acting as a backdoor on an infected system
- Spreading via email
- Enabling Denial of Service attacks
Description: These NetSky variants spread via email attachments with a .pif extension.
Upon execution, the worm creates a new file with one of the following names:
- %Windows%\EasyAV.exe
- %Windows%\SynAV.exe
and creates one of the following registry keys on the infected host:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EasyAV = "%Windows%\EasyAV.exe"
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SymAV = "%Windows%\SynAV.exe"
The virus also attempts to open a backdoor on a single TCP port: 6789/TCP.
Zone Labs Products
ZoneAlarm® Pro, ZoneAlarm® Plus
ZoneAlarm Pro and ZoneAlarm Plus prevent infection through Inbound MailSafe Protection. Furthermore, Program Control will alert the computer user if malicious code attempts to access the network.
Users of the free ZoneAlarm product should consider upgrading to ZoneAlarm Pro to take advantage of MailSafe protection.
Computer users will receive a ZoneAlarm Alert if this virus infects their system and attempts to open a TCP port. When prompted, Zone Labs users can select "No" to deny the application server access.
Recommended Actions for ZoneAlarm Pro, ZoneAlarm Plus:
- Ensure Inbound MailSafe Protection is enabled and the .pif extension is set to quarantine
- Monitor Program Control alerts for processes named: EasyAV.exe; SynAV.exe
- Do not allow these two process names to act as a server on port: 6789/TCP
- Update antivirus products to provide the most up-to-date protection
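The following PowerShell host check is an added example, not part of the Zone Labs advisory or any Zone Labs product: it looks for the four indicators listed above (the two Run-key values, the two dropped files, running processes with those names, and a listener on 6789/TCP). It assumes PowerShell 3.0 or later with the NetTCPIP module available (Get-NetTCPConnection) and an elevated session for full visibility.

```powershell
# Added example: check a Windows host for the NetSky.T/U indicators from the advisory.
# Assumes PowerShell 3.0+ and the NetTCPIP module (Get-NetTCPConnection); run elevated.

$runKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$valueNames   = @('EasyAV', 'SymAV')          # Run-key value names named in the advisory
$fileNames    = @('EasyAV.exe', 'SynAV.exe')  # dropped file / process names from the advisory
$backdoorPort = 6789                          # backdoor port from Recommended Actions
$findings     = @()

# 1. Autorun persistence: look for the two Run-key values.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in $valueNames) {
    if ($run -and $run.PSObject.Properties[$name]) {
        $findings += "Run key value '$name' = $($run.$name)"
    }
}

# 2. Dropped files in %Windows% (the advisory's %Windows% is $env:windir here).
foreach ($file in $fileNames) {
    $path = Join-Path $env:windir $file
    if (Test-Path -LiteralPath $path) {
        $findings += "File present: $path"
    }
}

# 3. Running processes using the worm's file names (ProcessName has no extension).
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    if ($fileNames -contains ($proc.ProcessName + '.exe')) {
        $findings += "Process running: $($proc.ProcessName) (PID $($proc.Id))"
    }
}

# 4. Backdoor listener on 6789/TCP, with the owning process for triage.
$listener = Get-NetTCPConnection -LocalPort $backdoorPort -State Listen -ErrorAction SilentlyContinue |
            Select-Object -First 1
if ($listener) {
    $findings += "TCP listener on port $backdoorPort (owning PID $($listener.OwningProcess))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No NetSky.T/U indicators found.'
} else {
    Write-Output 'NetSky indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A hit on the Run key or the dropped files alone is enough to treat the host as infected; the port check is an additional signal, since the backdoor only listens while the worm process is running.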
Contact: Zone Labs customers who are concerned about information contained in this advisory or have additional technical questions may reach our Technical Support team at: http://www.zonelabs.com/support/. To report security issues with Zone Labs products contact email@example.com.
Disclaimer: The information in this advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Zone Labs and Zone Labs products are registered trademarks of Zone Labs Incorporated and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Copyright: ©2004-2005 Zone Labs LLC. All rights reserved. Zone Labs, TrueVector, ZoneAlarm, and Cooperative Enforcement are registered trademarks of Zone Labs LLC. The Zone Labs logo, Check Point Integrity and IMsecure are trademarks of Zone Labs, Inc. Check Point Integrity is protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat. & TM Off. Cooperative Enforcement is a service mark of Zone Labs LLC. All other trademarks are the property of their respective owners.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Zone Labs. Reprinting the whole or part of this alert in any medium other than electronically requires permission from Zone Labs.