Zone Labs Home Security you can trust.
Search Site
    
  
 
Home/Office Products
Download & Buy
Enterprise Solutions
Service & Support
Partner Programs
About Zone Labs LLC
 
Home
Site Map
Privacy Policy
Contact Us

 

Zone Labs Security Advisory Severity: High

Recent NetSky Variants

Overview: Zone Labs is monitoring the continued spread of the NetSky virus and recent variants. NetSky and its variants range in risk level, however the newer versions (NetSky.T; NetSky.U) currently spreading continue to present a significant risk to computer users. Therefore, these variants have been classified "High Risk."

Date Published: April 8, 2004
Last Update: August 18, 2005

Impact: Recent NetSky variants attempt to compromise system integrity in several ways:

  • Harvesting email addresses
  • Acting as a backdoor on an infected system
  • Spreading via email
  • Enabling Denial of Service attacks

Description: These NetSky variants spread via email attachments ending in .pif extension.

Upon execution, the worm creates a new file with one of the following names:

  • %Windows%\EasyAV.exe
  • %Windows%\SynAV.exe

and creates one of the following registry keys on the infected host:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EasyAV = "%Windows%\EasyAV.exe"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SymAV = "%Windows%\SynAV.exe"

The virus also attempts to open a backdoor on a single TCP port:

  • 6789/TCP

Zone Labs Products

ZoneAlarm® Pro, ZoneAlarm® Plus

ZoneAlarm Pro, and ZoneAlarm Plus prevent infection through Inbound MailSafe Protection. Furthermore, Program Control will alert the computer user if malicious code attempts to access the network.

Users of the free ZoneAlarm product should consider upgrading to ZoneAlarm Pro to take advantage of MailSafe protection.

Computer users will receive a ZoneAlarm Alert if this virus infects their system and attempts to open a TCP port. When prompted, Zone Labs users can select "No" to deny this application server access.

Recommended Actions for ZoneAlarm Pro, ZoneAlarm Plus:

  • Ensure Inbound MailSafe Protection is enabled and the .pif extension is set to quarantine
  • Monitor Program Control alerts for processes named: EasyAV.exe; SynAV.exe
  • Do not allow these two process names to act as a server on port: 6789/TCP
  • Update antivirus products to provide the most up-to-date protection

Related Resources:

Contact: Zone Labs customers who are concerned about information contained in this advisory or have additional technical questions may reach our Technical Support team at: http://www.zonelabs.com/support/. To report security issues with Zone Labs products contact security@zonelabs.com.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Zone Labs and Zone Labs products, are registered trademarks of Zone Labs Incorporated. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Copyright: ©2004-2005 Zone Labs LLC All rights reserved. Zone Labs, TrueVector, ZoneAlarm, and Cooperative Enforcement are registered trademarks of Zone Labs LLC The Zone Labs logo, Check Point Integrity and IMsecure are trademarks of Zone Labs, Inc. Check Point Integrity protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat. & TM Off. Cooperative Enforcement is a service mark of Zone Labs LLC All other trademarks are the property of their respective owners.

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Zone Labs. Reprinting the whole or part of this alert in any medium other than electronically requires permission from Zone Labs.

 

    Home    Home/Office Products     Download & Buy     Enterprise Solutions     Service & Support     Partner Programs     About Zone Labs  

©1999-2006 Zone Labs LLC All rights reserved.