
NetSky.C Worm

Attack ID: CPAI-2004-08
Publish Date:
Last Update:
Category: Worms and Viruses
Vulnerable Systems: Windows 95, 98, ME, NT, 2000 and XP
Source:

Check Point Virus information Center

Description:

This worm spreads via email using its own SMTP engine. It also scans drive letters C through Y for directory names containing the string "shar" and copies itself to each directory found.

One of NetSky's multiple variants, W32.Netsky.K@mm, arrives as an attachment with a .pif extension and spoofs the "From" address.

Severity:
Details: NetSky is a memory-resident worm that propagates through its own SMTP engine and drops copies of itself to network shares. Upon execution, it creates several threads responsible for mass mailing, harvesting email addresses and executing its payload, which generates network congestion and beeping sounds.
Attack Detection:

Using SmartView Tracker, you can identify multiple dropped SMTP attempts from various hosts on the network. You can also detect multiple attempts to access shares whose names contain the string "shar"; an example of such a log entry is "CIFS worm pattern detected: share".

Using SmartView Tracker, you can also identify inbound SMTP and HTTP traffic that carries attachments with the .pif extension.

Users of Check Point Integrity:

  • Monitor the Integrity Program Events Report for processes named: EasyAV.exe; SynAV.exe
  • Monitor the Integrity Firewall Events Report for firewall events on: 6789/TCP
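The following script is an added example, not part of the original advisory or of any Check Point product, that applies the detection indicators listed above to a constructed set of log records. The records use a simplified key=value layout and made-up hosts, process fields and timestamps (they are not SmartView Tracker's real export format); the mail-server address and the "CIFS worm pattern detected:" message text are assumptions for the example.

```python
"""Triage constructed Check Point-style log lines for the NetSky indicators
named in this advisory: repeated dropped SMTP attempts from non-mail-server
hosts, CIFS worm-catcher hits on shares whose name contains "shar", .pif
attachments, and Integrity events for EasyAV.exe / SynAV.exe or 6789/TCP.
The log format, hosts and field names below are constructed for the example."""
import re
from collections import Counter, defaultdict

# Indicators taken from the advisory text.
WORM_PROCESSES = {"easyav.exe", "synav.exe"}
WORM_PORT = 6789
SHARE_SUBSTRING = "shar"
BAD_EXTENSIONS = (".pif",)
MAIL_SERVERS = {"10.1.1.5"}  # assumption: the only host allowed to send SMTP

# Constructed sample log (assumption: space-separated key=value fields,
# quoted values allowed).  Real SmartView Tracker exports look different.
SAMPLE_LOG = """\
t=08:00:01 product=FW action=drop src=10.1.1.20 dst=192.0.2.25 service=smtp
t=08:00:02 product=FW action=drop src=10.1.1.20 dst=198.51.100.7 service=smtp
t=08:00:03 product=FW action=drop src=10.1.1.21 dst=203.0.113.9 service=smtp
t=08:00:04 product=FW action=accept src=10.1.1.5 dst=192.0.2.25 service=smtp
t=08:00:05 product=FW action=drop src=10.1.1.22 dst=192.0.2.25 service=smtp
t=08:00:06 product=SmartDefense action=drop src=10.1.1.20 dst=10.1.1.50 service=microsoft-ds info="CIFS worm pattern detected: share"
t=08:00:07 product=SmartDefense action=drop src=10.1.1.21 dst=10.1.1.51 service=microsoft-ds info="CIFS worm pattern detected: shared_docs"
t=08:00:08 product=SecurityServer action=reject src=10.1.1.20 dst=10.1.1.3 service=smtp attachment=invoice.pif
t=08:00:09 product=SecurityServer action=accept src=10.1.1.9 dst=10.1.1.3 service=smtp attachment=report.pdf
t=08:00:10 product=Integrity action=alert src=10.1.1.20 dst=203.0.113.4 service=tcp/6789 process=EasyAV.exe
t=08:00:11 product=Integrity action=alert src=10.1.1.21 dst=203.0.113.4 service=tcp/6789 process=SynAV.exe
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text):
    """Turn each non-empty line into a dict of fields, stripping quotes."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append({k: v.strip('"') for k, v in FIELD_RE.findall(line)})
    return events


def smtp_drop_sources(events, mail_servers=MAIL_SERVERS):
    """Dropped SMTP attempts per source host, excluding the legitimate mail
    servers: a host running its own SMTP engine shows up here repeatedly."""
    counts = Counter(e["src"] for e in events
                     if e.get("service") == "smtp" and e.get("action") == "drop"
                     and e["src"] not in mail_servers)
    return dict(sorted(counts.items()))


def share_probes(events):
    """Share names flagged by the CIFS worm catcher that contain "shar".
    Note that the ordinary-looking 'shared_docs' matches too: that is the
    false-positive risk the advisory's warning about the pattern refers to."""
    hits = defaultdict(set)
    for e in events:
        m = re.match(r"CIFS worm pattern detected: (\S+)", e.get("info", ""))
        if m and SHARE_SUBSTRING in m.group(1).lower():
            hits[e["src"]].add(m.group(1))
    return {h: sorted(s) for h, s in hits.items()}


def pif_attachments(events):
    """(source, filename) for every attachment with a blocked extension."""
    return [(e["src"], e["attachment"]) for e in events
            if e.get("attachment", "").lower().endswith(BAD_EXTENSIONS)]


def integrity_indicators(events):
    """Integrity events naming one of the worm's processes or 6789/TCP."""
    flagged = []
    for e in events:
        proc = e.get("process", "").lower()
        port = e.get("service", "").rpartition("/")[2]
        if proc in WORM_PROCESSES or port == str(WORM_PORT):
            flagged.append((e["src"], e.get("process", ""), e.get("service", "")))
    return flagged


def infected_hosts(events, mail_servers=MAIL_SERVERS):
    """Hosts showing at least two independent indicator classes, with the
    classes that fired.  A single dropped SMTP connection alone is not enough
    to call a host infected; corroboration from a second indicator is."""
    seen = defaultdict(set)
    for h in smtp_drop_sources(events, mail_servers):
        seen[h].add("smtp")
    for h in share_probes(events):
        seen[h].add("share")
    for h, _ in pif_attachments(events):
        seen[h].add("pif")
    for h, _, _ in integrity_indicators(events):
        seen[h].add("integrity")
    return {h: sorted(c) for h, c in sorted(seen.items()) if len(c) >= 2}


if __name__ == "__main__":
    for host, classes in infected_hosts(parse_log(SAMPLE_LOG)).items():
        print(host, ", ".join(classes))
```

Run as-is it reports 10.1.1.20 and 10.1.1.21 as infected while 10.1.1.22, which only produced one dropped SMTP connection, is left for manual review; feed it your own exported records by replacing SAMPLE_LOG and adjusting FIELD_RE to the export format you actually use.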
Solution:

Users of InterSpect and VPN-1 NG with Application Intelligence R54 and above can manually add a pattern to the "File and Print Sharing" worm catcher to prevent the worm’s propagation through network shares:

  1. From the SmartDefense menu select Application Intelligence > Microsoft Networks
  2. Mark "File and Print Sharing"
  3. Click the Add button.
  4. Enter NetSky in the Name field
  5. Enter the string "shar" in the pattern string field
  6. Click OK
  7. Install policy on all modules

WARNING: Applying this pattern may create false positives, as the string "shar" is contained in many legitimate share names (for example "shared"). Therefore, apply it with great caution and only as a temporary means of containing the worm's propagation.

InterSpect users may use the Peer-To-Peer option in SmartDefense to block Peer-To-Peer applications on all ports, thus blocking the worm's propagation through these applications.

Users of all FireWall-1 versions can block outgoing SMTP traffic from all hosts in the network except the mail servers, and can use the SMTP Security Server to block potentially dangerous file extensions from entering the network via SMTP. Please refer to CPSA-2003-01 for further mitigation techniques for worms and viruses.

NetSky.K (a new NetSky variant):
W32.Netsky.K is one of the worm's variants, discovered March 8, 2004 (Reference: Symantec).

Users of FireWall-1/VPN-1 should define SMTP and HTTP Security Servers to strip potentially affected files with the .pif extension from email messages and Web traffic.

To define the SMTP Security Server:
SMTP Resource > Action 2 tab > In the Strip file by name field, enter {*.pif}

To define the HTTP Security Server:
URI Resource > Action 2 tab > In the Strip file by name field, enter {*.pif}

Users of Check Point Integrity:

Check Point Integrity clients are protected through Inbound MailSafe Protection. Furthermore, Program Control will alert the computer user if malicious code attempts to access the network.

1. Within Policy Studio > Messaging Rules > Inbound MailSafe Protection, ensure attachments with the .pif extension are set to quarantine.
2. Update anti-virus products to provide the most up-to-date protection


Industry Reference:
Additional Information: