NetSky worm hits notebook. But notebook scan clean

Discussion in 'malware problems & news' started by Tiza74, Apr 12, 2004.

Thread Status:
Not open for further replies.
  1. Tiza74

    Tiza74 Registered Member

    Joined:
    Apr 12, 2004
    Posts:
    5
    Hi all,
    I have another case. One of my users has just been issued a notebook running WinXP Professional; we are using the Lotus Notes email client.
    The user needs to connect to the Internet via broadband, so we did a test on the notebook.

    Once plugged into the broadband (local ISP), the user received lots of delivery-failure emails, for emails that he had not sent. He received 50+ such emails. The funny thing is it only happened when we plugged into the broadband.

    So we scanned his notebook using the virus removal tool and McAfee VirusScan: nothing detected.

    I made an enquiry to the antivirus vendor as to whether the worm (Netsky) is able to retrieve email addresses from a remote system without infecting it, but they say it's not possible.

    For now, with the notebook not on broadband, it is okay.

    Which leaves me puzzled; can anyone enlighten me? Is there something about this worm that is not yet discovered?

    Thanks :doubt:
     
  2. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    First: LoNo is not vulnerable to these worms. Besides, you probably run a corporate virus scanner on your boundary. I would say Sybari Antigen for scanning LoNo traffic.
    I'm a bit puzzled: how did you test this stand-alone setup? Did you use the LoNo client, or Outlook? What mail server did you use? Is the notebook equipped with a virus scanner?

    These worms can affect a system in a few ways.
    First: you can receive the mail with the worm attachment from either someone you know or someone you don't. The sender address is not the correct one; it is spoofed, so don't bother contacting them.

    Second: you'll receive mail-failure messages. They come from (mostly) companies who received a worm-infected attachment. Their corporate mail scanner will reply to the sender; remember the spoofed sender address.

    When on a protected corporate network, most of the first kind will be removed. The second type is not an infected mail, so it will pass through, unless your mail scanner absorbs these messages.

    When you connect a notebook to the internet directly, the professional protection is gone and mail will be received by the mail client. I suppose you tested by using Outlook instead of LoNo?
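
meneer's point above, that the delivery failures are generated for a spoofed sender and are not themselves infected mail, can be checked directly from the bounces: a delivery status notification normally quotes the original message, and that quoted original carries the Received: trace of the machine that really sent it. The following is an added example, not code from this thread or from any vendor or product mentioned in it; the host names, IP addresses, payload extensions and all of the sample messages are constructed for illustration only.

```python
# Added example, not from the thread: sort inbound mail into worm carriers,
# backscatter (bounces for a spoofed sender) and bounces for mail we really sent.
import email
from email import policy

# Hypothetical identity of the suspect notebook and its outbound mail path.
OUR_HOSTS = {"notebook01.example.com", "mail.example.com"}
OUR_IPS = {"203.0.113.10"}
# Extensions treated as a mass-mailer payload (assumption for illustration only).
WORM_EXTENSIONS = (".pif", ".scr", ".exe", ".com", ".bat", ".zip")


def is_dsn(msg):
    # A delivery status notification is multipart/report; report-type=delivery-status.
    return (msg.get_content_type() == "multipart/report"
            and (msg.get_param("report-type") or "").lower() == "delivery-status")


def has_executable_attachment(msg):
    # Any MIME part whose filename ends in a payload-style extension.
    return any((p.get_filename() or "").lower().endswith(WORM_EXTENSIONS)
               for p in msg.walk())


def quoted_original(dsn):
    # The bounced message rides along in a message/rfc822 part, if the MTA kept it.
    for part in dsn.walk():
        if part.get_content_type() == "message/rfc822":
            payload = part.get_payload()  # one-element list holding the embedded message
            if isinstance(payload, list) and payload:
                return payload[0]
    return None


def originated_here(original):
    # Only a Received: trace naming our host or IP shows the notebook really sent it.
    for hdr in original.get_all("Received", []):
        text = str(hdr).lower()
        if any(h in text for h in OUR_HOSTS) or any(ip in text for ip in OUR_IPS):
            return True
    return False


def classify(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    if is_dsn(msg):
        original = quoted_original(msg)
        if original is None:
            return "bounce-unverifiable"  # MTA stripped the original; cannot tell
        return "bounce-sent-by-us" if originated_here(original) else "backscatter"
    if has_executable_attachment(msg):
        return "worm-carrier"
    return "other"


# Constructed sample messages: no real hosts, addresses or malware involved.
DSN_TEMPLATE = b"""\
From: MAILER-DAEMON@mail.some-company.example
To: user@example.com
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="rep1"

--rep1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.some-company.example

Final-Recipient: rfc822; someone@some-company.example
Action: failed
Status: 5.7.1

--rep1
Content-Type: message/rfc822

Received: {RECEIVED}
From: user@example.com
To: someone@some-company.example
Subject: hi
Content-Type: text/plain

(attachment removed by the receiving scanner)

--rep1--
"""
# Bounce for a message that never touched our hosts: classic backscatter.
BACKSCATTER = DSN_TEMPLATE.replace(b"{RECEIVED}",
    b"from pc77.home-isp.example ([198.51.100.77]) by mail.some-company.example")
# Bounce for a message that really left through our mail path.
OWN_BOUNCE = DSN_TEMPLATE.replace(b"{RECEIVED}",
    b"from notebook01.example.com ([203.0.113.10]) by mail.example.com")
# A worm carrier arriving directly, with a spoofed friendly sender.
WORM_CARRIER = b"""\
From: friend@example.org
To: user@example.com
Subject: Re: your document
Content-Type: multipart/mixed; boundary="mix1"

--mix1
Content-Type: application/octet-stream; name="your_document.pif"
Content-Disposition: attachment; filename="your_document.pif"

(stand-in for the payload bytes)

--mix1--
"""
```

Run `classify()` over the 50-odd failures the user collected: if none of the quoted originals carries a Received: line naming the notebook or the corporate relay, the mail was injected elsewhere under the user's address, and a clean scan of the notebook is exactly what you would expect. Some MTAs quote only the headers (a text/rfc822-headers part) or nothing at all; those come back as "bounce-unverifiable" and need their Received: chain read by hand.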
     
  3. Tiza74

    Tiza74 Registered Member

    Joined:
    Apr 12, 2004
    Posts:
    5
    We didn't actually test it; we were teaching the user how to use his notebook with a broadband connection.

    Yup, the client is a Lotus Notes client R5.12 and the mail server is Lotus Notes.
    The notebook is installed with McAfee VirusScan Enterprise 7.1 (running the latest signature file).

    The problem is we didn't have Outlook installed on the notebook. I was thinking: NetSky doesn't need to have a mail client installed on the system, right? As it already has its own SMTP engine.

    The emails that we received are already cleaned; the puzzling thing is why these emails were triggered at that moment in time, i.e. when the notebook was plugged into the broadband.

    Thanks.
     
  4. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Strange this :)

    Netsky doesn't need a mail server to send itself from the workstation, but it would need a mail server in order to be reachable by the mail client. One other possibility is that the user connects to a shared drive. So, if there's a share to an infected drive, that could trigger the virus scanner.

    But I can't figure out where these mails come from... o_O
     
  5. Tiza74

    Tiza74 Registered Member

    Joined:
    Apr 12, 2004
    Posts:
    5
    Yup, that's the thing. It's very strange. I'm not sure how to explain this to the user either. As for the shared drive, since it's connecting to the broadband, it's very difficult to trace whether there was any shared drive.

    I'm still searching for any possibility of a new variant of the worm that is capable of doing so. If that's the case, I guess it'd mean more trouble.

    Thanks.
     