NETSKY.B infection, can't find any virus

Discussion in 'Virus Information' started by Anonymous, Mar 22, 2005.

  1. Anonymous

    Anonymous Guest

    Hi!



    I have a problem with the NETSKY.B worm. One of the users gets NDRs from our
    Exchange 2003 server every now and then because the recipient doesn't exist.
    But the user says he's never sent the mails in question. The NDR mails
    contain an attachment which contains the NETSKY.B worm. I've scanned the
    workstation and I did run the F-Secure NETSKY.B worm removal tool from
    F-Secure but it doesn't find anything.

    So any ideas how I can troubleshoot this, so I can figure out where the
    infection is? Btw all mails that get NDR'd are to the same domain.
     
    Anonymous, Mar 22, 2005
    #1

  2. Anonymous

    Catamount Guest

    First, you might want to read up on the Netsky Virus. It forges the
    "from" header. So if someone that this person knows, or has his email
    address in their address book, has the virus, the virus can take his
    address and forge it into the "from" header. So when it goes to a
    non-existent account or goes to a server that blocks the virus and sends
    an NDR <which is a dumb thing to do IMHO> then it gets bounced to him.
    This does not mean he is infected. This doesn't mean you should check
    into it. You can set up a log to log all his outbound emails, then when
    he gets a bounce message, you can check the logs to see if he sent
    anything out. I am willing to bet he didn't.
     
    Catamount, Mar 22, 2005
    #2
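
The check suggested in the reply above (log the user's outbound mail, then compare each bounce against that log) can be scripted. This is an added example, not part of the original thread: it pulls the returned message out of an NDR and looks for its Message-ID and recipient in an outbound log. The NDR, the log and its CSV layout (time, sender, recipient, message_id) are constructed for illustration and are not Exchange 2003's own log format; it assumes the NDR attaches the full returned message.

```python
import csv, io
from email import message_from_string
from email.utils import parseaddr

# Constructed NDR: a multipart/report whose last part is the returned message.
SAMPLE_NDR = """\
From: postmaster@remote.example
To: user@corp.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Final-Recipient: rfc822; nobody@remote.example

--b1
Content-Type: message/rfc822

Received: from host.isp.example ([203.0.113.45]) by mx.remote.example
From: user@corp.example
To: nobody@remote.example
Message-ID: <constructed-123@host.isp.example>

--b1--
"""
# Constructed outbound log; hypothetical layout: time,sender,recipient,message_id
SAMPLE_LOG = """\
2005-03-22T08:55:10,user@corp.example,partner@other.example,<a1@mail.corp.example>
2005-03-22T09:30:41,user@corp.example,sales@other.example,<a2@mail.corp.example>
"""

def returned_message(ndr_text):
    """Return the original message embedded in the NDR, or None if absent."""
    for part in message_from_string(ndr_text).walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)

def check_bounce(ndr_text, log_text):
    """Report whether the bounced message appears in the outbound log."""
    orig = returned_message(ndr_text)
    if orig is None:
        return None
    msg_id = (orig.get("Message-ID") or "").strip()
    rcpt = parseaddr(orig.get("To", ""))[1].lower()
    rows = [r for r in csv.reader(io.StringIO(log_text)) if len(r) >= 4]
    return {"message_id": msg_id, "recipient": rcpt,
            # The lowest Received header is the earliest recorded hop.
            "earliest_received": (orig.get_all("Received") or [""])[-1],
            "id_logged": any(r[3] == msg_id for r in rows),
            "rcpt_logged": any(r[2].lower() == rcpt for r in rows)}
```

If both `id_logged` and `rcpt_logged` are false, the bounced message never passed through the logged mail server, which is consistent with a forged "from" header rather than an infection on that user's workstation.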

  3. Anonymous

    Anonymous Guest

    Thanks for the info!
    I did read up on the Netsky virus on the F-Secure site, but I didn't find
    any info saying that it could forge the from address. However I suspected it
    did.
     
    Anonymous, Mar 22, 2005
    #3
  4. Yes it does - this is why worms harvest addresses - not just for
    spreading. If the from address was hardcoded into the worm they would
    be easy to stop.

    --

    Regards,
    Ian Kenefick
    Got a virus?
    Go to www.ik-cs.com > 'Got a virus?'
     
    Ian JP Kenefick, Mar 22, 2005
    #4