
Another worm W32/Netsky.p ? Real or Con?

  • 06-05-2004 5:52pm
    #1
    Closed Accounts Posts: 88,972 ✭✭✭✭


    I got this in the mail today (3 times)
    Our content checker found
    virus: W32/Netsky-P
    in email presumably from you (<*****@gofree.indigo.ie>), to the following recipient:
    -> info@native-instruments.de

    Please check your system for viruses,
    or ask your system administrator to do so.

    Delivery of the email was stopped!


    For your reference, here are headers from your email:
    BEGIN HEADERS
    Return-Path: <carterm@gofree.indigo.ie>
    Received: from native-instruments.de (p50847FE9.dip.t-dialin.net [80.132.127.233])
    by mail.bln.native-instruments.de (Postfix (Flood) NI) with ESMTP id B15F62D47D0
    for <register@native-instruments.de>; Thu, 6 May 2004 17:20:20 +0200 (CEST)
    From: ******@gofree.indigo.ie
    To: register@native-instruments.de
    Subject: Information
    Date: Thu, 6 May 2004 17:20:25 +0200
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
    X-Priority: 3
    X-MSMail-Priority: Normal
    Message-Id: <20040506152020.B15F62D47D0@mail.bln.native-instruments.de>
    END HEADERS

    At the bottom is an attachment which I haven't touched.

    Attatchment387dat.

    Is this a con warning? I do not have an e-mail contact for Native Instruments, a site I visit now and then.

    I just scanned my windows folder with updated checker and found nothing...

    Mike.


Comments

  • Registered Users, Registered Users 2 Posts: 907 ✭✭✭tibor


    Real or con?
    Well, it's both. Your "content checker" found the virus in a mail purporting to be from you. That much is real.

    The con? Netsky.P, and most mass mailers these days, spoof the "From" address in emails they send. After scanning an infected computer for email addresses, it'll pick one at random and fire off mails purporting to be From that address. So, basically, what's happened is, someone who has your email address on their system - either as a contact in outlook, in a sent/received mail, or in a file on their system - has become infected with the worm, and the worm has randomly chosen your address as the "From" address for an email to another address found on that system (in this case register@nativeinstruments).

    Having these kinds of messages bounced back to you is, unfortunately, a fairly regular occurrence with the current plethora of mass mailing worms running rampant. The worrying thing however would be that it's your own content checker bouncing it back to you, which would seem to indicate that the person infected in this case is from within your organization.

    see
    http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.p@mm.html
    http://vil.nai.com/vil/content/v_101119.htm
    for more details on exactly how the worm works.


  • Closed Accounts Posts: 88,972 ✭✭✭✭mike65


    I'm the only one in my organisation! :)

    Mike.


  • Registered Users, Registered Users 2 Posts: 197 ✭✭iano


    Mike,
    All you can say is that someone who has been infected has both your e-mail address and the "target" address (register@native-instruments.de) on their infected machine. This could be in the address book or in any one of a whole lot of document types.

    The clue is the address 80.132.127.233, which indicates that the infected user is a customer of T-online in Germany.

    You will probably receive some virus e-mails from the same source. The "from" e-mail address will be similarly forged.
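    As an added example (not from the thread), the check tibor and iano describe: the first Received: line of the bounce records the host that really connected, and its reverse DNS (a T-Online dial-in address) is not in the From: domain, while the HELO name is the recipient's own domain. The sample headers are constructed from the ones quoted in the post, with the sender's mailbox masked.

```python
import re

# Constructed sample: the bounce's header block as quoted in the post, sender mailbox masked.
BOUNCE_HEADERS = """\
Return-Path: <masked@gofree.indigo.ie>
Received: from native-instruments.de (p50847FE9.dip.t-dialin.net [80.132.127.233])
 by mail.bln.native-instruments.de (Postfix (Flood) NI) with ESMTP id B15F62D47D0
 for <register@native-instruments.de>; Thu, 6 May 2004 17:20:20 +0200 (CEST)
From: masked@gofree.indigo.ie
To: register@native-instruments.de
"""

# First Received: line of a bounce: "from <HELO name> (<reverse DNS> [<IP>]) by <our MX>".
RECEIVED_RE = re.compile(
    r"^Received: from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[\d.]+)\]\) by (?P<by>\S+)",
    re.MULTILINE)

def unfold(headers: str) -> str:
    """Join folded continuation lines (leading whitespace) back onto their header."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)

def base_domain(name: str) -> str:
    """Last two labels of a host name, enough to compare 'indigo.ie' with 't-dialin.net'."""
    return ".".join(name.lower().split(".")[-2:])

def parse_bounce(headers: str) -> dict:
    """Pull the connecting host and the claimed sender/recipient out of the bounce headers."""
    text = unfold(headers)
    m = RECEIVED_RE.search(text)
    if m is None:
        raise ValueError("no parseable Received: line")
    from_addr = re.search(r"^From: (\S+)$", text, re.MULTILINE).group(1)
    to_addr = re.search(r"^To: (\S+)$", text, re.MULTILINE).group(1)
    return {"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"], "by": m["by"],
            "from_domain": from_addr.split("@")[1], "to_domain": to_addr.split("@")[1]}

def spoof_indicators(info: dict) -> list:
    """Signs that the From: address was forged by a mass mailer rather than sent by its owner."""
    findings = []
    if base_domain(info["rdns"]) != base_domain(info["from_domain"]):
        findings.append(f"origin host {info['rdns']} [{info['ip']}] is not in the "
                        f"sender's domain {info['from_domain']}")
    if base_domain(info["helo"]) == base_domain(info["to_domain"]):
        findings.append(f"HELO name {info['helo']} is the recipient's own domain")
    # Heuristic: consumer dial-up/DSL pools rarely run legitimate outbound mail servers.
    if re.search(r"dial|dip|dyn|pool|dsl", info["rdns"], re.IGNORECASE):
        findings.append(f"origin host {info['rdns']} looks like a dynamic consumer address")
    return findings
```

    Calling `spoof_indicators(parse_bounce(BOUNCE_HEADERS))` on the sample returns all three findings; the same parse gives the 80.132.127.233 address that iano looked up.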


  • Closed Accounts Posts: 88,972 ✭✭✭✭mike65


    Originally posted by iano
    Mike,
    The clue is the address 80.132.127.233, which indicates that the infected user is a customer of T-online in Germany.

    You will probably receive some virus e-mails from the same source. The "from" e-mail address will be similarly forged.

    Bingo!

    http://www.ripe.net/perl/whois?form_type=simple&full_query_string=&searchtext=80.132.127.233&do_search=Search

    Mike.


  • Registered Users, Registered Users 2 Posts: 907 ✭✭✭tibor


    heh, seems I misread the original post. Didn't see the quote, thought you were saying your content checker found it.... nothing to worry about then, just delete it.

