NetSky Worm Spreads via Email Attachments


Fake USA Hosting emails spread NetSky worm

Security researchers from Kaspersky have been analyzing a cybercriminal operation that relies on a worm dubbed NetSky.

Cybercriminals are distributing Email-Worm.Win32.NetSky.q by attaching it to various types of emails. Unlike other spam runs, in which the same email is sent to a large number of addresses, this campaign sends various types of malicious emails to the same address.

During their analysis, Kaspersky experts first spotted an email that purported to come from PayPal, then one from USA Hosting and one from Symantec.

The fake notifications contain a line or two of text that reads something like “your bill is attached to this email” or “Your email account is expired. See details to activate it.” The message that apparently comes from Symantec warns recipients of a virus infection.

The file attached to these emails is a variant of the NetSky worm. Once it infects a computer, the threat searches it for email addresses and sends each of them a message containing a copy of itself.

Interestingly, if email addresses that belong to an antivirus company are found, they are ignored.

It’s worth noting that the emails are sent over longer periods. Kaspersky says that the three notifications they received came over the course of a month.

Fortunately for users, these malicious messages are easy to identify because they look nothing like the legitimate emails sent out by PayPal, USA Hosting or Symantec. They don’t contain any logos and the fact that they instruct users to open an archive file that’s attached to the email is highly suspicious.
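The tells described above (a well-known sender name, no logo, and an attached archive) can be checked automatically by a mail filter. The following is an added example, not code from Kaspersky or from the original article; the archive extension list, the sample addresses and the function names are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

BRANDS = ("paypal", "usa hosting", "symantec")  # senders named in the article
ARCHIVE_EXTS = (".zip", ".rar", ".7z")  # assumption: the article only says "archive file"

def triage(raw: bytes):
    """Return (suspicious, reasons) for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    sender = str(msg.get("From", "")).lower()
    brand = next((b for b in BRANDS if b in sender), None)
    if brand:
        reasons.append(f"claims to be from {brand}")
    archives = [p.get_filename() for p in msg.iter_attachments()
                if (p.get_filename() or "").lower().endswith(ARCHIVE_EXTS)]
    if archives:
        reasons.append(f"archive attached: {archives[0]}")
    plain = msg.get_body(preferencelist=("plain",))
    text = plain.get_content().strip() if plain else ""
    if 0 < len(text.splitlines()) <= 2:
        reasons.append("body is only a line or two of text")
    html = msg.get_body(preferencelist=("html",))
    has_logo = html is not None and "<img" in html.get_content().lower()
    if not has_logo:
        reasons.append("no logo or other branding image")
    # The article's tell: a branded notice with no logo that pushes an archive.
    return bool(brand and archives and not has_logo), reasons

def sample(sender, body, attachment=None, logo=False):
    """Build a constructed test message (not a captured NetSky email)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.org", "Notification"
    msg.set_content(body)
    if logo:
        msg.add_alternative(f'<p>{body}</p><img src="cid:logo">', subtype="html")
    if attachment:
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()

if __name__ == "__main__":
    for raw in (sample("PayPal <service@paypal.example>",
                       "Your bill is attached to this email", "bill.zip"),
                sample("PayPal <service@paypal.example>",
                       "Your monthly statement is ready.", logo=True)):
        print(triage(raw))
```

The check matches only on the claimed sender name, so it is a triage signal for quarantine or review rather than a verdict on the attachment itself.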

If you come across such emails, delete them. If you’ve already opened the attachment, scan your computer with an updated security solution. It might also be wise to notify your contacts about the emails that might have been sent from your device.
