W32.Netsky.Q@mm

As of April 11, 2004, due to a decrease in submission rate, Symantec Security Response has downgraded W32.Netsky.Q@mm from a Category 3 level threat to a Category 2 threat.

The W32.Netsky.Q@mm worm:

• Is a mass-mailing worm that consists of two components: a dropper and a mass-mailing component.
• Uses its own SMTP engine to send itself to the email addresses it finds when scanning the disk drives.
• Uses the Incorrect MIME Header Can Cause IE to Execute E-mail Attachment vulnerability to cause unpatched systems to auto execute the worm when reading or previewing an infected message.

The From line of the email is spoofed, and its Subject line and message body vary. The attachment name also varies and has a .exe, .pif, .scr, or .zip file extension.

---

Notes:

• Symantec antivirus products that support Worm Blocking functionality automatically detect this threat as it attempts to spread.
• The worm has an MD5 value of 0x04871d17dbbd1911afc76aad6d9dbd20.
• LiveUpdate virus definitions created March 28, 2004 (US Pacific Time) which were released on March 29, 2004 (US Pacific Time) contain detection for this threat.

---

Protection

• Initial Rapid Release version March 28, 2004
• Latest Rapid Release version February 22, 2010 revision 054
• Initial Daily Certified version March 28, 2004
• Latest Daily Certified version February 23, 2010 revision 004
• Initial Weekly Certified release date March 28, 2004

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

• Wild Level: Medium
• Number of Infections: More than 1000
• Number of Sites: More than 10
• Geographical Distribution: High
• Threat Containment: Easy
• Removal: Moderate

Damage

• Damage Level: Low

Distribution

• Distribution Level: High