An Old Virus But Still Nasty

I’ve finally seen my first potentially believable e-mail Trojan. This is one that’s been around a long time; I’ve just never gotten this particular e-mail. The payload is a .zip file containing W32.Netsky.P@mm. According to the Symantec Security Response site, this variant has been known about since March of 2004. It’s one of those payloads that have a couple of pre-created e-mails, and that’s the part that makes this one so insidious.

The body of the e-mail reads:

The sample file you sent contains a new virus version of buppa.k.
Please update your virus scanner with the attached dat file.

Best Regards,
Keria Reynolds

++++ Attachment: No Virus found
++++ F-Secure AntiVirus –

The attachment, the actual viral payload, is named “”

Both the From and the Reply-to headers truly look to the naive as if this came from, though of course it didn’t. For one thing, there’s not as much data as you’d expect in the headers—no IP numbers at all—and for another Symantec doesn’t ever update its users via an e-mail attachment. The other oddity, of course, is that at the bottom of the e-mail you’ve got that “F-Secure” stamp of approval, and I’m pretty sure Symantec doesn’t use a competitor’s products on Symantec’s servers.

But I bet a lot of users would take the e-mail at face value, and click away. I note that a Google search for “Keria Reynolds” results in a number of sites pointing out the problems of taking this virus spam at face value.
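
The three oddities noted above (no relay IP addresses in the headers, an archive attachment, and a scanner stamp naming a different vendor than the apparent sender) can be checked mechanically. The following is an added example, not part of the original post: the sample message, its addresses, the attachment name, and the triage function are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: sender address, boundary and attachment
# name are placeholders, not values taken from the real e-mail.
SAMPLE = """\
From: Support <support@vendor-a.example>
Subject: Re: virus sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please update your virus scanner with the attached dat file.
++++ Attachment: No Virus found
++++ F-Secure AntiVirus
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="update.zip"

(constructed placeholder payload)
--b1--
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
STAMP_RE = re.compile(r"^\+{2,}\s*(\S+)\s+Anti-?Virus", re.I | re.M)
RISKY_EXT = (".zip", ".exe", ".scr", ".pif", ".com")

def triage(raw):
    """Return a list of heuristic warnings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    if not any(IP_RE.search(h) for h in (msg.get_all("Received") or [])):
        findings.append("no relay IP in Received headers")
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append("risky attachment: " + name)
        if part.get_content_type() == "text/plain":
            for vendor in STAMP_RE.findall(part.get_payload()):
                # Stamp vendor should appear in the sender's domain.
                if vendor.lower().replace("-", "") not in sender.replace("-", ""):
                    findings.append("stamp names %s, sender is %s" % (vendor, sender))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

These are heuristics only: a legitimate message can trip one of them, so the findings are meant to prompt a closer look rather than to block mail outright.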