Cornell Home Page Computing at Cornell Security

VIRUS ALERT: Update on Netsky.Y worm (04/21/04)

Yesterday (April 20), CIT warned that a new e-mail worm that infects Windows systems had been detected at Cornell. At that time, neither the PureMessage/Sophos antivirus filters on CIT's central e-mail systems nor the Symantec AntiVirus software for Windows were catching this virus.

The worm has now been identified as Netsky.Y. The antivirus filters that protect CIT's mail servers were updated late April 20 (5:17 pm) to detect and block this worm. Symantec has also released updated virus definitions (4/20/2004 rev. 34) for Symantec AntiVirus.

Please update your Symantec AntiVirus software and perform a complete system scan. To update, run Symantec AntiVirus and choose Live Update. Or download the file locally or from Symantec.

At this time, CIT is still blocking all e-mail attachments ending in ".com" from the delivery via the CIT mail servers. This was an emergency response to the Netsky.Y worm. Now that more specific countermeasures are in place, we will lift that block April 22 in the afternoon.

What to watch for:

Netsky.Y is contained in an e-mail attachment.

You may have received infected messages that appear to be from people you know at Cornell. That does not necessarily mean the sender's computer is infected. This virus, like many others, mails itself to any e-mail address it finds.

The subject of the message will be something like:

Delivery failure notice (ID-000053BE)

The body of the e-mail will be along the lines of:

--- Mail Part Delivered ---
220 Welcome to [cornell.edu]
Mail type: multipart/related
--- text/html RFC 2504
MX [Mail Exchanger] mx.mt2.kl.cornell.edu
Exim Status OK.

New message is available.

And the attachment will look like a web address (URL) starting with "www." and ending in ".com". DO NOT OPEN THE ATTACHMENT. This will launch the virus.

For more information about e-mail and viruses, see CIT's Warning about e-mail and viruses page.

How to get rid of it:

If you suspect your computer has been infected, visit the Symantec AntiVirus W32.Netsky.Y@mm page for instructions on how to remove the worm. If you need assistance, please contact the CIT Contact Center (HelpDesk).

If you need help, please ask the CIT Contact Center (HelpDesk) by calling 255-8990, by sending e-mail to helpdesk@cornell.edu, or by visiting 119 CCC. The Contact Center is open Monday-Friday from 8:00 a.m. to 5:00 p.m., with extended phone hours Monday-Thursday from 5:00 p.m. to 8:00 p.m. during the academic year. If the Contact Center is closed and your problem is urgent, contact the Network Operations Center at 255-9900.


Computing at Cornell Homepage CUinfo CIT Contact List Send Us Feedback

Last modified: June 04, 2007