Second Netsky worm on the loose
The new variant, Netsky.B, uses e-mail to send copies of itself to potential victims--people with computers running the Microsoft Windows operating system. It also stores copies of itself in shared directories, apparently to facilitate its propagation via file-sharing networks.
"The author, it seems, has done something to improve the virus's spread," said Alfred Huger, the senior director of engineering for security firm Symantec.
Symantec rated the virus a three on its five-point scale, while rival Network Associates gave the program a "medium" threat rating. The worm appears only to want to spread itself and not to launch an attack.
E-mail messages carrying Netsky.B come with almost 50 different subject lines and body text, from "I have your password!" to the succinct "OK." It carries a file attachment with a double extension, which can arrive in a variety of formats, including a ZIP archive. The virus sends e-mail on its own and also copies itself to shared directories and so can spread through Kazaa, BearShare, LimeWire and other peer-to-peer networks.
"On the mailing side, this is one of the more successful viruses," said Craig Schmugar, a virus research manager with Network Associates' antivirus and vulnerability emergency response team.
Schmugar said its success is somewhat puzzling because the social engineering--the way the virus's author words the e-mail that carries the program--is so minimalist.
The virus may not be wordy, but its e-mail messages do have a significant number of variations, Chris Belthoff, a senior security analyst at Lynnfield, Mass.-based Sophos, noted in a statement.
"Netsky.B is tricky to identify because of the wide variety of subject lines and message texts, but blocking all files with double extensions is an easy way to avoid infection," he said. The use of double extensions--such as .jpeg.exe--is a common trick among virus writers because Microsoft Outlook will remove the final extension, hiding the true file type.
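The double-extension block described above, sketched as an added example (not code from the article or from any vendor named in it): a Python mail filter that flags attachments whose final extension is executable and is preceded by another extension, and that also checks member names inside ZIP attachments. The extension list, function names and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed blocklist of extensions Windows will run; tune it for your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

def has_double_extension(name):
    """True when an executable extension follows another extension (photo.jpeg.exe)."""
    cleaned = name.replace("\\", "/").strip().rstrip(". ")  # drop padding that hides the tail
    suffixes = [s.lower() for s in PurePosixPath(cleaned).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS

def flagged_attachments(raw_message):
    """Return names of attachments, and of files inside ZIP attachments, to block."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if has_double_extension(name):
            hits.append(name)
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    hits += [f"{name}!{m}" for m in zf.namelist() if has_double_extension(m)]
            except zipfile.BadZipFile:
                hits.append(f"{name}!<unreadable zip>")  # cannot inspect, so do not pass it
    return hits

def build_sample():
    """Constructed sample message; attachments hold placeholder bytes only."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("document.txt.pif", b"placeholder")
    msg = EmailMessage()
    msg["Subject"] = "OK"
    msg.set_content("constructed test body")
    for data, fname in [(b"placeholder", "photo.jpeg.exe"),
                        (zbuf.getvalue(), "archive.zip"),
                        (b"plain notes", "notes.txt")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    print(flagged_attachments(build_sample()))
```

The rule is deliberately blunt, as the advice in the article is: a legitimate name such as `tool.v2.exe` is flagged as well, which is the trade-off of blocking on the filename alone.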
Of the two viruses that started spreading this week--Netsky.B and Bagle.b--the latter is more serious, according to Symantec's Huger.
"The Bagle virus's spread was about the same but its payload is much more dangerous," he said.
More information on the virus can be found at CNET Reviews' Virus Center.




