The subject line of infected e-mails includes very ordinary comments such as "re:details," "re:hello," "re: thanks" or "re: hi".
The e-mail arrives with an attached PIF (program information file) which will rapidly replicate itself, slowing down computers and bandwidth. The message body usually reads "Here is the file" or "Please have a look at the attached file".
Although not as damaging as MyDoom, which targeted Microsoft's Web site, the new Internet worm overloads Web servers with infected e-mails and play a funny tune on the infected computers. It does not, however, harm computers by deleting files or attacking anything.
The success of Netsky.D is also due to its ability to search for e-mail addresses to send itself to on machines connected through corporate networks to contaminated machines. From just a single infected machine, it can get hold of e-mail addresses stored on a corporate computer network.
Since Netsky.D has no expiry date, it will spread itself infinitely and will remain a menace, clogging up the internet and corporate networks with infected e-mails for some time to come.
Chy Chuawiwat of Clearswift believes that the worm was the work of a copy cat in Russia. "We suspect some Russian mob copied the Sobig code and modified it, since all the clues are pointing to Russia".
Users are advised to block executable file types of .PIF (and as a matter of routine, .COM, .EXE, .SCR and .BAT) using the filename blocker and/ior the date type manager. Aside from that, clean up your PC and apply antivirus signature updates as and when available.
The worm tries to disable the computer's anti virus software, allowing it to spread freely to other computers. However, Chuawiwat believes the Netsky.D is not a huge threat -- rather, an interesting variation. His advice is for companies to block this virus at the gateway so it does not harm their systems. He adds the worm has attracted very little discussion among companies, which goes to show how relatively low the impact is compared to the MyDoom and Sobig viruses.