Second Netsky worm on the loose

By Robert Lemos
Posted on ZDNet News: Feb 18, 2004 7:50:00 PM

The new variant, Netsky.B, uses e-mail to sends copies of itself to potential victims--people with computers running the Microsoft Windows operating system. It also stores copies of itself in shared directories, apparently to facilitate its propagation via file-sharing networks.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

"The author, it seems, has done something to improve the virus's spread," said Alfred Huger, the senior director of engineering for security firm Symantec.

Symantec rated the virus a three on its five-point scale, while rival Network Associates gave the program a "medium" threat rating. The worm appears only to want to spread itself and not to launch an attack.

E-mail messages carrying Netsky.B come with almost 50 different subject lines and body text, from "I have your password!" to the succinct "OK." It carries a file attachment with a double extension, which can arrive in a variety of formats, including a ZIP archive. The virus sends e-mail on its own and also copies itself to shared directories and so can spread through Kazaa, BearShare, LimeWire and other peer-to-peer networks.

"On the mailing side, this is one of the more successful viruses," said Craig Schmugar, a virus research manager with Network Associates' antivirus and vulnerability emergency response team.

Schmugar said its success is somewhat puzzling because the social engineering--the way the virus's author words the e-mail that carries the program--is so minimalist.

However, the virus may not be wordy, but its e-mail messages do have a significant number of variations, Chris Belthoff, a senior security analyst at Lynnfield, Mass.-based Sophos, noted in a statement.

"Netsky.B is tricky to identify because of the wide variety of subject lines and message texts, but blocking all files with double extensions is an easy way to avoid infection," he said. The use of double extensions--such as .jpeg.exe--is a common trick among virus writers because Microsoft Outlook will remove the final extension hiding the true file type.

Of the two viruses that started spreading this week--Netsky.B and Bagle.b--the latter is more serious, according to Symantec's Huger.

"The Bagle virus's spread was about the same but its payload is much more dangerous," he said.

More information on the virus can be found at CNET Reviews' Virus Center.