Cameras
Camcorders
Cell Phones
Components
Desktops
HDTV
Home Theater
GPS
Laptops
Monitors
MP3 Players
Networking &
Printers
Storage
A new version of the Netsky e-mail worm is programmed to attack peer-to-peer networks. It bears messages blaming users for spreading viruses and claiming its authors are crusading against hacking, antivirus software companies warn.
Netsky.Q first appeared on Monday and is spreading on the Internet. It is the 17th variant of the worm to be released since Netsky first appeared in February, antivirus companies say.
All leading antivirus companies have released new signatures designed to detect and nullify Netsky.Q, and they recommend that customers update their antivirus software.
Identifying the Variant
The Q variant arrives in e-mail file attachments with a .pif (Program Information File) or .zip file extension. Netsky also tries to exploit a long-patched Microsoft security hole that allows file attachments to be launched automatically when the e-mail message is read, according to F-Secure of Helsinki.
Netsky.Q messages are disguised to look like "returned e-mail" error messages that might be generated by a company's e-mail servers. The infected messages bear subject lines such as "Delivery Error," "Error," and "Server Error." When opened, the e-mail displays messages such as "Mail Delivery--This mail couldn't be displayed." They typically claim to contain a version of the rejected message as a "binary attachment," enticing users to click on the virus file, F-Secure says.
Like earlier versions of Netsky, the new version installs itself on Windows machines when the file attachment is opened. It also combs the infected machine's hard drive and harvests e-mail addresses from a variety of file types.
Netsky.Q is programmed to mail copies of itself on March 31, 2004, and April 5, 12, 19, and 26, 2004, to addresses it finds, says the British security firm Sophos.
Netsky's Message
Computers infected with the new worm variant are also programmed to launch a denial of service attack on a number of peer-to-peer and pirated-software Web sites, including Kazaa.com, Edonkey2000.com and Cracks.am on April 7 and 12, 2004, F-Secure says.
A message buried in the worm's code may explain the programmed attacks on peer-to-peer networks. In the message, the Netsky author or authors claim to represent a benevolent group called "SkyNet Antivirus Team" based in Russia. The message text tries to draw distinctions between the group's creation and other worms that open back doors on infected computers that can then be used to relay spam messages or to facilitate future hacking.
"We don't have any criminal inspirations [sic]. Due to many reports, we do not have any backdoors included for spam relaying," text hidden in the worm and transcribed by Sophos and other antivirus companies reads.
Netsky's authors have been locked in a war of words with the creators of the Bagle virus family in recent weeks. The two groups have used new worm variants as vehicles for barbs and retorts to previous insults.
The Netsky authors also declare their opposition to "hacking, sharing with illegal stuff and similar illegal content," according to the message.
As for the computer users harmed by their worm, the authors say users need better education, not software updates from antivirus companies.
