New Netsky worms change their stripes

New versions of the Netsky e-mail worm are spreading on the Internet and may be the work of a different author than previous editions of that worm, according to antivirus software companies.

Netsky.S appeared on Monday and Netsky.T was detected Tuesday. They are the 19th and 20th editions of an e-mail virus that first appeared in February. Unlike earlier variants, the new Netsky strains open "back doors" on machines they infect, prompting at least one antivirus expert to declare the worm the work of a different virus author.

Network Associates's McAfee Antivirus Emergency Response Team (AVERT) rated Netsky.S a "medium" threat. The company has received around 300 samples from customers and from virus-infected machines, said Craig Schmugar, virus research manager for McAfee AVERT.

The company has received only a few copies of the Netsky.T virus, he said. Sophos PLC said it received just one copy of the Netsky.T worm, according to an advisory.

Like its predecessors, the new Netsky variants target machines running versions of Microsoft's Windows operating system. The viruses arrive as files enclosed in e-mail messages that have faked (or "spoofed") sender addresses and vague subjects such as "Re: My details," "Request" and "Thank You!" according to antivirus company Symantec Corp.

Earlier versions of the Netsky variant abstained from opening communications ports that could be used as so-called "back doors" that remote attackers could use to access the compromised system. They removed copies of the Bagle e-mail worm from infected machines.

Some antivirus experts believe that Netsky's attack on Bagle installations is behind a war of words between the Netsky author or authors and the creators of the Bagle virus family in recent weeks. The two groups have used new worm variants as vehicles for barbs and retorts to previous insults.

In those exchanges, Netsky's author or authors positioned themselves as the "good guys" locked in a battle with online criminals and spammers. One recent variant, Netsky.Q, even contained an impassioned defense of the Netsky worms.

"We don't have any criminal inspirations (sic). Due to many reports, we do not have any backdoors included for spam relaying," read text hidden in Netsky.Q and transcribed by Sophos and other antivirus companies.

However, the latest Netsky variants abandon the high ground, opening a backdoor on TCP (Transmission Control Protocol) port 6789, which could be used to receive instructions or malicious code from the worm author. A message in the new worm tries to make distinctions between opening a back door and installing a remote access Trojan, but does not contain any overt criticisms of the Bagle author, said Schmugar.

"If you look at the 'purpose' behind Netsky, it was trying to uninstall other viruses. Now we're seeing behavior in the new variants like remote access components and DoS (denial of service) attacks," he said.

New variants of Netsky could be linked to a promise by its author, buried in an earlier variant of the worm, that the worm's source code would be released on the Internet.

Antivirus companies have noted differences in the worm's code with variants released since that promise was made in text hidden in the Netsky.K worm, though antivirus companies haven't located a copy of the source code on the Internet yet.

Still, despite new buried messages and slight variations in the worm's use of file attachments and subject lines, even the latest Netsky worm variants are very similar to previous versions of the worm, Schmugar said.

E-mail users should make sure they have antivirus software installed on their computer and consider deploying an Internet firewall if they have not already done so, Schmugar said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?