Another Internet cloggier under way

February 27, 2004

Another mass mailing worm, Netsky, appears on the Net. MessageLabs, an e-mail management company, claims to have stopped more than 1.3 million e-mail since the virus started spreading, which beats MyDoom spreading rate by about 10 times. The infection rate is believed to be increasing rapidly.

As other worms appeared this year, Netsky does require the user to open the attachment with the e-mail. "These days it's less to do with technology, with the code of the virus, and more to do with social engineering," says David Banes of MessageLabs.

The worm appears in the Inbox using a spoofed "from" address and a subject line chosen from one of the following: hi, hello, read it immediately, something for you, warning, information, stolen, fake, unknown. The body of the e-mail contains a variety of messages, and the attachment will normally have a double-file name or be a zip file. When the file is opened it displays a message "The file could not be opened!" before the virus activates.

After activation, Netsky scans the infected computer hard and shared drives for e-mail addresses and then uses its own SMTP engine to mail itself to those addresses. The worm also searches for shared folders and copies itself to those folders using a variety of file names, masquerading itself under various names as tools, patches, cracks, screen savers and porno pictures.

Like Nachi, Netsky attempts to clean the MyDoom virus by closing the backdoors open by that virus and removing it from the system. Netsky also contains several lines of text that might explain why it attempts to eliminate MyDoom:

<-<- we are the skynet - you can't hide yourself! -
we kill malware writers (they have no chance!)
- [LaMeRz-->]MyDoom.F is a thief of our idea!
- -< SkyNet AV vs. Malware >- ->->

Discuss this article on the Forum