By Staff Writer E-Commerce Times
02/19/04 9:49 AM PT
A new worm known as Netsky.B emerged Wednesday. It is the second worm in the Netsky family; an earlier version, Netsky.A, was first identified Tuesday. According to Trend Micro's Web site, Netsky.B has an overall risk rating of medium, despite having a high potential for distribution and damage.
However, Chris Belthoff, senior security analyst at antivirus company Sophos, told the E-Commerce Times that Sophos does not rank worms and viruses because doing so goes against the firm's philosophy.
"It is confusing to try to decipher and understand why a virus is given a certain ranking," Belthoff said. "A virus is a virus. Once it is detected, we have a duty to protect our customers. We are not going to just rank them and have our customers wait for the next weekly update."
The Setup
Netsky.B, which has been reported primarily in Western Europe and Japan, spreads mainly by e-mail, though it also propagates through file-sharing networks like Kazaa. Like many recent worms, it cloaks itself in attractive subject lines and body text, offering files that seem to give the intended victim something useful. In fact, the files attached to the malicious e-mail have double extensions -- the first seemingly innocuous, the second an executable one -- and use Microsoft (Nasdaq: MSFT) Word icons to disguise themselves.
"There's always a certain amount of psychology built into [these worms]," Belthoff said. "These files look normal to the average user who is not security-aware."
E-mail attachments associated with the worm include "serial.txt.exe," "photoshop 9 crack.exe" and "eminem_lick my &^%$#.mp3.pif". In general, Belthoff noted, the presence of double extensions, such as .jpg or .mp3 followed by a second extension, such as .exe or .pif, is a sign that a file was created by a worm and should not be opened. The worm also places copies of itself in shared folders, making it easy for others to open it inadvertently.
"There continues to be a need for the proper education of end users," Belthoff said. "Unless you are expecting a certain file from someone, don't click it open."
E-Mail Volume Compounds Problem
Even among technology-savvy users, however, mix-ups can occur. Forrester Research analyst Jan Sundgren told the E-Commerce Times that the other day, he almost opened a file whose first extension was .txt because he had been expecting a document.
"It is these chance coincidences that can really get these viruses to critical mass," Sundgren said. "There is so much e-mail being exchanged, so many exchanges of documents at any given time, that this alignment, [combined with these worms'] ability to spoof e-mail addresses, can bring about real problems."
Users receiving Netsky.B files on Windows machines -- regardless of what mail client they use -- might not have the ability to check for double extensions. If users have their machines set to hide file extensions, Windows won't show the actual executable extension, which might lead users to believe they are simply opening a text file, Forrester Research analyst Jan Sundgren told the E-Commerce Times.
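The double-extension trick Belthoff describes and the hidden-extension display problem Sundgren raises can both be checked mechanically before an attachment reaches a user. The following is an added illustration, not code from the article or from any vendor quoted in it: it classifies attachment names such as the ones listed above and shows what a user with "hide extensions" enabled would actually see. The extension lists beyond .exe and .pif are assumptions added for completeness.

```python
from typing import List

# Extensions Windows runs directly. .exe and .pif are the ones named in the
# article; the others are common executable types added as an assumption.
EXECUTABLE_EXTENSIONS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js"}

# Harmless-looking extensions the worm pairs with an executable one
# (.txt, .jpg and .mp3 are from the article; the rest are assumed).
DECOY_EXTENSIONS = {"txt", "doc", "jpg", "mp3", "zip", "pdf", "htm", "html"}


def split_extensions(filename: str) -> List[str]:
    """Return the lower-cased extension chain of a file name,
    e.g. 'serial.txt.exe' -> ['txt', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """Approximate what Explorer shows with 'Hide extensions for known file
    types' on: only the final extension is dropped, so 'serial.txt.exe'
    is displayed as 'serial.txt' and looks like a text file."""
    if not hide_known_extensions or "." not in filename:
        return filename
    return filename.rsplit(".", 1)[0]


def classify_attachment(filename: str) -> str:
    """Label an attachment name by the pattern Belthoff warns about:
    a decoy extension immediately followed by an executable one."""
    exts = split_extensions(filename)
    if not exts:
        return "no-extension"
    last = exts[-1]
    if last in EXECUTABLE_EXTENSIONS:
        if len(exts) > 1 and exts[-2] in DECOY_EXTENSIONS:
            return "deceptive-double-extension"
        return "executable"
    return "benign-extension"


def quarantine_candidates(names: List[str]) -> List[str]:
    """Gateway-style filter: return the names that should be held back
    (anything that would execute), in the order they were received."""
    return [n for n in names
            if classify_attachment(n) in ("executable",
                                          "deceptive-double-extension")]


if __name__ == "__main__":
    # Constructed sample batch using the attachment names from the article.
    batch = ["serial.txt.exe", "photoshop 9 crack.exe",
             "eminem_lick my &^%$#.mp3.pif", "agenda.txt"]
    for name in batch:
        print(f"{name!r:35} shown as {displayed_name(name)!r:30} "
              f"-> {classify_attachment(name)}")
    print("quarantine:", quarantine_candidates(batch))
```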
For the most part, Netsky.B is affecting consumers because at the corporate level, suspect files usually are quarantined at a gateway before they can reach client PCs, Sundgren said. He added that he has not received any complaints from his corporate clients about this worm.
All in the Family
In terms of overall trends, Belthoff noted that more and more viruses and worms are part of families. As one variant dies, another arrives to replace it.
Worm families are immediately recognizable because they have shared components at the code level, Belthoff explained, noting that subsequent generations of worms are not necessarily more destructive than their predecessors.
"It depends on the variants," he said. "Sometimes [these variants] have different objectives."
For example, Belthoff said, some Mimail variants were used as distributed DoS (denial of service) attacks against anti-spam Web sites, while others forwarded PayPal and eBay scams.
He said it is too soon to tell which direction descendants of Netsky.B will take.