Netsky.B Worm Extends String of Malware Attacks

A new worm known as Netsky.B emerged Wednesday. It is the second worm in the Netsky family; an earlier version, Netsky.A, was first identified Tuesday. According to Trend Micro’s Web site, Netsky.B has an overall risk rating of medium, despite having a high potential for distribution and damage.

However, Chris Belthoff, senior security analyst at antivirus company Sophos, told the E-Commerce Times that Sophos does not rank worms and viruses because doing so goes against the firm’s philosophy.

“It is confusing to try to decipher and understand why a virus is given a certain ranking,” Belthoff said. “A virus is a virus. Once it is detected, we have a duty to protect our customers. We are not going to just rank them and have our customers wait for the next weekly update.”

The Setup

Netsky.B, which has been reported primarily in Western Europe and Japan, spreads mainly by e-mail, though it also propagates through file-sharing networks like Kazaa. Like many recent worms, it cloaks itself in attractive subject lines and body text, offering files that appear to offer the intended victim something useful. In fact, the files attached to the malicious e-mail have double extensions — the first seemingly innocuous, the second an executable one — and use Microsoft Word icons to disguise themselves.

“There’s always a certain amount of psychology built into [these worms],” Belthoff said. “These files look normal to the average user who is not security-aware.”

E-mail attachments associated with the worm include “serial.txt.exe,” “photoshop 9 crack.exe” and “eminem_lick my &^%$#.mp3.pif”. In general, Belthoff noted, the presence of double extensions, such as .jpg or .mp3 followed by a second extension, such as .exe or .pif, is a sign a file has been created by a worm and should not be opened. The worm also places copies of itself in shared folders, making it easy for others to open it inadvertently.

“There continues to be a need for the proper education of end users,” Belthoff said. “Unless you are expecting a certain file from someone, don’t click it open.”

E-Mail Volume Compounds Problem

Even among technology-savvy users, however, mix-ups can occur. Forrester Research analyst Jan Sundgren told the E-Commerce Times that the other day, he almost opened a file whose first extension was .txt because he had been expecting a document.

“It is these chance coincidences that can really gets these viruses to critical mass,” Sundgren said. “There is so much e-mail being exchanged, so many exchanges of documents at any given time, that this alignment, [combined with these worms’] ability to spoof e-mail addresses, can bring about real problems.”

Users receiving Netsky.B files on Windows machines — regardless of what mail client they use — might not have the ability to check for double extensions. If users have their machines set to hide file extensions, Windows won’t show the actual executable extension, which might lead users to believe they are simply opening a text file, Forrester Research analyst Jan Sundgren told the E-Commerce Times.

For the most part, Netsky.B is affecting consumers because at the corporate level, suspect files usually are quarantined at a gateway before they can reach client PCs, Sundgren said. He added that he has not received any complaints from his corporate clients about this worm.

All in the Family

In terms of overall trends, Belthoff noted that more and more viruses and worms are part of families. As one variant dies, another arrives to replace it.

Worm families are immediately recognizable because they have shared components at the code level, Belthoff explained, noting that subsequent generations of worms are not necessarily more destructive than their predecessors.

“It depends on the variants,” he said. “Sometimes [these variants] have different objectives.”

For example, Belthoff said, some Mimail variants were used as distributed DoS (denial of service) attacks against anti-spam Web sites, while others forwarded PayPal and eBay scams.

He said it is too soon to tell which direction descendants of Netsky.B will take.