Thursday, April 29, 2004

More on the continuing wave of Netsky virus variations:

PandaLabs has detected the appearance of the W32/Netsky.X worm. This is
another new variant of Netsky, which so far in 2004 has caused numerous
incidents to computers around the world. Its propagation is on the increase,
although it has yet to reach alarming proportions.

Netsky.X is designed to spread, using its own SMTP engine, to as many
computers as possible. It searches for e-mail addresses to send itself to in
files with the following extensions: .eml, .txt, .php, .cfg, .mbx, .mdx,
.asp, .wab, .doc, .vbs, .rtf, .uin, .shtm, .cgi, .dhtm, .adb, .tbb, .dbx,
.pl, .htm, .html, .sht, .oft, .msg, .ods, .stm, .xls, .jsp, .wsh, .xml,
.mht, .mmf, .nch and ppt.

The X variant of Netsky is transmitted in a message with the following
characteristics:

- The e-mail address of the sender is faked to confuse the recipient.

- The message carrying the virus can appear in various languages depending
on the country indicated in the domain of the recipient's e-mail address.
So, if the domain is .de, .fi, .fr, .it, .no, .pl, .pt or .se, the message
will be in German, Finnish, French, Italian, Norwegian, Polish, Portuguese
or Swedish respectively. If there is a generic domain, the message is in
English. Curiously, if the domain is .tc (Turks and Caicos Islands), the
message includes the text "mutlu etmek okumak belgili tanimlik belge".

- It includes a file with a .pif extension which contains the worm's code.
The file size is 26,112 bytes and it is packed with "tElock".

- Whatever the language, the text encourages the user to open the
attachment.

Netsky.X is programmed to carry out a denial of service attack between April
28 and 30 2004, against www.nibis.de, www.medinfo.ufl.edu and www.educa.ch.

To prevent incidents with Netsky.X, Panda Software advises users to treat
e-mails received with caution and to update their antivirus software. The
company has already made the updates to its products available to users to
ensure their solutions can detect and eliminate this worm. Similarly, users
can also detect and disinfect this and other malicious code using the free,
online antivirus, Panda ActiveScan, which is also available on the company's
website at http://www.pandasoftware.com.

Stay safe...