New Netsky worms change their stripes
New versions of the Netsky e-mail worm are spreading on the Internet and may be the work of a different author than previous editions of that worm, according to antivirus software companies.
Netsky.S appeared on Monday and Netsky.T was detected Tuesday. They are the 19th and 20th editions of an e-mail virus that first appeared in February. Unlike earlier variants, the new Netsky strains open "back doors" on machines they infect, prompting at least one antivirus expert to declare the worm the work of a different virus author.
Network Associates Inc.'s McAfee Antivirus Emergency Response Team (AVERT) rated Netsky.S a "medium" threat. The company has received around 300 samples from customers and from virus-infected machines, said Craig Schmugar, virus research manager for McAfee AVERT.
The company has received only a few copies of the Netsky.T virus, he said. Sophos PLC said it received just one copy of the Netsky.T worm, according to an advisory.
Like its predecessors, the new Netsky variants target machines running versions of Microsoft Corp.'s Windows operating system. The viruses arrive as files enclosed in e-mail messages that have faked (or "spoofed") sender addresses and vague subjects such as "Re: My details," "Request" and "Thank You!" according to antivirus company Symantec Corp.
Earlier Netsky variants did not open communications ports that remote attackers could use as so-called "back doors" to access the compromised system. They also removed copies of the Bagle e-mail worm from infected machines.
Some antivirus experts believe that Netsky's attack on Bagle installations is behind a war of words between the Netsky author or authors and the creators of the Bagle virus family in recent weeks. The two groups have used new worm variants as vehicles for barbs and retorts to previous insults.
In those exchanges, Netsky's author or authors positioned themselves as the "good guys" locked in a battle with online criminals and spammers. One recent variant, Netsky.Q, even contained an impassioned defense of the Netsky worms.
"We don't have any criminal inspirations (sic). Due to many reports, we do not have any backdoors included for spam relaying," read text hidden in Netsky.Q and transcribed by Sophos and other antivirus companies.
However, the latest Netsky variants abandon the high ground, opening a backdoor on TCP (Transmission Control Protocol) port 6789, which could be used to receive instructions or malicious code from the worm author. A message in the new worm tries to make distinctions between opening a back door and installing a remote access Trojan, but does not contain any overt criticisms of the Bagle author, said Schmugar.