Netsky Worms Just Keep On Coming

On Friday, the latest variant of the pernicious Netsky worm, dubbed Netsky.w, was let loose on the Internet. Earlier this week, Netsky.v, a more dangerous variation, appeared.

April 16, 2004


Wednesday's Netsky.v takes a page out of Bagle's playbook by not loading its payload in a file attachment that users must open to become infected. Instead, it exploits a long-known vulnerability in Internet Explorer -- called the Object Data Remote Execution vulnerability -- that was first disclosed, and patched, back in October 2003.

Users of Outlook and Outlook Express who haven't applied the patch and who only read or preview the message can be infected by Netsky.v, warned numerous anti-virus firms.

The no-attachment tactic was last used by a March blitz of Bagle worms -- Bagle.q, Bagle.r, Bagle.s, and Bagle.t -- that one security analyst characterized as kicking the war of worms up a notch.

Netsky.v also shares characteristics with other recent variants, including opening a backdoor component that leaves the infected system at risk for additional attacks (in Netsky.v's case, TCP ports 5556 and 5557 are opened), and scheduling a denial-of-service (DoS) attack against peer-to-peer file-sharing Web sites such as kazaa.com, emule.de, and freemule.net. The DoS attacks are to start on April 22 and run through April 29.

This variant also includes embedded text in its code, said anti-virus vendor Panda Software, a trait of many in the Netsky and Bagle families. "Now we are presenting our new AntiHacker Engine - SkyNet Team," the text reads.

The patch for the IE vulnerability, which stymies Netsky.v's tactic, is available for versions 5.01, 5.5, 6.0, and 6.0 for Windows Server 2003 of the Microsoft Web browser.

Netsky.w, which was discovered Friday, is a more traditional Netsky worm, in that it includes a file attachment -- the attachment can sport .exe, .pif, .scr, or .zip extensions -- and deletes versions of the MyDoom, Mimail, and Bagle worms it finds on the compromised machine.

Both Netsky.v and Netsky.w are currently tagged as relatively low threats by anti-virus firms.
