Netsky-R latest in barrage of warring worms, Sophos comments

March 31, 2004 Sophos Press Release

The Netsky worms are named after the Skynet corporation from the movie The Terminator.

Sophos virus researchers are warning of a new strain of the Netsky worm, W32/Netsky-R, which launches denial-of-service attacks on peer-to-peer file sharing sites, including Kazaa, as well as various sites offering software security cracks.

The mass-mailing worm spreads via email to addresses harvested from files found on local drives of infected PCs. It arrives with the subject line 'Re:Document<random number>' and includes the message text: 'Excuse me, the important document is attached, Yours sincerely'. When the attached file 'Document <random number>' is launched, Netsky-R attempts to launch a denial-of-service attack against several websites and attempts to delete a number of registry entries, including some related to the Bagle family of worms.

Netsky-R is the latest variant to enter the war against the Bagle worm - including an encrypted message attacking Bagle's author and threatening further versions of the Netsky worm:

'Yes, true, you have understand it. Bagle is a shitty guy, he opens a backdoor and he makes a lot of money. Netsky not, Netsky is Skynet, a good software, Good guys behind it. Believe me, or not. We will release thousands of our Skynet versions, as long as bagle is there...'

"The Netsky worms have been plaguing computer users for a couple of months now, and people are starting to get pretty sick of the petty squabbles between the Netsky authors and their virus writing rivals," said Carole Theriault, security consultant, Sophos. "As well as attacking websites and mass-mailing to harvested email addresses, this latest version seems to have singled out someone called 'Jena' for a personal attack, ensuring that the worm is always sent to her Yahoo email address. Given the amount of email generated to the web email account, it must have been rendered useless by now, unless of course it is being used to track how far the worm is spreading by the number of mails generated."

Sophos recommends that businesses ensure their anti-virus protection is up-to-date and filter attachments which may contain malicious code at the email gateway.