Sophos warns users not to fall for Netsky confidence trick, as
Netsky author claims he is the creator of the Sasser worm
Virus researchers at Sophos have warned users that a new
in-the-wild worm, W32/Netsky-AC, is posing
as a cure for the fast-spreading Sasser worm.
Attached to emails generated by Netsky-AC is a file claiming to
come from an anti-virus company, and to be a fix for the Sasser
worm.
With the Sasser worm spreading quickly around the world,
infecting internet users and generating headlines in the media,
Sophos is concerned that some users may fall for Netsky-AC's trick
and launch its damaging payload.
"This latest Netsky worm arrives via email, pretending to be a
warning from an anti-virus company that you are infected by the
Sasser, Netsky, Bagle, Blaster or MyDoom worms. The Netsky author
is preying on user's fear of computer attack," said Graham Cluley,
senior technology consultant for Sophos. "The very worst thing you
can do is fall for this trick by clicking on the attached
file."
If run, the worm can forward itself to addresses found on the
victim's computer, spreading the virus even further.
A typical email sent by the W32/Netsky-AC worm contains the
following message:
We have received several abuses:- Hundreds of infected e-Mails have been sent
from your mail account by the new worm Sasser.B
- Spam email has been relayed by the backdoor
that the virus has created
The malicious file uses your mail account to
distribute
itself. The backdoor that the worm opens allows remote
attackers
to gain the control of your computer. This new worm
is spreading rapidly around the world now
and it is a serios new threat that hits users.
Due to this, we are providing you to remove the
infection on your computer and to
stop the spreading of the malware with a
special desinfection tool attached to this mail.
If you have problems with the virus removal file,
please contact our support team at
support@<anti-virus company's name>
As well as claiming to be a warning about "Sasser.B", the worm
can also refer to the viruses "NetSky.AB", "Bagle.AB", "Mydoom.F",
and "MSBlast.B". More details on the different emails that
Netsky-AC can send can be found in Sophos's W32/Netsky-AC virus
analysis.
Did Netsky author also write Sasser?
Sophos researchers have also discovered that hidden inside the
code of Netsky-AC is the following text, directed towards
anti-virus companies:
Hey, av firms, do you know that we have
programmed the sasser virus?!?. Yeah thats true! Why do you have
named it sasser? A Tip: Compare the FTP-Server code with the one
from Skynet.V!!! LooL! We are the Skynet...
"The series of Netsky worms - like Sasser - have been
tremendously successful at spreading, but it's hard to be 100%
certain at this stage if the same people are behind both viruses,"
continued Cluley. "Everybody should practise safe computing to
ensure their computers are properly defended from viruses and
worms."
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.