Netsky-R latest in barrage of warring worms, Sophos comments

Sophos Press Release
The Netsky worms are named after the Skynet corporation from the movie The Terminator.

Sophos virus researchers are warning of a new strain of the Netsky worm, W32/Netsky-R, which launches denial-of-service attacks on peer-to-peer file sharing sites, including Kazaa, as well as various sites offering software security cracks.

The mass-mailing worm spreads via email to addresses harvested from files found on local drives of infected PCs. It arrives with the subject line 'Re:Document<random number>' and includes the message text: 'Excuse me, the important document is attached, Yours sincerely'. When the attached file 'Document <random number>' is launched, Netsky-R attempts to launch a denial-of-service attack against several websites and attempts to delete a number of registry entries, including some related to the Bagle family of worms.

Netsky-R is the latest variant to enter the war against the Bagle worm. It includes an encrypted message attacking Bagle's author and threatening further versions of the Netsky worm:

'Yes, true, you have understand it. Bagle is a shitty guy, he opens a backdoor and he makes a lot of money. Netsky not, Netsky is Skynet, a good software, Good guys behind it. Believe me, or not. We will release thousands of our Skynet versions, as long as bagle is there...'

"The Netsky worms have been plaguing computer users for a couple of months now, and people are starting to get pretty sick of the petty squabbles between the Netsky authors and their virus writing rivals," said Carole Theriault, security consultant, Sophos. "As well as attacking websites and mass-mailing to harvested email addresses, this latest version seems to have singled out someone called 'Jena' for a personal attack, ensuring that the worm is always sent to her Yahoo email address. Given the amount of email generated to the web email account, it must have been rendered useless by now, unless of course it is being used to track how far the worm is spreading by the number of mails generated."

Sophos recommends that businesses ensure their anti-virus protection is up-to-date and filter attachments which may contain malicious code at the email gateway.
