PandaLabs has detected the appearance of the W32/Netsky.X worm. This is another new variant of Netsky, which so far in 2004 has caused numerous incidents on computers around the world. Its propagation is on the increase, although it has yet to reach alarming proportions.
Netsky.X is designed to spread, using its own SMTP engine, to as many computers as possible. It searches for e-mail addresses to send itself to in files with the following extensions: .eml, .txt, .php, .cfg, .mbx, .mdx, .asp, .wab, .doc, .vbs, .rtf, .uin, .shtm, .cgi, .dhtm, .adb, .tbb, .dbx, .pl, .htm, .html, .sht, .oft, .msg, .ods, .stm, .xls, .jsp, .wsh, .xml, .mht, .mmf, .nch and .ppt.
The X variant of Netsky is transmitted in a message with the following characteristics:
– The e-mail address of the sender is faked to confuse the recipient.
– The message carrying the virus can appear in various languages depending on the country indicated in the domain of the recipient’s e-mail address. So, if the domain is .de, .fi, .fr, .it, .no, .pl, .pt or .se, the message will be in German, Finnish, French, Italian, Norwegian, Polish, Portuguese or Swedish respectively. If there is a generic domain, the message is in English. Curiously, if the domain is .tc (Turks and Caicos Islands), the message includes the text “mutlu etmek okumak belgili tanimlik belge”.
– It includes a file with a .pif extension which contains the worm’s code. The file size is 26,112 bytes and it is packed with “tElock”.
– Whatever the language, the text encourages the user to open the attachment.
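As an added illustration (not part of Panda Software's advisory), the following mail-gateway check flags attachments that match the traits listed above: a .pif extension, with a note on whether the decoded size equals 26,112 bytes. The function names, sample addresses and the zero-byte payload are assumptions constructed for the example; size alone is not a signature and only serves as a triage hint.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

NETSKY_X_SIZE = 26112   # attachment size stated in the advisory
BLOCKED_EXT = ".pif"    # attachment extension stated in the advisory


def scan_message(raw: bytes) -> list[dict]:
    """Return one finding per attachment whose name ends in .pif."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue  # body parts and unnamed parts are not attachments
        # Windows ignores trailing dots and spaces in file names, so
        # strip them before comparing the extension (case-insensitive).
        clean = name.strip().rstrip(". ").lower()
        if not clean.endswith(BLOCKED_EXT):
            continue
        payload = part.get_payload(decode=True) or b""  # undo base64/QP
        findings.append({
            "filename": name,
            "size": len(payload),
            "size_match": len(payload) == NETSKY_X_SIZE,
        })
    return findings


def build_sample(filename: str, size: int) -> bytes:
    """Constructed test message; the payload is zero bytes, not worm code."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"   # hypothetical addresses
    msg["To"] = "user@example.de"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, size in [("document.PIF", 26112), ("notes.txt", 26112),
                        ("details.txt.pif", 100)]:
        print(fname, scan_message(build_sample(fname, size)))
```
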
Netsky.X is programmed to carry out a denial of service attack between April 28 and 30, 2004, against www.nibis.de, www.medinfo.ufl.edu and www.educa.ch.
To prevent incidents with Netsky.X, Panda Software advises users to treat incoming e-mail with caution and to update their antivirus software. The company has already made updates to its products available so that users' solutions can detect and eliminate this worm. Users can also detect and disinfect this and other malicious code using the free online antivirus, Panda ActiveScan, which is available on the company’s website at http://www.pandasoftware.com.
More information on Netsky.X is available in Panda Software’s Virus Encyclopedia.