March 29, 2004 2:45 PM PST

Netsky variant a greater threat than thought

Security company Symantec raised its severity rating of the latest incarnation of the Netsky worm.

Netsky.Q was upgraded from a level 2 to level 3 threat on the security firm's five-point rating system. The company said it has received 379 reports of the worm since its discovery Sunday.

"We see quite a few variations of any major threat," said Sharon Rockman, senior director of Symantec Security Response. "But what is unusual about this time is we are having so many level 3 upgrades with Netsky, MyDoom and Bagle...Usually, there is one (worm) that is very popular and one to three variants."


Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.


Two previous Netsky variants received an upgrade to level 3 for their wide distribution.

Netsky is a mass-mailing worm that uses a bogus sender address and continually changes its subject line and content. An e-mail attachment usually carries an .exe, .pif, .scr or .zip file extension. The worm distributes itself to e-mail addresses in a victim's hard drive and copies itself into shared folders via file-sharing programs.

Unlike its predecessors, Netsky.Q is scheduled to trigger a beeping alarm at 5:11 a.m. Tuesday. This will occur only in infected computers that are operating at the time the alarm is set. Netsky.Q is also expected to release a denial-of-service attack between April 8 and April 11 on several Web sites, including those of eDonkey2000, Kazaa, eMule, Cracks.am and Cracks.st, according to Symantec.

The latest Netsky variant marks the second consecutive time the worm has been upgraded to a level 3 threat since the original author announced plans in early March to discontinue releasing variants. That announcement, part of Netsky.K, also noted that the worm's source code would be published, making it available for others to use.

Following the Netsky.K announcement, four other versions of Netsky were released, but those never exceeded a level 2 threat. Antivirus experts speculated that they were written by other authors who may not have had the same widespread distribution system as the original author had.

Security experts say it's difficult to ascertain whether the original author has stepped back into the game or new virus writers have become more proficient in developing a distribution system for their work.

"Once you release the source code, it's hard to tell if it's from a new author or the original writer," Rockman said.

1 comment

Join the conversation!
Add your comment
War between malicious code.
Looking at the targets of NetSky, it appears that there is a war between malicious code out on the Internet. NetSky is attacking sources of it's competitors. MyDoom was unarmed by I believe Bagel. Is there any other signs of war.
Posted by bjbrock (98 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.