Posted on 03/01/2004 8:07:03 PM PST by Libloather
New Netsky-D Worm Spreading Through E-Mail
Mon Mar 1, 10:28 AM ET
LONDON (Reuters) - A new computer worm dubbed "Netsky-D" was clogging e-mail systems around the world after emerging on Monday, a security expert said.
The worm is particularly difficult to root out because it lands in e-mail boxes using a number of different subject lines such as "re:details" or "re:here is the document."
"It arrives with an attached pif file (program information file) and it's already extremely widespread," said Graham Cluley, senior technology consultant at Sophos Plc.
He said experts do not think the new virus is as big as MyDoom, which brought havoc to computer users and targeted Microsoft's Web Site, but that the full extent of Netsky-D's spread would be known as North America logs on.
When opened, the virus pif file will rapidly replicate itself, slowing down computers and e-mail bandwidth.
"We suspect people are more laid back about pif files because they may not have heard of them and may not realize they can contain dangerous code," Cluley said. "The best thing to do with this file is to delete it, don't open it."
Netsky-B, an earlier variant of the latest worm, was rated the third worst computer virus in February after MyDoom-A and Sober-C, according to Sophos, which writes anti-virus and anti-spam software.
Stupidity on a par with the people that don't have the brains not to open an email with a .pif attached from an unfamiliar address?
Indeed, it would seem that while there may sometimes be reasons to send executables via email (though IMHO, it's a bad idea--they should at minimum be ZIPped first), I see no real need to RUN executables from within an email, without saving them to disk first. So forcing a manual "Save As..." would allow people to do what they need without having their system get taken over.
(1) It's possible for a .PIF or other executable file to masquerade as something else. Indeed, unless Microsoft has fixed it, it's possible to have a file's MIME type set as executable even when the file name doesn't contain an executable extension (oh joy oh rapture). Opening a .PIF is obviously crazy, but what about opening a .JPG (which is in reality a .PIF in disguise)?
(2) Most of these worms come "From:" the infected machine. So many of the people receiving them will think they came from someone who might legitimately send them attachments.
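A mail-gateway style check for the cases raised in the comment above (an executable extension, and an executable hiding behind a harmless-looking name), as an added example that is not part of the original thread. The extension and MIME-type lists, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed lists for illustration; a real gateway policy would be broader.
EXEC_EXTS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd"}
EXEC_TYPES = {"application/x-msdownload", "application/x-msdos-program"}

def audit_attachments(raw: bytes) -> dict:
    """Return {filename: [reasons]} for attachments that should be quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        ext = suffixes[-1] if suffixes else ""
        body = part.get_payload(decode=True) or b""
        reasons = []
        if ext in EXEC_EXTS:
            reasons.append("executable extension")
            if len(suffixes) > 1:  # e.g. document.txt.pif
                reasons.append("double extension")
        else:
            # The name looks harmless: check the declared type and the bytes.
            if part.get_content_type() in EXEC_TYPES:
                reasons.append("executable MIME type behind harmless name")
            if body[:2] == b"MZ":  # DOS/Windows executable header
                reasons.append("executable content behind harmless name")
        if reasons:
            findings[name] = reasons
    return findings

def build_sample() -> bytes:
    """Constructed test message; addresses and payloads are made up."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "partner@example.com", "user@example.org"
    msg["Subject"] = "re:details"
    msg.set_content("here is the document")
    stub = b"MZ" + b"\x00" * 62  # inert stand-in for an executable header
    png = b"\x89PNG\r\n\x1a\n"   # benign image header
    for data, sub, fname in [(stub, "octet-stream", "details.pif"),
                             (stub, "octet-stream", "document.txt.pif"),
                             (stub, "x-msdownload", "photo.jpg")]:
        msg.add_attachment(data, maintype="application", subtype=sub, filename=fname)
    msg.add_attachment(png, maintype="image", subtype="png", filename="logo.png")
    return msg.as_bytes()

if __name__ == "__main__":
    print(audit_attachments(build_sample()))
```

The forged "From:" case in point (2) is not something this check can see; it only inspects what is attached, not who claims to have sent it.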
We received about 15 copies today, all originating from a University. In each case, the subject line was different, and the attachment was a zip file. The reply-to was a known email account of one of our business partners (obviously forged). We sent all 15 copies back to abuse@ the university to try and stop it.
The moral is that you can get email from a known name, and it can still be forged and contain a virus.
I guess people need to be aware of it considering how many people are vulnerable.
Fortunately for me, I've already loaded the Ultimate Service Pack.
I'm not confident about familiar address either. There are viri which will take the addresses in your address book, and send messages to them, ostensibly from you.