New net worm wiggles out

19 Feb 2004

Warnings have begun to spread of a new mass-mailing worm known as Netsky-B, with several security vendors classing the threat as severe. Confusing the issue further, the worm also goes by the names or variants I-Worm.Moodown.B, W32/Netsky.B@mm and Moodown.B.

The worm spreads by email, either inside a ZIP archive or as an executable attachment. It sends itself to email addresses found on the hard drives of infected PCs and copies itself to any available Windows network file shares. When mailing itself, it spoofs the ‘from’ field in a message to make it appear as if it comes from a colleague or friend, increasing the chances that a user might open the attachment carrying the worm.

Mails infected with the worm carry a range of possible subject lines and messages. When copying itself to shared folders, it chooses from a range of filenames including winxp_crack.exe, dolly_buster.jpg.pif, strippoker.exe, photoshop 9 crack.exe, matrix.scr or porno.scr.

According to the antivirus provider Sophos, users can avoid having their computers infected by blocking all files with double extensions.
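The double-extension rule attributed to Sophos above, written as a mail-attachment check that also looks inside ZIP attachments, since the worm travels in ZIP archives. This is an added example, not code from Sophos or the article; the executable-extension list, the sample message and the archive name photos.zip are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed set of Windows-executable extensions; adjust to local policy.
EXECUTABLE = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}
# A short "decoy" extension followed by a final extension, e.g. ".jpg.pif".
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,4}(\.[a-z0-9]+)\s*$")

def has_double_extension(name):
    """True if the name ends in <decoy ext>.<executable ext>."""
    m = DOUBLE_EXT.search(name.lower())
    return bool(m) and m.group(1) in EXECUTABLE

def flagged_attachments(raw_message):
    """Return attachment names (and ZIP member names) matching the rule."""
    hits = []
    for part in message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue
        if has_double_extension(name):
            hits.append(name)
        payload = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                hits += [f"{name}!{member}" for member in zf.namelist()
                         if has_double_extension(member)]
    return hits

def build_sample():
    """Constructed message: harmless placeholder bytes under names from the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dolly_buster.jpg.pif", b"constructed placeholder")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    msg.add_attachment(b"constructed placeholder", maintype="application",
                       subtype="octet-stream", filename="matrix.scr")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="photos.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for hit in flagged_attachments(build_sample()):
        print("block:", hit)
```

Of the share filenames listed in the article, only dolly_buster.jpg.pif matches this rule; names such as matrix.scr carry a single executable extension, so a double-extension block on its own does not cover them.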

The new worm was discovered yesterday and is being treated with caution. Although it has not yet been given the highest possible severity rating by many security sites, it has been listed in the next category, marking it out as prone to causing large infections.

By Gordon Smith