New NetSky worm gets lost in translation


21 Apr 2004

The latest variant of the NetSky worm has been speaking in tongues… badly. Researchers have discovered emails bearing the worm written in up to 10 different languages.

Discovered yesterday, it appears to be another effort at social engineering on the part of the worm writer, on the basis that users may be more likely to click on the attachment of a message written in their own language.

Netsky.X sends messages in as many as 10 different languages: English, Swedish, Finnish, Polish, Norwegian, Portuguese, Italian, French, German and possibly the language of some small island called Turks and Caicos, located in the Atlantic Ocean.

The worm’s author is no polyglot, however. F-Secure’s researchers said that in many cases the messages are poorly composed, suggesting that the worm’s author either did not ask native speakers for translations or used an online translation service, which doesn’t always give grammatically accurate results.

According to Finnish security provider F-Secure, in most other respects .X differs little from previous versions of NetSky. As much as 86pc of the code was found to be the same as NetSky.U and the two share other features in common.

The worm composes two different types of messages. Depending on whether the destination address is in one of the following domains (.tc, .se, .fi, .pl, .no, .pt, .it, .fr, .de or .xx), the subject line and body text appear in the corresponding language.

The worm will be used to launch a denial of service attack against three websites, although there is some dispute between antivirus vendors as to exactly when this will happen. Sophos said the attack would be between 27 and 31 April, whereas F-Secure said it would take place from 28 to 30 April. The worm is set to continuously request pages from the following sites: www.nibis.de, www.medinfo.ufl.edu and www.educa.ch.

NetSky.X uses bad language in more ways than one: Sophos also spotted that its file name in encoded form contains an insult against Bagle, which appears to be a reference to the worm of the same name that appeared earlier this year. Previous versions of both worms were found to contain text that showed the rivalry between the two authors, as insults and four-letter words flew.

By Gordon Smith