Netsky-D Worm Spreading Through E-Mail

The new virus, which emerged early Monday in Europe, was not thought to be as big as MyDoom, but security experts said it still presented a threat to slow down general Internet traffic.

"Volume of activity with Netsky-D is certainly less than what it was with MyDoom, but it's definitely something people should look out for," said Chris Belthoff, senior security analyst with Sophos, a security firm in Lynnfield, Mass. "Every virus presents potential danger."

According to Belthoff, the virus arrives with an attached .pif (program information file). When opened, the file rapidly replicates itself, sending copies to addresses in the victim's Microsoft Outlook address book.

Unlike other viruses, Netsky-D actually avoids sending itself to e-mail addresses that contain suffixes of antivirus companies or Microsoft itself. Belthoff described this behavior as an attempt by the virus writer to get the virus propagated as widely as possible without detection.

He added that the strategy has become popular only in the last month.

Aside from this stealth propagation technique, Netsky-D is particularly difficult to root out because it lands in e-mail boxes using a number of different subject lines such as "Re: details" or "Re: here is the document."

Belthoff said the best way to escape infection from the virus is to avoid opening it and to delete it.
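Because the subject lines vary while the .pif attachment does not, a mail filter has more to work with in the attachment name than in the subject. The following Python sketch is an added example, not code from Sophos or Symantec; the extension list beyond .pif, the addresses and the sample messages are constructed assumptions.

```python
import os
from email import message_from_bytes
from email.message import EmailMessage

# Assumption: extensions a gateway treats as directly executable on Windows.
# Only .pif is named in the article; the rest are illustrative.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe", ".com", ".bat"}


def risky_attachments(raw_message: bytes) -> list:
    """Return the attachment filenames whose final extension is blocked."""
    hits = []
    for part in message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue
        # Only the last extension decides how the file is launched, so
        # "document.txt.pif" is still a .pif; trailing dots/spaces are dropped.
        ext = os.path.splitext(name.rstrip(". ").lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample(subject: str, filename: str) -> bytes:
    """Build a constructed test message; the attachment is placeholder bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content("Constructed sample body.")
    msg.add_attachment(b"placeholder, not a real program",
                       maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


# Constructed samples: two subject lines quoted in the article, plus a
# harmless message that reuses one of those subjects.
SAMPLES = {
    "pif": build_sample("Re: details", "details.pif"),
    "double": build_sample("Re: here is the document", "document.txt.pif"),
    "benign": build_sample("Re: details", "details.pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, risky_attachments(raw))
```

The benign sample shares a subject with a flagged one, which is why matching on subject alone would both miss variants and block legitimate replies.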

Netsky-B, an earlier variant of the latest worm that uses its own SMTP to send itself across the Web, was rated the third-worst computer virus in February after MyDoom-A and Sober-C, according to Sophos.

Symantec, Cupertino, Calif., also noted that this earlier version of the Netsky worm searches drives C through Z for folder names containing "Share" or "Sharing" then copies itself to those folders for further distribution.

For more, see Symantec's Web site.