Netsky.x Wild On The Net

Netsky.x, which is similar to past Netsky variants, arrives as an e-mail message with a spoofed address, uses a English subject line that reads "Re: Document," and tucks its payload into a .pif file. Once it infects a system, it hijacks e-mail addresses found on the PC and spreads to others.

The worm is intelligent enough to craft its message to the language of several e-mail top-level domains. If the address' domain is "de," for example, the subject head changes to "Re: dokument" and the message text to "Bitte lesen Sie das Dokument."

Like other Netskys, version X also schedules a denial-of-service (DoS) attack on several Web sites, including nibis.de, medinfo.ufl.edu, and educa.ch starting on April 28 and running through April 30.

(The author of Netsky.x must have something against learning, for all three targets -- one each in Germany, Switzerland, and the U.S. -- are educational sites.)

The worm also opens a backdoor on TCP port 82, which the hacker can use to later plant other malicious code, such as key logger.

In keeping with the juvenile tradition of Netsky authors, this one took a shot at Bagle, a competing worm, by naming the text file copy of itself as "f***_you_bagle.txt." The copy is dropped into the Windows folder; its presence is a sure sign of infection.

Netsky.x was bumped from a level "2" threat to a "3" by Symantec early Tuesday in response to an increased number of submissions. Symantec uses a 1 through 5 scale to denote a virus' of worm's severity.

This story courtesy of TechWeb News