Within only forty minutes of Netsky.C's initial discovery, antivirus vendor Central Command reported over 1500 confirmed cases of infection, prompting Steven Sundermeier, Vice President of Products and Services at Central Command, to predict, "Due to the fast spreading nature of mass mailing worms, Netsky.C will once again plague email users worldwide."
Netsky.C attempts to deactivate any MyDoom.A, MyDoom.B, or Mimail.T infections found.
According to PandaLabs, Netsky.C has been designed to emit a specific sequence of sounds through the speakers of the affected computer between 06:00 a.m. and 08:59 a.m. on February 26.
As with previous Netsky variants, Netsky.C spoofs the sender's name on the email it composes. Doing so can result in erroneous alerts being sent to the spoofed sender, causing confusion and adding to the overall worm traffic.
Netsky.C composes its email by randomly selecting from a large list of strings for the subject, body, and attachment name. At least half the time, Netsky.C will send itself as a ZIP attachment. The remainder will be sent as either a .COM, .EXE, .PIF, or .SCR attachment.
Netsky.C may employ a double extension ruse. In that case, the first false extension will be either .doc, .htm, .rtf, or .text. The second, actual extension will be either .COM, .EXE, .PIF, or .SCR. By default, Windows does not display executable file extensions, so users who have not enabled file extension viewing will likely be fooled by this ruse, as the attachment will appear to be .doc, .htm, .rtf, or .text. The File Extension Center provides steps on enabling file extension viewing.
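A mail gateway can check for this naming pattern without relying on what the recipient's Windows settings display. The following Python sketch is an added example, not code from the original article or from any vendor named in it: the function names are hypothetical, the extension sets are the ones listed above, and the sample archive is constructed in memory. It also looks at member names inside ZIP attachments, since the worm frequently sends itself zipped.

```python
import io
import zipfile

# Extension lists as given in the article (constructed detection sets).
DECOY_EXTS = {".doc", ".htm", ".rtf", ".text"}
EXEC_EXTS = {".com", ".exe", ".pif", ".scr"}


def split_exts(filename):
    """Return (decoy, real): the second-to-last and last extension, lowercased."""
    # Windows ignores trailing dots/spaces, and padding can hide the real extension.
    name = filename.strip().rstrip(". ").lower()
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 2:
        return None, None
    decoy = "." + parts[-2] if len(parts) >= 3 else None
    return decoy, "." + parts[-1]


def classify_name(filename):
    """Return 'double-extension', 'executable', 'zip' or 'ok' for one name."""
    decoy, real = split_exts(filename)
    if real in EXEC_EXTS:
        return "double-extension" if decoy in DECOY_EXTS else "executable"
    return "zip" if real == ".zip" else "ok"


def classify_attachment(filename, payload=b""):
    """Classify an attachment; ZIP archives are judged by their member names."""
    verdict = classify_name(filename)
    if verdict != "zip":
        return verdict
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as archive:
            inner = {classify_name(n) for n in archive.namelist()}
    except zipfile.BadZipFile:
        return "zip-unreadable"  # cannot inspect: treat as suspicious upstream
    for bad in ("double-extension", "executable"):
        if bad in inner:
            return "zip-" + bad
    return "ok"


def make_sample_zip(member_name):
    """Build a constructed in-memory ZIP holding one harmless text member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(member_name, "constructed sample, not malware")
    return buf.getvalue()
```

Any verdict other than "ok" is a reason to quarantine or strip the attachment at the gateway rather than deliver it.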

