
Netsky.L worm
An interloper?

By , About.com Guide

Mar 10 2004

The Netsky family of worms has played something of a lone wolf, stalking Bagle and MyDoom worm variants and attempting to disable them. Now, however, a new variant of Netsky omits the formerly 'friendly' aspects and simply behaves like every other worm. That is to say, its sole purpose appears to be to spread, and any 'noble' intentions of removing other worms have been left behind. The question is, can Netsky.L really be from the same author, or has someone else taken over the reins?

Graham Cluley, senior technology consultant for Sophos, thinks the worm's author has changed. "Unlike earlier variants, Netsky-L contains no mention of 'Skynet', does not try and disinfect the Bagle worm, and contains no hidden text slagging off Bagle's author," asserts Graham. "These and other differences in the code lead us to suspect that it may have been written by a different person."

Indeed, a previous variant, Netsky.J (discovered on March 8, 2004), promised not only that it would be the last Netsky variant, but that the source code for the worm would be made publicly available. Another variant discovered that same day was subsequently dubbed Netsky.K but is thought to have actually preceded the Netsky.J worm.

Netsky.L copies itself to the Windows directory as AVprotect.exe and modifies the system registry as follows:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"HtProtect"="%Windir%\AVprotect.exe"

This effectively enables the worm to load when Windows is started.

Netsky.L harvests email addresses from a wide range of file types found on the system. It then uses its own SMTP engine to send itself to the addresses it has collected, using one of the harvested addresses as the forged 'From' address.

The attachment used by the worm is a .PIF file. Netsky.L 'personalizes' the attachment name, using a portion of the email's 'To' address in the filename. The attachment will be named one of the following:

    your_file_<username>.pif
    details_<username>.pif
    document_<username>.pif
    <username>.pif

    (where <username> signifies the portion of the To address preceding the @ sign).

The subject line of the Netsky.L email will be one of the following:

    Re: Important
    Re: Your document
    Re: Your details
    Re: Approved

The message body will read one of the following:

    Your file is attached.
    Please read the document.
    Your document is attached.
    Please read the attached file.
    Please see the attached file for details.

Unlike previous Netsky variants, there is no stop spread date coded into the worm.
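The indicators above (the Run-key value, the attachment-name templates built from the recipient's address, and the fixed subject and body strings) are enough to write a simple mail-gateway check and a registry-export check. The following is an added example, not code from the article or from any antivirus vendor; the sample message and the sample .reg text are constructed for illustration, and the helper names are my own.

```python
"""Added example: detection helpers for the Netsky.L indicators described in
the article. The registry value and the email subjects, bodies and attachment
name templates are taken from the article; SAMPLE_EMAIL and SAMPLE_REG are
constructed test data, not real captures."""
import re
from email import message_from_string

# Fixed strings quoted in the article.
SUBJECTS = {"Re: Important", "Re: Your document", "Re: Your details", "Re: Approved"}
BODIES = {
    "Your file is attached.",
    "Please read the document.",
    "Your document is attached.",
    "Please read the attached file.",
    "Please see the attached file for details.",
}
ATTACHMENT_TEMPLATES = ("your_file_{u}.pif", "details_{u}.pif", "document_{u}.pif", "{u}.pif")
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "HtProtect"
PAYLOAD_NAME = "avprotect.exe"


def expected_attachment_names(to_address: str) -> set:
    """Attachment names Netsky.L would use for this recipient: the part of the
    'To' address before the '@' is spliced into one of four fixed templates."""
    username = to_address.split("<")[-1].rstrip(">").split("@")[0].strip()
    return {t.format(u=username).lower() for t in ATTACHMENT_TEMPLATES}


def netsky_l_indicators(raw_message: str) -> dict:
    """Report which of the article's indicators a raw RFC 822 message matches.
    The verdict requires the personalised attachment name plus at least one of
    the fixed subject or body strings, so a lone 'Re: Approved' is not enough."""
    msg = message_from_string(raw_message)
    to_addr = msg.get("To", "")
    subject = (msg.get("Subject") or "").strip()
    names = set()
    body_text = ""
    for part in msg.walk():
        fname = part.get_filename()
        if fname:
            names.add(fname.lower())
        elif part.get_content_type() == "text/plain":
            body_text = part.get_payload(decode=True).decode(errors="replace").strip()
    hits = {
        "subject": subject in SUBJECTS,
        "body": body_text in BODIES,
        "attachment": bool(names & expected_attachment_names(to_addr)),
    }
    hits["verdict"] = hits["attachment"] and (hits["subject"] or hits["body"])
    return hits


def run_key_persistence(reg_export: str) -> list:
    """Scan the text of a `reg export` of the Run key for the HtProtect value
    or any value pointing at AVprotect.exe. Returns the matching value lines."""
    in_run_key = False
    findings = []
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and (m.group(1) == RUN_VALUE or PAYLOAD_NAME in m.group(2).lower()):
            findings.append(line)
    return findings


# Constructed sample message in the shape the article describes (not a real capture).
SAMPLE_EMAIL = """From: someone@example.org
To: alice@example.com
Subject: Re: Your details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Please read the attached file.
--XX
Content-Type: application/octet-stream; name="details_alice.pif"
Content-Disposition: attachment; filename="details_alice.pif"
Content-Transfer-Encoding: base64

AAAA
--XX--
"""

# Constructed .reg export text; backslashes are doubled as `reg export` writes them.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HtProtect"="%Windir%\\AVprotect.exe"
"SomeLegitApp"="C:\\Program Files\\App\\app.exe"
"""

if __name__ == "__main__":
    print(netsky_l_indicators(SAMPLE_EMAIL))
    print(run_key_persistence(SAMPLE_REG))
```

The attachment check is the most useful of the three because it ties the filename to the recipient, which ordinary mail rarely does; the subject and body strings are short and generic, so on their own they would produce false positives.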


©2009 About.com, a part of The New York Times Company.

All rights reserved.