New Netsky Variant -- No Attachment Needed

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  
Users don't even need to open an attachment to be infected with the latest variant of thevirulent Netsky virus.

Netsky-V, unlike its widespread siblings, spreads without using email attachments. Thatmeans users can get hit with the virus just by opening a tainted email.

''This makes me a little bit nervous because of the way it automatically infectsmachines,'' says Patrick Hinojosa, CTO at Panda Software U.S., an anti-virus and intrusionprevention company with U.S. headquarters in Glendale, Calif. ''It doesn't require foolishend users to spread. And anything that doesn't require user participation to work is badnews.''

Analysts note that a flood of worms and viruses have been plaguing corporate networks overthe last few months. And those infections have occurred because users, despite beingeducated about the dangers of attachments, were either negligent enough to click on anattachment or they were conned into it. That leaves analysts worrying how bad a virusinfection could get if a user doesn't have to screw up to make it work.

''This is a problem,'' says Hinojosa. ''Smart user, not a smart user -- it doesn't reallymatter. What matters here is if you have patched software. These are the viruses that canspread pretty fast... How successfully it spreads just depends on how well it was written.

''I'm just hoping this one wasn't written very well,'' adds Hinojosa.

So far, it's unclear how quickly this worm is spreading. Since it was just released intothe wild, the numbers on it aren't really in it.

This new V variant has malicious XML code hidden in the message body of the email. When auser opens the email to read it, the code automatically seeks out a known object validationvulnerability in Microsoft Corp.'s Outlook and Internet Explorer software. Thevulnerability allows the malicious code to be trusted, installed and executed on the localsystem.

Once the computer is infected, the malicious code will install a backdoor that listens toTCP ports 5556 and 5557. Netsky-V is designed to launch denial-of-service attacks onseveral Web sites between April 22 and April 28. The sites to be attacked includekazaa.com; emule.de; cracks.am; freemule.net, and keygen.us.

Ken Dunham, director of malicious code at iDefense, a security intelligence firm based inReston, Va., says Microsoft released information about the vulnerability, along with apatch to correct it, early last October. If a system has been patched, Netsky-V will not beable to infect the computer.

But Hinojosa says there are millions of computers that have not been updated, so arevulnerable to the attack.

''There are millions of unpatched computers on the corporate side,'' says Hinojosa. ''MostU.S. workers work for companies with fewer than 25 employees. They don't have a systemadministrator. And that's not counting all the home users -- the millions of home users --who haven't patched their systems in the last several months. How fast this spreads dependsonly on how well it was written.''