A new version of the Netsky e-mail worm is set to launch a distributed denial of service attack on peer-to-peer networks, anti-virus software companies have warned. The worm contains a message blaming users for spreading viruses and says that Netsky's authors want to stop hacking and illegal file trading, security experts said.
Netsky.Q, which has spread rapidly since it first appeared on Monday, is the 17th variant of the worm to be released since Netsky first appeared in February, anti-virus companies said.
The Q variant arrives in e-mail file attachments with .pif (Program Information File) or .zip file extensions. Netsky also tries to exploit a well-known Microsoft security hole that allows file attachments to be launched automatically when the e-mail message is read, according to F-Secure of Helsinki.
Netsky.Q messages are disguised to look like returned e-mail error messages that might be generated by a company's e-mail servers, with subjects such as "Delivery Error," "Error" and "Server Error". When opened, the e-mail displays messages such as "Mail Delivery -- This mail couldn't be displayed" and claim to contain a version of the rejected message as a "binary attachment", enticing users to click on the virus file, F-Secure said.
Like earlier versions of Netsky, the new version installs itself on Windows machines when the file attachment is opened. It also combs the infected machine's hard drive and harvests e-mail addresses from a variety of file types.
Netsky.Q is programmed to mail copies of itself to addresses it finds on March 31, 2004, and April 5, 12, 19 and 26, 2004, said UK-based Sophos. Computers infected with the new worm variant are also programmed to launch a denial of service attack on a number of peer-to-peer and pirate-software Web sites including www.kazaa.com, www.edonkey2000.com and www.cracks.am on April 7, and April 12, 2004, F-Secure said.
A message buried in the worm's code, and transcribed by Sophos and other anti-virus companies, may explain the programmed attacks on peer-to-peer networks. In the message, the Netsky author or authors claim to represent a benevolent group called "SkyNet Antivirus Team" claiming to be based in Russia, and draw distinctions between their creation and other worms that open back doors on infected computers. Back doors can be used to relay spam message or facilitate future hacking. "We don't have any criminal inspirations [sic]," the message reads. "Due to many reports, we do not have any backdoors included for spam relaying."
Netsky's authors have been locked in a war of words with the creators of the Bagle virus family in recent weeks. The two groups have used new worm variants as vehicles for barbs and retorts to previous insults.
The Netsky authors also declare their opposition to "hacking, sharing with illegal stuff and similar illegal content", according to the message. As for the computer users harmed by their worm, the authors say that users need better education, not software updates offered by anti-virus companies.
Security companies have released new signatures designed to detect Netsky.Q and recommended that customers update their anti-virus software.