Netsky.q Most Dangerous Of Three New Worms

New variations of several prominent -- and persistent -- worm families hit the Internet Monday as the wave of malicious code copy-cats continues.

March 29, 2004

Brand-new versions of the Netsky, Bagle, and Sober worm lines made it into the wild, with the Netsky variant, dubbed Netsky.q, the most troublesome of the trio.

Most anti-virus firms ranked Netsky.q, the seventeenth in the long-running series of pernicious worms, as a "medium" threat as it took off. Symantec, for instance, raised its rating early Monday morning from a "2" to a "3" on its 1-through-5 scale, while Network Associates bumped Netsky.q up from "low" to "medium."

Netsky.q's distinguishing characteristics are a combination of social engineering first used by another worm, MyDoom, and an exploit of a three-year-old vulnerability in older editions of Internet Explorer, Microsoft's popular Web browser.

"Netsky.q poses as a problem with e-mail," noted Vincent Gullotto, the vice president in charge of Network Associates' AVERT anti-virus research team. Using the same tactic as MyDoom, Netsky.q pretends to be a message alerting users of e-mail errors, with subject heads that range from "Mail Delivery failure" to "Server Error."

Although Netsky.q includes a file attachment that infects the target machine when opened, it doesn't necessarily need users to take that step to compromise a system. On machines unpatched against 2001's "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in IE 5.01 (without SP2) and 5.5, Netsky.q will automatically execute its payload if the recipient simply views or opens the HTML e-mail.
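The two tricks described above, a bounce-style lure subject and an executable attachment whose MIME Content-Type claims to be a harmless media type (the pattern behind the 2001 IE vulnerability), are both visible in the raw message before any client renders it, which is where a mail gateway or incident responder would check for them. The following is an added example, not code from the article or from any anti-virus vendor; the subject strings come from the article, while the media-type list, extension list and the sample message are constructed for illustration.

```python
"""Gateway-style triage for the Netsky.q lure pattern described above.
Added example; the sample message below is constructed, not a real capture."""
import email
from email import policy
from email.message import EmailMessage

# Subject lines the article reports Netsky.q using (bounce-message social engineering).
BOUNCE_SUBJECTS = ("mail delivery failure", "server error")

# Attachment extensions Windows treats as directly executable (assumed list).
EXECUTABLE_EXTS = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")

# Media types an executable part may be mislabelled as so that an unpatched
# IE 5.01/5.5 renders it as inline content (assumed list for the example).
BENIGN_LOOKING_TYPES = ("audio/x-wav", "audio/x-midi", "image/gif", "text/plain")


def part_findings(msg):
    """Flag executable attachments, and especially ones whose declared
    Content-Type contradicts the executable file name."""
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = (part.get_filename() or "").lower()
        is_exec = name.endswith(EXECUTABLE_EXTS)
        if is_exec and ctype in BENIGN_LOOKING_TYPES:
            findings.append(f"executable '{name}' declared as {ctype} (MIME-header mismatch)")
        elif is_exec:
            findings.append(f"executable attachment '{name}'")
    return findings


def analyze(raw_bytes):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    subject = (msg["subject"] or "").lower()
    if any(s in subject for s in BOUNCE_SUBJECTS):
        findings.append(f"bounce-style lure subject: {msg['subject']!r}")
    findings.extend(part_findings(msg))
    return findings


def build_sample(lure=True):
    """Construct a sample message. With lure=True it imitates the structure the
    article describes; with lure=False it is an ordinary mail with a text attachment."""
    msg = EmailMessage()
    msg["From"] = "postmaster@example.com"  # constructed addresses
    msg["To"] = "user@example.com"
    if lure:
        msg["Subject"] = "Mail Delivery failure"
        msg.set_content("<p>Your message could not be delivered.</p>", subtype="html")
        # Bytes labelled audio/x-wav but named as an executable: the mismatch
        # the old IE MIME-header flaw was abused through. Not a real binary.
        msg.add_attachment(b"MZ constructed placeholder, not an executable",
                           maintype="audio", subtype="x-wav", filename="message.exe")
    else:
        msg["Subject"] = "Lunch tomorrow"
        msg.set_content("See attached notes.")
        msg.add_attachment("agenda items", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for verdict in analyze(build_sample(lure=True)):
        print("FLAG:", verdict)
    print("clean message findings:", analyze(build_sample(lure=False)))
```

The mismatch check is the useful part: a gateway that only keys on subject lines would miss the same attachment under a different lure, while a Content-Type that says "audio" for a file named `.exe` has no legitimate reason to exist and is cheap to block or quarantine outright.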

"This is a very old exploit, but the tactic is just a natural migration of worm tricks," said Gullotto. "With so many of these 'family' threats out on the Internet, people are getting leery of double-clicking on an attachment. This is a way for worm writers to get their payload by the user."

Most of the early reports of Netsky.q came from Japan, Gullotto said, which is unusual. He theorized that the worm writer may have initially infected several systems in Japan which had been previously compromised by other malicious code to open back doors through which the worm could be planted.

Machines infected with Netsky.q will start beeping as of 5:11 a.m. local time on Tuesday, March 30 -- making it relatively easy for users to know if their system has been compromised -- and on April 8-11 will conduct a denial-of-service (DoS) attack against five sites, including popular peer-to-peer software sites such as kazaa.com, emule-project.net, and edonkey2000.com.

The other new variations discovered Monday included a new Sober worm, Sober.e, and yet another Bagle, labeled as Bagle.v. Neither of those worms poses much of a threat, said Gullotto, and both are very similar to other variations.

One bright spot in the most recent worm waves, said Gullotto, is that although new variations "seem to get a quick jump out, they just as quickly die out." He suspects that hackers are seeding their creations using spam-style techniques, but the worms quickly fade into obscurity because of increased vigilance on the part of users and the fast reaction time of anti-virus firms.

But that's not to say that all's well in security land.

"These variations may be more of the same, but they're not going to slow down any time soon," he said. "What worries me more is that inevitably a new family or families of worms will appear that are completely different [from Netsky, Bagle, Sober, and MyDoom]. That's what will take people by surprise."
