The Netsky-B worm took off quickly but has crashed back down to earth.
The worm came on strongly in Europe on Wednesday morning, but it never gained a lot of traction. Its progress certainly pales compared with Mydoom-A, which is the most infectious worm so far this year.
"It looks like it peaked yesterday," said Bruce Hughes, director of malicious code research at ICSA Labs, of Netsky-B. "It's nothing special, just a typical mass mailer."
Netsky-B travels as an attachment to e-mail messages. It can also copy itself via network shares. The worm employs a variety of subject lines and message bodies. "It has a little better social engineering than other worms," said Chris Belthoff, senior security analyst at Lynnfield, Mass.-based Sophos Inc. "But it's nothing terribly sophisticated."
Subjects include "hello," "read it immediately" and "something." The body of the message says "anything ok," "is that true?" or "here is the document."
The attached worm usually arrived as an executable file with a double extension such as ".rtf.pif," which should have looked suspicious to users. Windows Explorer hides the .pif extension by default, however, so the attachment could appear to be a plain .rtf document once saved.
Given the traction Netsky-B gained, however minor, at least a few people evidently opened and executed the attachment. The worm can spread further by copying itself to shared drives: it searches drives C through Z for folder names containing the words "Share" and "Sharing," then copies itself into those folders under a variety of enticing names, such as "programming basics.doc.exe," "cool screensaver.scr" and "winxp_crack.exe."
Netsky-B may have gotten into companies that have abandoned the practice of blocking executable files at the gateway.
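The two defences the article points at, refusing runnable attachments at the mail gateway and checking share folders for dropped copies, are shown below as an added example; this is illustrative code written for this page, not a Netsky-B sample or any vendor's product. The extension lists, the case-insensitive match on folder names, and the sample attachment names and folder tree are constructed assumptions (the file and folder names reuse the ones quoted above).

```python
"""Gateway-style attachment filter and share-folder sweep for the
Netsky-B tricks described above.  Added example; not the article's or
any product's code.  Extension lists are illustrative, not exhaustive.
"""
import os

# Extensions Windows runs directly when double-clicked (assumed list).
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js"}
# Extensions a user expects to open in a viewer rather than execute.
DOCUMENT_EXTS = {"doc", "rtf", "txt", "pdf", "xls", "htm", "html", "jpg", "gif"}
# Folder-name fragments the worm looks for; matched case-insensitively here.
SHARE_MARKERS = ("share", "sharing")


def classify_attachment(filename):
    """Return (verdict, reason) for one attachment name.

    verdict is "block" or "allow".  Every runnable extension is blocked,
    which is the gateway policy the article recommends.  A document
    extension sitting in front of a runnable one is reported separately
    because that is the ".rtf.pif" double-extension trick.
    """
    # Windows ignores case and trailing spaces/dots in file names, so
    # normalise before splitting; otherwise "x.exe " slips past ".exe".
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return ("allow", "no extension")
    ext = parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return ("allow", "." + ext + " is not runnable")
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return ("block", "double extension: ." + parts[-2] + " masks ." + ext)
    return ("block", "runnable extension ." + ext)


def find_dropped_executables(tree):
    """Scan (folder, [filenames]) pairs, shaped like os.walk() output,
    and return runnable files found in folders whose name contains a
    share marker, the places the worm copies itself to.
    """
    hits = []
    for folder, filenames in tree:
        base = folder.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1].lower()
        if not any(marker in base for marker in SHARE_MARKERS):
            continue
        for name in filenames:
            verdict, reason = classify_attachment(name)
            if verdict == "block":
                hits.append((os.path.join(folder, name), reason))
    return hits


def scan_drive(root):
    """Live wrapper: sweep a real directory tree with os.walk()."""
    return find_dropped_executables((d, files) for d, _, files in os.walk(root))


# Constructed sample input using the names quoted in the article.
SAMPLE_ATTACHMENTS = [
    "document.rtf.pif",
    "programming basics.doc.exe",
    "cool screensaver.scr",
    "winxp_crack.exe",
    "quarterly report.doc",
    "photo.jpg",
]

# Constructed stand-in for os.walk() output; "src" is runnable content
# outside a share folder and must not be reported.
SAMPLE_TREE = [
    ("C:/Users/Public/Share", ["winxp_crack.exe", "readme.txt"]),
    ("C:/Projects/File Sharing", ["programming basics.doc.exe"]),
    ("C:/Projects/src", ["build.bat"]),
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(name, "->", classify_attachment(name))
    for path, reason in find_dropped_executables(SAMPLE_TREE):
        print(path, "->", reason)
```

Note that "share" is not a substring of "sharing", which is why both markers are listed; a sweep that only matched "share" would miss a "File Sharing" folder. The gateway classifier deliberately blocks on the final extension alone rather than trying to decide whether a given double extension is "deceptive enough", since the worm's own names show that any runnable attachment is the problem.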
"We have a name for companies who think they have a business reason for allowing self-extracting executable files in," said Roger Thompson, vice president of product development at PestPatrol Inc., a Carlisle, Pa.-based developer of security tools. "We call them 'victims.'"
There are ways to safely send executable files that do not put companies at risk of getting worms, Thompson said. Double zipping the files is one such method.