The traction gained by the Netsky-C worm is yet another reason for companies to consider blocking .zip files at the gateway, or at least scan them for executable code.
Netsky-C came on strong Wednesday. Antivirus vendor Trend Micro Inc. raised it to a high alert. McAfee Security has it at listed as a medium risk. Symantec Corp. has it at a "moderate" threat.
"We are seeing increasing numbers of Netsky-C, starting this afternoon," said Bruce Hughes, director of malicious code research at Herndon, Va.-based TruSecure Corp. "This is yet another example that new, unknown, undetected worms are finding success in using .zip file extensions, and this file extension can no longer be known as a safe, acceptable file to allow through e-mail gateways."
Netsky-C is just the latest in a series of recent worms, including Mydoom-A and Mydoom-F, that have traveled as .zip files to sneak past antivirus scanners. Businesses often have to send .zip files, so they let them through. In fact, not long ago, people were advised to zip, or compress, screensaver and .exe files before e-mailing them to companies that strip files with such extensions.
"What you really need is a scanner that can look inside the .zip file, something to say, 'Hold on here; this is really an executable file," said Roger Thompson, vice president of product development at PestPatrol Inc., a Carlisle, Pa.-based developer of security tools.
Netsky-C has a number of characteristics in common with its brethren, though its ability to spread is better. For example, the new variant searches more file types for e-mail addresses to harvest, shoots itself out to those addresses, and spoofs the From line to obscure its origin.
The worm tries to avoid tipping off the antivirus companies by not sending copies of itself to addresses containing a series of words, such as "f-secur," "aspersky," and "antiv."
Netsky-C also tries to remove Mydoom-A and -B worms from infected systems, said Craig Schmugar, virus research manager at McAfee AVERT. "We have seen this before, with the Nachi worm. An author, for some reason or another, creates a virus that targets another one," he said.
There are some indications that Netsky-C was created to be a disinfecting worm. In fact, the author wants it to be called SkyNet. (Antivirus companies generally don't use the name that the author intended, because they don't like to give worm writers credit.)
The worm has been able to spread because of the simplicity of its subject lines and message text, said Keith Peer, CEO of Medina, Ohio-based Central Command Inc. Users are more likely to open an attachment if the message says something simple, such as "important?" or "read the details." Netsky-C's subject lines generally follow a similar theme, using text such as "re:" and "hello."
"It's enticing them with sheer simplicity," Peer said.
Blocking the worm using content filtering isn't workable, because the worm uses so many common subject lines. "More complex social engineering usually involves static messages, which can be blocked easily," Peer said. "It's not the case here."
Netsky-C also can spread through network drives with folders containing the text "shar." If such folders are found, the worm copies itself to them, using a host of file names, including "Microsoft Office 2003 Crack.exe," "Win Longhorn Beta.exe" and "Screensaver.scr."
Unlike Netsky-B, the new variant does not display a bogus error message when it infects a system. It also tries to stop the Mydoom worm by deleting its startup keys in the registry.
To keep free of Netsky-C infection, users should use safe computing techniques and avoid opening e-mail attachments, unless sure of their contents. Updating antivirus signature files is also advisable.