The worm war between Bagle, Netsky and Sober authors opened another round this week, with variants of all three hitting the Internet. One in particular poses problems for administrators because of its slick social engineering. And another just surfaced that could be equally troubling.
Netsky-Q first surfaced on Sunday and in the last two days was upgraded by Symantec from a 2 to 3 on a scale of 5. Rival Network Associates raised its threat level from low to medium. Most other AV vendors have made similar adjustments as enterprise customers report infections on unprotected machines.
The 17th version of the Netsky worm exploits a 3-year-old flaw in Internet Explorer 5.01 and 5.5 to automatically execute without the need to click an e-mailed attachment. Users need only open the HTML e-mail, according to Network Associates' AVERT research center. Others with patched or more recent versions of the Windows Web browser must click on the attachment with a .pif or .zip file extension.
Meantime, Netsky-R popped up on the radar this morning, marked by message text that reads, "Excuse me, the important document is attached, Yours sincerely."
Like Mydoom, Netsky-Q arrives in an e-mail masquerading as an error message. Once executed, both variants compromised machines to launch DDoS attacks against P2P file share networks like Kazaa.com and eDonkey2000.com between April 7 and 12, according to various reports. Netsky-R also wipes out registries and tries to eliminate traces of the Bagle worm.
In an odd twist, Netsky-Q's authors embedded a message in the code that chastises their victims for falling prey to such schemes. Calling themselves SkyNet Antivirus Team, based in Russia, they claim their ultimate goal is to stop crackers and illegal file sharing.
"We don't have any criminal inspirations," according to a transcription by Sophos of an encrypted message embedded in the worm.
Similarly, Netsky-R claims to be written by the same group and chides Bagle's creators. "Netsky is Skynet, a good software, Good guys behind it. Believe me, or not. We will release thousands of our Skynet versions, as long as Bagle is there...," the authors wrote, according to Sophos.
Enterprises should follow best practices and update their AV software to counter the latest variants of all three worms, which continue to proliferate almost daily.