Antivirus experts recommend that Microsoft Windows users immediately apply security patches to protect their systems from the latest worm threat. Unlike its many predecessors, Netsky-V spreads without using e-mail attachments to infect users. Details on which flaws the worm exploits haven't been released.
"Virus writers know that large corporations are now blocking many different types of files at the gateway," said Bruce Hughes, director of malicious code research at Carlisle, Pa.-based ICSA Labs. "They need to come up with new ways to get the malware onto corporate desktops. They can do this by sending an embedded hyperlink within a message that can quickly be changed. Add the fact that it uses an exploit that downloads the malware and autoexecutes it, and we have a very dangerous situation."
According to Lynnfield, Mass.-based Sophos Inc., "These loopholes enable Netsky to infect users who perform no other action besides just reading the e-mail. E-mails containing the exploit attempt to download a copy of the worm from another user's computer."
Netsky-V sends e-mails containing an exploit that attempts to download and execute a remote file, Sophos said. It copies itself to the Windows folder as KasperskyAVEng.exe and adds a registry entry so that it starts on user logon. Panda Software Inc., of Glendale, Calif., said that Netsky-V installs a backdoor that listens on TCP ports 5556 and 5557, and is designed to launch denial-of-service attacks against Kazaa and other Web sites between April 22 and 28.
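The indicators reported above (the dropped file name, a logon autorun entry, and listeners on TCP 5556 and 5557) can be turned into a quick host triage check. The sketch below is an added example, not code from Sophos, Panda or the article; it assumes the responder has already collected `netstat -an` output, a listing of the Windows folder, and the logon autorun command lines, and all sample data in it is constructed.

```python
# Indicators as reported in the article (Sophos and Panda Software).
DROPPED_NAME = "kasperskyaveng.exe"   # compared case-insensitively
BACKDOOR_PORTS = {5556, 5557}

# Constructed sample inputs, not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5556           0.0.0.0:0              LISTENING
  TCP    10.0.0.12:49512        10.0.0.5:5557          ESTABLISHED
  TCP    [::]:5557              [::]:0                 LISTENING
"""
SAMPLE_WINDOWS_DIR = ["explorer.exe", "notepad.exe", "KasperskyAVEng.exe"]
SAMPLE_AUTORUNS = [r"C:\WINDOWS\system32\ctfmon.exe", r"C:\WINDOWS\KasperskyAVEng.exe"]


def listening_ports(netstat_text):
    """Return local TCP ports in LISTENING state from `netstat -an` text."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Shape: TCP <local addr:port> <remote addr:port> LISTENING [pid]
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        if fields[3].upper() != "LISTENING":
            continue  # an outbound connection to a remote port 5557 is not a listener
        # rpartition also handles IPv6 forms such as [::]:5557
        port = fields[1].rpartition(":")[2]
        if port.isdigit():
            ports.add(int(port))
    return ports


def triage(netstat_text, windows_dir_listing, autorun_commands):
    """Return findings that match the reported Netsky-V indicators."""
    findings = []
    for port in sorted(listening_ports(netstat_text) & BACKDOOR_PORTS):
        findings.append(f"listener on TCP {port}")
    if any(name.strip().lower() == DROPPED_NAME for name in windows_dir_listing):
        findings.append("KasperskyAVEng.exe present in Windows folder")
    for cmd in autorun_commands:
        if DROPPED_NAME in cmd.lower():
            findings.append(f"logon autorun references {cmd}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_WINDOWS_DIR, SAMPLE_AUTORUNS):
        print(finding)
```

A port match on its own is only a lead, since other software can listen on 5556 or 5557; the file name and autorun entry together with a listener make a much stronger case.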
Sophos, a provider of antivirus and antispam products, recommends that IT managers monitor announcements from operating system, application and Web server software vendors for details of new vulnerabilities found in their code, because malicious code often exploits vulnerabilities to increase its chances of spreading effectively.
"IT managers should keep abreast of these loopholes and apply patches where appropriate before new viruses come along to exploit them," said Graham Cluley, senior technology consultant at Sophos.