Three education portals remain the focus of the latest Netsky variant, which targets the sites for a distributed denial-of-service attack in early May.
Antivirus experts are baffled as to why the three sites, located in Florida, Switzerland and Germany, have the ire of the worm writer. Nonetheless enterprises are cautioned to guard against opening suspicious e-mail attachments, else they could inadvertently take part in the attacks.
As of Friday morning, all three portals were live on the Internet and it was unknown whether any had plans to switch IP addresses in order to sidestep the DDoS attack.
Netsky, meanwhile, extends its reign as the most prevalent malicious code of 2004. This is the 26th variant, and previous versions have spread either via e-mail or by exploiting holes in Microsoft software. They have attacked file-sharing networks like Kazaa with DDoS attacks and kicked off a worm war with the writers of the Bagle family of malicious code.
Netsky-Z, like most of its predecessors, spreads via e-mail using common subjects lines like "Hi," "Document," "Important" and "Information." Messages are short and try to entice the recipient with alarming text like "Important bill" "Important notice" or "Important document" among others. The subject lines and messages are randomly generated.
The worm is packed in a zip file that goes by several different names like Bill.zip, Important.zip and Details.zip. The zip archive that contains the worm is not password protected. The worm's file name is a double file extension -- .txt. followed by many spaces then .exe. Enterprises could filter for these file names at the gateway, provided their antivirus protection is enabled to examine the contents of a zip file.
If executed, the worm installs itself in the Windows directory as JAMMER2ND.EXE, according to Network Associates. It also begins harvesting e-mail addresses from the victim's machine to send itself out via its SMTP engine. The worm spoofs the sender's address as it propagates. It also opens a listening port on TCP 665, according to Sophos.
Finally, the worm is set to launch a DDoS attack between May 2 and May 5 on educa.ch, medinfo.ufl.edu and nibis.de, which were also targeted by three previous Netsky worms.
"Whoever is behind the last three variants has a grudge against these three sites," said Sophos senior technology consultant Graham Cluley. "But we are baffled as what they have against them. These are three geographically disparate Web sites, and it's not as if they are institutions where you can study."
Where Netsky-Z is an e-mail worm, it may be easier to combat, Cluley said. Netsky-V, for example, spread and infected machines automatically be exploiting an object validation flaw in Microsoft Outlook and Internet Explorer. It then installed a backdoor that opened TCP ports 5556 and 5557 and was set to launch a DDoS attack against file-sharing sites kazaa.com, emule.de, cracks.am, freemule.net and keygen.us, starting yesterday through April 28.
"Most previous versions required a double-click," Cluley said. "It would appear the writer has returned to his roots with this one [Netsky-Z]."