First it began with an onslaught of Sasser worms over the weekend. Now a Netsky variant claiming to be a fix for Sasser is on the move.
"The latest Netsky worm is incredibly sneaky in the social engineering it uses to infect innocent computer users. It knows people are panicking right now about Sasser so it presents itself as a fix for Sasser from one of several well-known antivirus firms," said Graham Cluley, senior technology consultant for U.K.-based Sophos. "All users should be wary of launching unsolicited e-mail attachments."
W32.Sasser is a family of self-executing worms that target a critical Microsoft vulnerability announced last month. The worms exploit a stack-based buffer overflow in the Local Security Authority Subsystem Service (lsass.exe), described in MS04-011, on unpatched Windows XP and Windows 2000 systems. Once running, the worm acts as an FTP server on TCP port 5554 and opens a remote shell on TCP port 9996.
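The two ports named above are the part of this description an administrator can actually check for. The following is an added example, not code from the article or from any antivirus vendor: it parses constructed `netstat -an`-style output and flags a host on which TCP 5554 or 9996 is in the LISTENING state. The sample lines are made up for the example; the port-to-description mapping is taken from the article.

```python
# Added example: flag listening TCP ports that the article attributes to Sasser
# (5554 = FTP server, 9996 = remote shell). Input format is netstat-style text.

SASSER_PORTS = {5554: "Sasser FTP server", 9996: "Sasser remote shell"}

# Constructed sample output from one host (not real captured data).
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
TCP    10.0.0.5:445           10.0.0.9:1087          ESTABLISHED
"""

# Constructed sample from a host with nothing unusual listening.
CLEAN_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
"""


def listening_ports(netstat_text):
    """Return the set of local TCP ports that are in the LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Expect: Proto, Local Address, Foreign Address, State
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        local = fields[1]
        try:
            ports.add(int(local.rsplit(":", 1)[1]))
        except (IndexError, ValueError):
            continue  # malformed address; skip rather than crash
    return ports


def sasser_indicators(netstat_text):
    """Map each Sasser-associated listening port found to its description."""
    found = listening_ports(netstat_text)
    return {port: SASSER_PORTS[port] for port in sorted(found) if port in SASSER_PORTS}


if __name__ == "__main__":
    hits = sasser_indicators(SAMPLE_NETSTAT)
    for port, what in hits.items():
        print(f"TCP {port} listening: {what}")
    if not hits:
        print("no Sasser-associated listeners")
```

A listener on either port is a prompt to isolate the machine, apply the MS04-011 patch and scan it; it is not proof on its own, since any program can bind those ports, and a patched host that shows neither port may still be infected with something else.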
The number of Sasser-infected PCs is already estimated to be in hundreds of thousands and will continue to rise, said Mikko Hypponen, director of antivirus research at F-Secure in Helsinki, Finland. He compared Sasser to the MSBlast worm. "MSBlast was one of the largest virus incidents of 2003 and even caused problems to infrastructure systems such as ATM networks and train and air travel systems," Hypponen said in a statement. "I hope administrators have improved security since then. Otherwise we might see similar problems again."
Claiming that "hundreds of infected e-mails have been sent from your mail account," W32/Netsky-AC refers not only to infections by the Sasser worm, but also NetSky-AB, Bagle-AB, Mydoom-F and MSBlast-B.
"The Netsky author is preying on users' fear of computer attack," said Cluley. "The very worst thing you can do is fall for this trick by clicking on the attached file."
The mass-mailing worm copies itself to the Windows folder and modifies the registry so that it runs at user logon. The subject line is always "escalation." It randomly chooses which antivirus vendor it pretends to be from, including Sophos, McAfee, Norman and Norton.
A message within the malicious code suggests that Sasser and Netsky were written by the same group, one calling itself Skynet.
"It's hard to be certain at the moment if the virus writers responsible for the Netsky worm also wrote Sasser. But they certainly want people to believe that it might be true. What is definite is that both Netsky and Sasser have been tremendously successful worms -- we shouldn't be too surprised if they share authors, or are working closely together."