Netsky.q Is Most Dangerous Of Three New Worms
The 17th in the long-running series is rated as more dangerous than new versions of the Bagle and Sober worms.
New variations of several prominent and persistent lines of worms hit the Internet Monday as the wave of malicious code copycats continues.
Brand-new versions of the Netsky, Bagle, and Sober worms made it into the wild, with the Netsky variant, dubbed Netsky.q, the most troublesome of the trio.
Most anti-virus companies ranked Netsky.q, the 17th in the long-running series of pernicious worms, as a "medium" threat as it took off. Symantec Corp. raised its rating on Monday from a "2" in its 1-through-5 scale to a "3", while Network Associates bumped up Netsky.q from "low" to "medium."
Netsky.q's distinguishing characteristics are a combination of the social engineering first used by the MyDoom worm and an exploit of a 3-year-old vulnerability in older editions of Microsoft's Internet Explorer Web browser.
"Netsky.q poses as a problem with E-mail," noted Vincent Gullotto, the VP in charge of Network Associates' Avert anti-virus research team. Using the same tactic as MyDoom, Netsky.q pretends to be a message alerting users to E-mail errors, with subject lines that range from "Mail Delivery failure" to "Server Error."
Although Netsky.q includes a file attachment that infects the target machine when opened, it doesn't necessarily need users to take that step to compromise a system. On machines unpatched against 2001's "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Internet Explorer 5.01 (without Service Pack 2) and 5.5, Netsky.q will automatically execute its payload if the recipient simply views or opens the HTML E-mail.
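The two hallmarks described above, a bounce-style lure subject and an executable attachment whose declared MIME type claims it is something harmless so that an unpatched Internet Explorer renders and runs it, are both visible in the raw message before anything is opened. The following mail-gateway check is an added example written for this article, not code from Network Associates, Symantec or any vendor mentioned here. The lure subjects are the two quoted in the article, the executable-extension list and the two sample messages are constructed for the example, and the `audio/x-wav` label on the sample attachment is an assumption chosen to illustrate a non-executable content type, not a claim about the specific headers Netsky.q used.

```python
import email
import os
from email import policy

# Lure subjects quoted in the article; matched case-insensitively as substrings.
LURE_SUBJECTS = ("mail delivery failure", "server error")

# Extensions Windows treats as directly runnable (constructed list for this example).
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs"}


def classify_message(raw_bytes):
    """Return a list of (kind, detail) findings for one raw RFC 822 message.

    kinds:
      lure-subject          subject line matches a bounce/error lure
      executable-attachment attachment filename has a runnable extension
      mime-mismatch         runnable attachment declared with a non-application
                            Content-Type, the pattern the old IE MIME-header
                            vulnerability relied on to auto-execute on view
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []

    subject = (msg.get("Subject") or "").strip().lower()
    if any(lure in subject for lure in LURE_SUBJECTS):
        findings.append(("lure-subject", subject))

    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue
        ext = os.path.splitext(filename)[1].lower()
        if ext not in EXECUTABLE_EXTS:
            continue
        findings.append(("executable-attachment", filename))
        ctype = part.get_content_type()
        if not ctype.startswith("application/"):
            findings.append(("mime-mismatch", f"{filename} declared as {ctype}"))
    return findings


# Constructed sample: a bounce-style lure carrying a runnable attachment
# labelled as audio (assumed label for illustration only).
SAMPLE_LURE = b"""From: postmaster@example.invalid
To: user@example.invalid
Subject: Mail Delivery failure
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body>Your message could not be delivered.</body></html>
--b1
Content-Type: audio/x-wav; name="message.scr"
Content-Disposition: attachment; filename="message.scr"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: an ordinary message with a correctly labelled PDF.
SAMPLE_BENIGN = b"""From: alice@example.invalid
To: bob@example.invalid
Subject: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

See attached.
--b2
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--b2--
"""

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, classify_message(sample))
```

The subject check alone would produce false positives on genuine bounces, so the mismatch finding is the one worth alerting on by itself; the other two are best used together or as enrichment for a quarantine decision.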
"This is a very old exploit, but the tactic is just a natural migration of worm tricks," said Gullotto. "With so many of these 'family' threats out on the Internet, people are getting leery of double-clicking on an attachment. This is a way for worm writers to get their payload by the user."
Most of the early reports of Netsky.q came from Japan, Gullotto said, which is unusual. He theorized that the worm writer initially may have infected several systems in Japan that had been previously compromised by other malicious code to open backdoors through which the worm could be planted.
Machines infected with Netsky.q will start beeping as of 5:11 a.m. local time on Tuesday, March 30, making it relatively easy for users to know if their system has been compromised, and on April 8-11 will conduct a denial-of-service attack against five sites, including popular peer-to-peer software sites such as kazaa.com, emule-project.net, and edonkey2000.com.
The other new variations discovered Monday included a new Sober worm, Sober.e, and yet another Bagle, labeled as Bagle.v. Neither of those worms poses much of a threat, said Gullotto, and both are very similar to other variations.
One bright spot in the most recent worm waves, said Gullotto, is that although new variations "seem to get a quick jump out, they just as quickly die out." He suspects that hackers are seeding their creations using spam-style techniques, but the worms quickly fade into obscurity because of increased vigilance on the part of users and the fast reaction time of anti-virus firms.
But that's not to say all's well.
"These variations may be more of the same, but they're not going to slow down any time soon," Gullotto said. "What worries me more is that inevitably a new family or families of worms will appear that are completely different. That's what will take people by surprise."