PandaLabs has detected the appearance of the new D variant of the Netsky worm (W32/Netsky.D.worm). This malicious code is very similar to its predecessor, Netsky.B, which has been the virus most frequently detected by the free online antivirus Panda ActiveScan over the last few days.
Netsky.D reaches computers in an e-mail message whose subject, message body and attached file are selected at random from a list of options. For more details, consult Panda Software's Virus Encyclopedia.
Netsky.D spreads by e-mail, sending itself out to all the addresses it finds in files with the extensions .eml, .txt, .php, .pl, .htm, .html, .vbs, .rtf, .uin, .asp, .wab, .doc, .adb, .tbb, .dbx, .sht, .oft, .msg, .shtm, .cgi and .dhtm. To do this it uses its own SMTP engine. Unlike the C variant, Netsky.D launches eight simultaneous threads, which means that each infected computer will send out at least eight times more infected mails.
Netsky.D deletes entries created by several worms, including Mydoom.A and Mimail.T. In addition, when the system date is March 2, 2004, the worm will make random noises between 6:00 and 8:59 in the morning.
The appearance of Netsky.D comes in addition to that of the C, D, E, F and G variants of the Bagle worm, which appeared over the weekend. "Bagle.E, in particular, is causing incidents in computers around the world according to the data collected by Panda Software's international tech support network," explains Luis Corrons, head of PandaLabs.
Bagle.E spreads via e-mail in a message with an attached file (with an icon similar to Windows Notepad) whose name is made up of random characters and carries the ZIP extension. When this file is run, the computer is infected by the worm, which then searches for e-mail addresses in files with the following extensions: WAB, TXT, HTM, HTML, DBX, MDX, EML, NCH, MMF, ODS, CFG, ASP, PHP, PL, ADB and SHT. Bagle.E also terminates several processes belonging to security applications, leaving the computer vulnerable to future attacks.
Due to the possibility of incidents involving Bagle.C, Bagle.D or Bagle.E, Panda Software has made the free PQRemove utility available to detect and remove this malicious code. This tool can be downloaded from: http://www.pandasoftware.com/download/utilities.
"With the waves of variants that are now appearing (such as Netsky.D and the Bagle 'family' which have appeared this weekend) it is probable that there are still more to come. For this reason, users should treat all e-mail received with caution and update their antivirus solutions as soon as possible," says Corrons. Panda Software has already made the updates to its products available to users to ensure their solutions can detect and eliminate Netsky.D and the Bagle variants. Those whose software is not configured to update automatically should update their solutions from http://www.pandasoftware.com. Similarly, users can also detect and disinfect this and other malicious code using the free online antivirus Panda ActiveScan, which is also available on the company's website at http://www.pandasoftware.com.
More information on Netsky.D and the C, D, E, F and G variants of Bagle is available in Panda Software's Virus Encyclopedia.
About PandaLabs
On receiving a possibly infected file, Panda Software's technical staff get straight down to work. The file is analyzed and, depending on its type, the action taken may include disassembly, macro scanning, code analysis, etc. If the file does in fact contain a new virus, the detection and disinfection routines are prepared and quickly distributed to users.
For more information:
Lies Florentie
l.florentie@pandasoftware.be
+32 (0)2 756 08 87