How to Spot the Netsky E-Mail Virus

By ABC News
March 3, 2004, 12:19 PM

March 3 -- February (sorry, March) went out like a lion with back-to-back viruses.

The latest, w32/Netsky.C-mm, also known as i-worm.moodoom.c, has an increased vocabulary of subject, message and attachment names over the earlier Netsky.B.

Like its predecessor, Netsky.C is a mass-mailing worm/virus that uses its own SMTP (e-mail) engine to propagate. It harvests e-mail addresses from local and mapped network drives, and like the earlier version it attempts to terminate and remove MyDoom.A, MyDoom.B and Mimail.T files and processes.

Netsky.D, which arrived on March 1, shares similar characteristics, though with a shorter list of subjects, messages and file names, and is removed the same way. We'll discuss Netsky.C here mostly, and point out differences as needed.

Exploiting Human Weaknesses

Both Netsky.C and Netsky.D infect a machine only when a recipient runs an executable attachment. Netsky.C also spreads through files on peer-to-peer file-sharing services, or any service that uses a folder with "Shar" in the name. Netsky does not use vulnerabilities in browsers or e-mail clients to spread, only human vulnerabilities. You can minimize your risk by not opening attachments and not using file-sharing services. If you're on a network, mapped drives should be set to "read only" to avoid having copies of Netsky.C dropped onto them from an infected client on the network.

Other than mass mailing and dropping files on local and shared drives, Netsky, unlike MyDoom.F, is relatively harmless. We say relatively, since it does tamper with your registry and can cause performance problems both locally and on a network.

In addition to sending out copies of itself via e-mail, Netsky.C searches local and mapped network drives for folders with "Shar" in the name. When it finds such folders, typically associated with file-sharing programs like Gnutella and Kazaa, Netsky.C drops copies of itself with names that act as bait to file-sharing users.

What to Look For

One characteristic of Netsky.C is that it has expanded its pool of attachment, subject and message possibilities over earlier viruses. The newer Netsky.D has a much shorter list of possibilities, and may combine the same words with "RE:" for subjects, such as "RE: Hello." The attachments may have "your," "my" or "all" prepended to file names, such as "your_document.pif".
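The traits above (an executable attachment, a "your_"/"my_"/"all_" bait file name, a "RE:" subject) are enough for a mail gateway to hold a suspect message for review. The following is an added example, not code from the article or from any vendor; the list of executable extensions it treats as dangerous is an assumption, and the sample message is constructed.

```python
"""Heuristic screen for Netsky-style mail, added here as an example (not the
article's code). It flags the traits the article describes: an executable
attachment, a your_/my_/all_ bait name like your_document.pif, a "RE:" subject."""
import re
from email import message_from_string

# Assumption: extensions a mail gateway treats as directly executable.
EXECUTABLE_EXTENSIONS = (".pif", ".exe", ".scr", ".com", ".bat", ".cmd")
# Netsky.D-style bait names: your_/my_/all_ prefix, a word, an extension.
BAIT_NAME = re.compile(r"^(your|my|all)_[a-z]+\.[a-z]{3}$", re.IGNORECASE)


def attachment_names(raw: str) -> list[str]:
    """Return the file name of every attachment in a raw RFC 822 message."""
    msg = message_from_string(raw)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def screen_message(raw: str) -> dict[str, bool]:
    """Return which Netsky-style indicators a raw message shows."""
    subject = message_from_string(raw).get("Subject", "")
    names = attachment_names(raw)
    found = {
        "executable_attachment": any(
            n.lower().endswith(EXECUTABLE_EXTENSIONS) for n in names),
        "bait_file_name": any(BAIT_NAME.match(n) for n in names),
        "re_subject": subject.strip().upper().startswith("RE:"),
    }
    # Hold the message when an executable arrives with either naming trait.
    found["suspicious"] = found["executable_attachment"] and (
        found["bait_file_name"] or found["re_subject"])
    return found


# Constructed sample message, not a real capture.
SAMPLE = """\
Subject: RE: Hello
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see the attached file
--b1
Content-Type: application/octet-stream; name="your_document.pif"
Content-Disposition: attachment; filename="your_document.pif"

MZ
--b1--
"""
```

Calling `screen_message(SAMPLE)` marks the constructed message suspicious on all three indicators; the same message with a plain-text attachment and an ordinary subject is not flagged.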