Network Computing is part of the Informa Tech Division of Informa PLC

Netsky.q Most Dangerous Of Three New Worms: Page 2 of 3

Although Netsky.q includes a file attachment that infects the target machine when opened, it doesn't necessarily need users to take that step to compromise a system. On machines unpatched against 2001's "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in IE 5.01 (without SP2) and 5.5, Netsky.q will automatically execute its payload if the recipient simply views or opens the HTML e-mail.

"This is a very old exploit, but the tactic is just a natural migration of worm tricks," said Gullotto. "With so many of these 'family' threats out on the Internet, people are getting leery of double-clicking on an attachment. This is a way for worm writers to get their payload by the user."

Most of the early reports of Netsky.q came from Japan, Gullotto said, which is unusual. He theorized that the worm writer may have initially infected several systems in Japan which had been previously compromised by other malicious code to open back doors through which the worm could be planted.

Machines infected with Netsky.q will start beeping as of 5:11 a.m. local time on Tuesday, March 30 -- making it relatively easy for users to know if their system has been compromised -- and on April 8-11 will conduct a denial-of-service (DoS) attack against five sites, including popular peer-to-peer software sites such as kazaa.com, emule-project.net, and edonkey2000.com.

The other new variations discovered Monday included a new Sober worm, Sober.e, and yet another Bagle, labeled as Bagle.v. Neither of those worms poses much of a threat, said Gullotto, and both are very similar to other variations.