Sponsor for PC Pals Forum

Author Topic: Netsky author signs out with final variant  (Read 1203 times)

Offline Clive

  • Administrator
  • *****
  • Posts: 73987
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
Netsky author signs out with final variant
« on: March 10, 2004, 12:10 »
Munir Kotadia
ZDNet UK
March 09, 2004, 13:25 GMT
 
The latest variant of the Netsky worm, which is the eleventh in less than a month, will be the last, according to a coded message from the worm's author.

Netsky.K was discovered on Monday and security researchers found an unexpected message from the author within its code; although the authors of Netsky, Bagle and MyDoom have been engaged in a flame war for the past couple of weeks, this latest variant differs because it not only contains the usual insults to other virus writers, but also a message saying this would be the last Netsky variant.

Although the Netsky worm has caused misery for users, it is not malicious in the same way as Bagle and MyDoom, which have been designed for the sole purpose of transforming unprotected PCs into an army of spam senders. Recent versions of Netsky have actually attacked and removed the Bagle worm and the author of Netsky refers to his team as "antivirus" writers.

Mikko Hyppönen, director of antivirus research at Finnish company F-Secure, told ZDNet UK that the authors of Netsky are under the impression they are good guys because they attack other worms: "The guy behind Netsky thinks he is doing a good thing -- most likely a teenager and probably just one guy who is not part of a group of criminals."

In Netsky.K's code the author writes: "We want to destroy malware writers business [sic], including MyDoom & Bagle? To F-Secure and so on, we do not want damage systems? We have respect of your work (Your heuristic scan is not good enough! Make it better). This is the last version of our antivirus. The source code is available soon."

Hyppönen said he expects the Netsky author to stick to his word and stop releasing new variants: "We have no reason to doubt it, so I would be surprised if it isn't true."

A new version of the Bagle worm, Bagle.L, was discovered on Tuesday. According to antivirus firm Panda Software this worm contains a back door, which opens the TCP port 2745. Infected computers attempt to connect to an Internet address that hosts a PHP script. According to Panda, this is how the worm notifies its author that another computer has been infected.

Hyppönen said the behaviour of the latest Bagle worm is suspiciously similar to that of the original MyDoom worm, which so successfully launched a DDoS attack on the SCO.com Web site. He suspects that Bagle and MyDoom are written if not by the same person, then by the same team of coders: "This family of Trojans have been used by spammers for several months. When MyDoom was distributed at the end of January, it left a back door. Through that back door they installed a specific Trojan and after a few days we started seeing spam being sent through those computers. The Bagle we found today drops the same Trojan. We are starting to think that it is the same group of people behind both Bagle and MyDoom," he said.

 
http://news.zdnet.co.uk/0,39020330,39148153,00.htm

I received one Netsky C and one Netsky D in this morning's post.

Offline Michelle

  • Forum Fanatic
  • ******
  • Posts: 5242
    • Techieminx
Re:Netsky author signs out with final variant
« Reply #1 on: March 10, 2004, 16:53 »
AVG removed Netsky D from my puter this evening.

I think I am going through the alphabet, I don't think I've had the pleasure of K yet.

 >:(
Out of all the things I've lost .......I miss my mind the most!!

Offline Clive

  • Administrator
  • *****
  • Posts: 73987
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
Re:Netsky author signs out with final variant
« Reply #2 on: March 10, 2004, 17:36 »
Thank goodness Netsky-K was the last in the series!  

Here are the details for Netsky-L


W32/Netsky-L
Type: Win32 worm
 
Sophos has received several reports of this worm from the wild.
 
Description
W32/Netsky-L is a worm that arrives in an email with the following characteristics:
Subject line: one of the following -
Re: Important
Re: Your document
Re: Your details
Re: Approved
Message text: one of the following -
Your file is attached.
Please read the document.
Your document is attached.
Please read the attached file.
Please see the attached file for details.

The attached filename has the following construction:
<word>_<user name of recipient>.pif
or
<user name of recipient>.pif
where <word> is one of:
your_file_
details_
document_

and the user name is taken from the string preceding the "@" in the recipient's email address.

For example if the recipient's email address is Joe.Bloggs@example.com then the attached file could be details_Joe.Bloggs.pif

When W32/Netsky-L is run a copy will be created in the Windows folder with the filename AVprotect.exe and the following registry entry will be created so that the worm is run when the victim logs on to Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\HtProtect
 

http://www.sophos.com/virusinfo/analyses/w32netskyl.html
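As an added illustration, not part of Clive's post or of the Sophos analysis he quotes: a small Python checker that applies the Netsky-L indicators listed above (subject lines, body text, the <word>_<user>.pif attachment naming derived from the recipient's address, and the AVprotect.exe / HtProtect Run-key persistence) to constructed sample messages and to a constructed snapshot of a Run key. The sample messages, the function names and the scoring rule (attachment match plus at least one lure-text match before calling something Netsky-L-like) are my own assumptions, not anything Sophos published.

```python
"""Apply the W32/Netsky-L indicators from the Sophos write-up to mail and host data.

Indicator strings are copied from the Sophos description; the message samples,
the scoring rule and the Run-key snapshot below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lure text used by the worm (verbatim from the Sophos description).
SUBJECTS = {"Re: Important", "Re: Your document", "Re: Your details", "Re: Approved"}
BODIES = {
    "Your file is attached.",
    "Please read the document.",
    "Your document is attached.",
    "Please read the attached file.",
    "Please see the attached file for details.",
}
# <word> prefixes; the worm appends the recipient's user name and ".pif".
PREFIXES = ("your_file_", "details_", "document_")

# Host persistence described by Sophos: copy in the Windows folder plus a Run value.
PERSIST_FILE = "AVprotect.exe"
PERSIST_RUN_VALUE = "HtProtect"


@dataclass
class Message:
    recipient: str
    subject: str
    body: str
    attachment: Optional[str]  # attachment file name, or None


def local_part(address: str) -> str:
    """User name as the worm derives it: everything before the '@'."""
    return address.split("@", 1)[0]


def attachment_matches(recipient: str, attachment: Optional[str]) -> bool:
    """True if the name is <word>_<user>.pif or <user>.pif for *this* recipient."""
    if not attachment or not attachment.lower().endswith(".pif"):
        return False
    stem = attachment[: -len(".pif")]
    user = local_part(recipient)
    # Case-insensitive compare (assumption): mail systems often fold address case.
    if stem.lower() == user.lower():
        return True
    return any(stem.lower() == (p + user).lower() for p in PREFIXES)


def classify(msg: Message) -> Dict[str, object]:
    """Score one message against the Netsky-L profile.

    Lure text alone is generic ("Re: Important" is a real subject line), so the
    rule (my assumption) requires the recipient-derived .pif attachment plus at
    least one lure-text hit before reporting 'netsky-l-like'.
    """
    hits: List[str] = []
    if msg.subject.strip() in SUBJECTS:
        hits.append("subject")
    if msg.body.strip() in BODIES:
        hits.append("body")
    if attachment_matches(msg.recipient, msg.attachment):
        hits.append("attachment")
    if "attachment" in hits and len(hits) >= 2:
        verdict = "netsky-l-like"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits}


def persistence_hit(run_values: Dict[str, str]) -> bool:
    """Check an exported HKLM\\...\\CurrentVersion\\Run snapshot for the worm's entry.

    run_values maps value name -> command line, as you would collect offline
    (e.g. from a reg export). Matches the HtProtect value pointing at AVprotect.exe.
    """
    for name, cmd in run_values.items():
        if name.lower() == PERSIST_RUN_VALUE.lower() and PERSIST_FILE.lower() in cmd.lower():
            return True
    return False


# Constructed sample messages (not real captures).
SAMPLES = [
    Message("Joe.Bloggs@example.com", "Re: Your details",
            "Please read the attached file.", "details_Joe.Bloggs.pif"),
    Message("alice@example.com", "Re: Approved", "Your file is attached.", "alice.pif"),
    Message("bob@example.com", "Re: Important", "Minutes from Monday attached.", "minutes.pdf"),
    Message("carol@example.com", "Lunch?", "Tomorrow at 12?", None),
    # .pif named for a different user: lure text matches, attachment rule does not.
    Message("dave@example.com", "Re: Your document", "Your document is attached.", "document_erin.pif"),
]

# Constructed Run-key snapshot: one benign value, one matching the Sophos description.
RUN_SNAPSHOT = {
    "SoundMan": r"C:\WINDOWS\SOUNDMAN.EXE",
    "HtProtect": r"C:\WINDOWS\AVprotect.exe",
}

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.recipient:25} {m.attachment!s:25} -> {classify(m)}")
    print("Run-key persistence present:", persistence_hit(RUN_SNAPSHOT))
```

The attachment rule is deliberately tied to the recipient address rather than to a fixed list of file names: that is what distinguishes the worm's mail from an ordinary .pif attachment, and a copycat variant that keeps the naming scheme but changes the subject lines would still trip it.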

Offline Clive

  • Administrator
  • *****
  • Posts: 73987
  • Won Quiz of the Year 2015,2016,2017, 2020, 2021
Re:Netsky author signs out with final variant
« Reply #3 on: March 11, 2004, 15:49 »
More NetSky worms. So much for quitting
By John Leyden
Posted: 11/03/2004 at 12:58 GMT

Two new NetSky worms appeared on the scene yesterday, despite a promise by the original author this week to refrain from releasing any more versions.

Differences in the code of NetSky-L and NetSky-M from their 11 older siblings have led anti-virus researchers to suspect that they are the work of a copycat. This suggests the source code of the virus has been leaked.

Text hidden inside NetSky-K said that it would be "the last version", but warned that the source code would be "available soon". Releasing the source code would make it far easier for other viruswriters to create new versions of the worm, such as NetSky-L.

Like previous versions, Netsky-L spreads by email as an attachment. But it contains a number of significant differences from its predecessors.

Carole Theriault, a security consultant at AV firm Sophos, told El Reg that unlike earlier variants, Netsky-L contains no mention of 'Skynet', does not try and disinfect the Bagle worm, and contains no hidden text slagging off Bagle's author.

It could be the NetSky author is just playing games and hasn't quit at all. Theriault considers this as possible but unlikely even though she acknowledges that her tentative conclusions are based on circumstantial evidence.

Security watchers are yet to confirm the release of the source code of NetSky, but if the original author has kept to his promise and released blueprints for the virus then this might result in the creation of more mutations. And these might come at an even faster rate if more people have access to plans on how NetSky is built.

AV firms rate NetSky-L, which is spreading slowly, as low risk. NetSky-M is even rarer. Previous versions of the worm - in particular NetSky-D - remain a far more potent threat. ®

http://www.theregister.co.uk/content/56/36187.html

