The worm first appeared on February 17, and appears to have originated in the Netherlands. MessageLabs, an e-mail management company, claims to have stopped over 1.3 million since the virus started spreading, and believes the infection rate is increasing rapidly. Symantec have rated the worm as Category 4 - Severe. This means the worm is a dangerous threat and is difficult to contain.
The worm does require the user to open the attachment with the e-mail. "These days it's less to do with technology, with the code of the virus, and more to do with social engineering," David Banes of MessageLabs told ZDNet Australia.
Netsky.B scans the hard drives and shared drives of an infected computer for e-mail addresses and then uses its own SMTP engine to mail itself to those addresses. The worm also searches for folder names containing "share" or "sharing" and copies itself to those folders using a variety of file names.
The worm appears in the Inbox using a spoofed "from" address and a subject line chosen from one of the following: hi, hello, read it immediately, something for you, warning, information, stolen, fake, unknown. The body of the e-mail contains a variety of messages, and the attachment will normally have a double-file name or be a zip file. When the file is opened it displays a message "The file could not be opened!" before going to work.
In the last 24 hours MessageLabs stopped more than 10 times as many Netsky.B worms as MyDoom worms.
Symantec has a removal tool here.
