Although it has been three months since Sven Jaschan, the author of the Netsky worms, was arrested, the worms keep spreading. No new variants have been released, but the existing ones are still circulating in the wild.
According to MessageLabs statistics, W32/NetSky.P-mm has remained in first place and W32/Netsky.Z-mm in second or third place for many months. Many other variants have occasionally made it into the MessageLabs Top Ten Virus Threats during July and August:
- W32/NetSky.B-mm: 10th July, 15th July, 30th July, 2nd August, 13th August, 16th August, 26th August, 30th August (8 times)
- W32/NetSky.C-mm: 7th July, 10th July, 19th July, 26th July, 26th August (5 times)
- W32/NetSky.D-mm: 3rd July, 6th July, 7th July, 9th July, 31st July, 2nd August, 11th August, 16th August, 17th August, 24th August (10 times)
- W32/NetSky.K-mm: 26th July
- W32/NetSky.Q-mm: 13th August, 19th August, 30th August (3 times)
- W32/NetSky.S-mm: 17th July
- W32/NetSky.AB-mm: 7th July, 21st July (2 times)
F-Secure also reports that Netsky variants are persistent and prevalent.
It is painful for network administrators to handle complaints from users who keep receiving either emails containing NetSky variants or rejection emails from other email gateways that incorrectly bounce the infected messages to the forged sender's address. The volume of these misdirected warnings even rivals the spam clogging our inboxes.
Some advocate that email anti-virus gateways should not warn the sender when a virus is detected, but this contravenes the SMTP standard and makes email even less reliable than it is now. Messages can simply disappear, with no clue as to their fate.
To combat the problem, email anti-virus gateways should be modified to return a rejection error code at the end of the DATA phase when they detect a virus, instead of generating a new message that gets sent to the (possibly forged) envelope sender address. Thus, the sending SMTP client is clearly informed that the message has not been accepted for delivery before the connection is closed.
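The difference between the two gateway behaviours can be seen in a small simulation. This is an added example, not code from any gateway product: the host names, addresses, the `is_infected` hook, the test marker and the choice of `554 5.7.1` as the rejection reply are all assumptions made for illustration.

```python
SIGNATURE = "CONSTRUCTED-TEST-SIGNATURE"  # constructed marker, not a real virus pattern

def is_infected(body):  # hypothetical hook; a real gateway calls its AV engine here
    return SIGNATURE in body

def smtp_session(client_lines, reject_in_session=True):
    """Minimal SMTP receiver (no networking). Returns (replies, bounces):
    replies sent on this connection, and messages the gateway would
    generate, as (recipient, subject) tuples."""
    replies, bounces = ["220 gw.example ESMTP"], []
    sender, rcpts, body, in_data = None, [], [], False
    for line in client_lines:
        if in_data:
            if line != ".":
                body.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
                continue
            in_data = False  # a lone "." ends the DATA phase; the verdict goes out now
            infected = is_infected("\n".join(body))
            if infected and reject_in_session:
                replies.append("554 5.7.1 Message rejected: virus detected")  # client is told
            else:
                replies.append("250 2.0.0 Message accepted")
                if infected:  # accept-then-bounce: the notice goes to the forged sender
                    bounces.append((sender, "Virus found in your message"))
            sender, rcpts, body = None, [], []
            continue
        verb = line.upper()
        if verb.startswith(("HELO", "EHLO")):
            replies.append("250 gw.example")
        elif verb.startswith("MAIL FROM:"):
            sender = line[10:].strip().strip("<>")
            replies.append("250 2.1.0 Sender ok")
        elif verb.startswith("RCPT TO:"):
            rcpts.append(line[8:].strip().strip("<>"))
            replies.append("250 2.1.5 Recipient ok")
        elif verb == "DATA" and sender and rcpts:
            in_data = True
            replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
            break
        else:
            replies.append("503 5.5.1 Bad sequence or unknown command")
    return replies, bounces

# Constructed session: an infected host forges victim@example.org as envelope sender.
WORM_SESSION = ["EHLO infected-pc.example", "MAIL FROM:<victim@example.org>",
                "RCPT TO:<user@corp.example>", "DATA", "Subject: Re: document", "",
                SIGNATURE, ".", "QUIT"]
```

With `reject_in_session=True` the only party informed is the connecting client, and `bounces` stays empty; with `False` the gateway produces a new message addressed to `victim@example.org`, who never sent anything.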
While the Netsky variants and other similar mass-mailing worms are still in the wild, the headache continues.