Panda Software reports the appearance of Netsky.X - 04/20/2004]

PandaLabs has detected the appearance of the W32/Netsky.X worm. This is
another new variant of Netsky, which so far in 2004 has caused numerous
incidents to computers around the world. Its propagation is on the increase,
although it has yet to reach alarming proportions.

Netsky.X is designed to spread, using its own SMTP engine, to as many
computers as possible. It searches for e-mail addresses to send itself to in
files with the following extensions: .eml, .txt, .php, .cfg, .mbx, .mdx,
.asp, .wab, .doc, .vbs, .rtf, .uin, .shtm, .cgi, .dhtm, .adb, .tbb, .dbx,
.pl, .htm, .html, .sht, .oft, .msg, .ods, .stm, .xls, .jsp, .wsh, .xml,
.mht, .mmf, .nch and ppt.

The X variant of Netsky is transmitted in a message with the following
characteristics:

- The e-mail address of the sender is faked to confuse the recipient.

- The message carrying the virus can appear in various languages depending
on the country indicated in the domain of the recipient's e-mail address.
So, if the domain is .de, .fi, .fr, .it, .no, .pl, .pt or .se, the message
will be in German, Finnish, French, Italian, Norwegian, Polish, Portuguese
or Swedish respectively. If there is a generic domain, the message is in
English. Curiously, if the domain is .tc (Turks and Caicos Islands), the
message includes the text "mutlu etmek okumak belgili tanimlik belge".

- It includes a file with a .pif extension which contains the worm's code.
The file size is 26,112 bytes and it is packed with "tElock".

- Whatever the language, the text encourages the user to open the
attachment.

Netsky.X is programmed to carry out a denial of service attack between April
28 and 30 2004, against www.nibis.de, www.medinfo.ufl.edu and www.educa.ch.

More information on Netsky.X is available in Panda Software's Virus
Encyclopedia.