The worm, dubbed Netsky.b, uses spoofed "from" addresses and a wide range of subject headings and message text to trick recipients into opening the accompanying attached file.
"Netsky.b is like a cluster bomb," said Ken Dunham, a security analyst with iDefense. "It spreads to various networks via E-mail, then erupts on the network through shared files. Networks infected with this worm will likely experience a dramatic outbreak, while others may not see much of it at all."
Among its possible subject lines, Netsky.b may display "hello," "read immediately," and "warning." The file attachment comes with a double extension-- the first of which shows innocuous file types such as .txt, .doc, .rtf, or .htm--as another way to get around anti-virus defenses and/or users who know not to open potentially dangerous attachments in .exe, .scr, .com, or .pif formats.
Once into a PC, the worm hijacks E-mail addresses to propagate to other machines, and copies itself into Windows directories with "share" or "sharing" in their names. From there, the worm can spread to other computers with rights to files in those directories.
Symantec immediately pegged Netsky.b as a level 3 threat--the anti-virus company uses a 1 through 5 scale to note the potential danger of a worm or virus--and later in the day raised its warning level to "4." Network Associates labeled it as a "medium" threat.
Although Symantec's rating is unusually high--the last worm to rate a "4" was the original MyDoom in late January - the number of Netsky.b submissions from its customers have been fewer than a tenth of those seen for MyDoom on its first day.
Users should follow the traditional advice given by security firms to stymie the new worm: don't open unanticipated file attachments and update security software with the most recent anti-virus definition files.