Same old story. Click on the attachment. Worm opens hidden TCP port and downloads payload. Steals email addresses from files with these extensions: adb, asp, cfg, cgi, dbx, dhtm, doc, eml, htm, html, jsp, mbx, mdx, mht, mmf, msg, nch, oft, php, pl, ppt, rtf, shtm, tbb, txt, uin, vbs, wab, wsh, xls, and xml. (In case you haven’t noticed before, these scum are snooping through company Excel files. Sooner or later, they’ll figure out that bypassing secret financial data to grab a few email addresses is like robbing a bank and insisting on one dollar bills. If that doesn’t scare you silly, you’re in the wrong business.)

Like its progeny, Netsky-Y needs help to worm its way onto your network. Either an administrator too lazy to set the spam and content filtering appliance to strip attachments with PIF extensions, or a user dumb enough to open an attachment.
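What the attachment-stripping rule amounts to at the filter, as an added example that is not from the original post: it walks every MIME part and replaces anything whose final extension is PIF, including double-extension names such as `document.txt.pif`. The function names, addresses and sample message are constructed for illustration, and the blocked set contains only the extension the post names.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {"pif"}  # the post names PIF; extending the set is local policy


def blocked_extension(filename):
    """Return the blocked extension that a filename ends in, or None."""
    # Windows drops trailing dots and spaces, so "a.pif. " still opens as a PIF.
    name = (filename or "").rstrip(". ").lower()
    ext = name.rpartition(".")[2] if "." in name else ""
    return ext if ext in BLOCKED_EXTENSIONS else None


def attachment_names(msg):
    """List the filenames of every named part, at any nesting depth."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def strip_blocked_attachments(raw_bytes):
    """Replace blocked attachments with a notice; return (message, removed names)."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    removed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() decodes RFC 2231 names and falls back to Content-Type name=
        filename = part.get_filename()
        if blocked_extension(filename):
            removed.append(filename)
            # set_content() clears the old payload and Content-* headers first
            part.set_content(f"Attachment {filename!r} removed by mail policy.\n")
    return msg, removed


def build_sample():
    """Constructed sample: one harmless text attachment and one disguised PIF."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Re: document"
    msg.set_content("Please see the attached file.")
    msg.add_attachment("meeting notes", filename="notes.txt")
    msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="document.txt.pif")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_blocked_attachments(build_sample())
    print("removed:", removed, "kept:", attachment_names(cleaned))
```

The check keys on the last extension only, so `report.pif.txt` passes while `document.txt.pif` is stripped, which matches how Windows decides what to run.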

During user training, don’t forget to tell your users that attachments from colleagues are often attachments sent by worms that have stolen colleagues’ email addresses. Teach them to insist that folks send them files via the company ftp server. And don’t forget to make your ftp server easy to use.