With Bagle, Netsky, March comes in like a worm

[InfoSec News <isn () c4i org>]

http://www.nwfusion.com/news/2004/0301withbagel.html

By Paul Roberts
IDG News Service
03/01/04

Conventional wisdom claims March comes in like a lion and goes out
like a lamb. But with new versions of the Bagle e-mail worm and a
virulent new form of Netsky virus, March's arrival is looking more
wormy than leonine.

As of Monday, five new versions of Bagle appeared over the weekend as
well as a new version of Netsky that is spreading rapidly on the
Internet and generating a huge volume of virus-infected e-mail
messages. The new virus versions use a variety of so-called "social
engineering" techniques to fool users. Some new variants also hide in
ZIP files to slip past anti-virus filters and into users' e-mail
boxes, said Graham Cluley, a senior technology consultant at Sophos.

Netsky.D, a new version of the Netsky worm, is believed to be the
biggest threat in the group. As of Monday, Netsky.D was spreading
rapidly on the Internet and flooding e-mail servers with infected
messages, according to Cluley.

Some of Sophos' customers were receiving thousands of Netsky.D
infected messages each hour. That number could increase on Monday as
U.S. workers return to their desks after the weekend, he said.

The original Netsky worm first appeared on Feb. 16. Since then, three
more variants have been released on the Internet. Like its
predecessors, Netsky.D scans an infected computer's hard drive for
files containing e-mail addresses and then sends copies of itself to
those addresses, antivirus companies said.

Like its predecessors, Netsky.D affects machines running Microsoft's
Windows operating system and arrives in e-mail messages with randomly
generated subject lines such as "Re: Document," "Re: Your picture" or
"Re:approved." The Netsky.D worm disguises its payload as a Program
Information File (PIF) attachment that also has a randomly generated
name such as "my_details.pif" "document.pif" or "mp3music.pif."

Unlike its predecessors, NetSky.D doesn't spread on peer-to-peer
networks, and doesn't use a ZIP file to conceal its contents,
according to anti-virus company Network Associates.

The gaggle of new Bagle worms that appeared in recent days use many of
the same tricks as the new Netsky worms, and some new techniques,
according to anti-virus companies.

Bagle versions C, D, E, F and G appeared between Saturday and Monday
and are variants of the first Bagle worm, which appeared on Jan. 19.  
All target systems running Windows, harvest e-mail addresses from
infected machines and open a TCP port to listen for commands from a
remote attacker, according to an alert released by computer security
company iDefense.

Bagle.C appears to be the most virulent of the bunch. Sophos has
received "hundreds" of reports of messages containing that version,
which uses a Microsoft Office 2000 Excel icon to fool users. Other
Bagle variants use Windows folder icons, Cluley said.

Bagle versions F and G also use a password-protected ZIP file to get
past anti-virus scanners. Password-protected ZIPs have encrypted
contents that cannot be read by even sophisticated anti-virus
scanners. However, virus writers must supply the password information
in the body of a message before users can open the ZIP and get to the
virus file inside, which makes it harder for the worm to spread, he
said.

The use of ZIP files to hide e-mail viruses is increasingly popular
among virus writers, he said.

Many recipients may be used to receiving zipped attachments from
correspondents and open the Bagle and Netsky attachments out of
curiosity, Cluley said.

With e-mail viruses slipping by gateway protections, companies need
desktop anti-virus software to stop the worm from infecting machines
on which it is launched, he said.

Organizations must also invest in user education to stop risky
behavior such as opening strange e-mail attachments, he said.

Last weekend's round of virus outbreaks is just the latest in a
weeks-long scourge that began in mid-January with the first version of
Bagle and has spawned multiple versions of the Bagle, Mydoom and
Netsky worms.

"I think it's effectively a blitzkrieg," said Cluley.

Despite only modest changes between worm versions, the new Bagle and
Netsky variants appear to be the work of the original virus authors,
he said.

"Someone who has access to the source code is creating these," he
said.

Leading anti-virus companies posted software updates to detect the new
worm versions and tools to remove the worms from infected machines.  
Companies advised customers to update their anti-virus software as
soon as possible to prevent infection.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.