Bagle and Netsky variants rapidly spreading on net


Five versions of the Bagle virus appeared over the weekend, as well as another version of Netsky which is spreading rapidly on the internet and generating a huge volume of virus-infected e-mail messages.

Netsky.D, the latest version of the Netsky worm, is believed to be the biggest threat in the group. Netsky.D has been spreading rapidly on the internet and flooding e-mail servers with infected messages, said Graham Cluley, a senior technology consultant at Sophos.

Some of Sophos' customers were receiving thousands of Netsky.D infected messages each hour. That number could increase after the weekend, he said.

The original Netsky worm first appeared on 16 February. Since then, three more variants have been released on the internet.

Like its predecessors, Netsky.D scans an infected computer's hard drive for files containing e-mail addresses and then sends copies of itself to those addresses.

Netsky.D affects machines running Microsoft's Windows operating system and arrives in e-mail messages with randomly generated subject lines such as "Re: Document", "Re: Your picture" or "Re:approved".

The Netsky.D worm disguises its payload as a PIF (Program Information File) attachment which also has a randomly generated name such as "my_details.pif", "document.pif" or "mp3music.pif".

However, Netsky.D does not spread on peer-to-peer networks, and does not use a Zip file to conceal its contents, according to antivirus company Network Associates.

The latest Bagle worms, which have appeared recently, use many of the same tricks as the latest Netsky worms.

Bagle versions C, D, E, F and G appeared over the weekend and are variants of the first Bagle worm, which appeared on 19 January.

All target systems running Windows, harvest e-mail addresses from infected machines and open a TCP (Transmission Control Protocol) port to listen for commands from a remote attacker, according to an alert released by computer security company iDefense.

Bagle.C appears to be the most virulent of the bunch. Sophos has received "hundreds" of reports of messages containing that version, which uses a Microsoft Office 2000 Excel icon to fool users. Other Bagle variants use Windows folder icons.

Bagle versions F and G also use a password-protected Zip file to get past anti-virus scanners. Password-protected Zips have encrypted contents that cannot be read by even sophisticated anti-virus scanners.

However, virus writers must supply the password information in the body of a message before users can open the Zip and get to the virus file inside, which makes it harder for the worm to spread.
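As an added illustration (not code from the article or from any vendor it quotes), the following Python gateway check flags the two traits described above without opening any attachment: a directly executable attachment such as a .pif file, and a Zip whose entries carry the encryption flag while the message body mentions a password. The sample message and the Zip stub are constructed here, the Zip is harmless, and its encryption bit is set by hand because Python's zipfile module cannot write encrypted archives.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Attachment types the article names as the carrier (PIF) plus other executables.
RISKY_EXTENSIONS = (".pif", ".exe", ".scr", ".com")

def zip_is_encrypted(data: bytes) -> bool:
    """True if any entry has bit 0 (encrypted) set in its general-purpose flag."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def scan_message(raw: bytes) -> list:
    """Return findings for one raw RFC 822 message (no attachment is opened)."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content().lower() if body else ""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if name.endswith(RISKY_EXTENSIONS):
            findings.append("executable attachment: " + name)
        if zip_is_encrypted(data):
            findings.append("encrypted zip attachment: " + name)
            if "password" in body_text:
                findings.append("archive password supplied in message body")
    return findings

def make_encrypted_zip_stub() -> bytes:
    buf = io.BytesIO()  # constructed sample: harmless zip with the encrypted flag forced on
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.pif", b"placeholder bytes, not a program")
    data = bytearray(buf.getvalue())
    data[data.find(b"PK\x03\x04") + 6] |= 0x01  # local file header flag bits
    data[data.find(b"PK\x01\x02") + 8] |= 0x01  # central directory flag bits
    return bytes(data)

def build_sample_message(password_in_body: bool = True) -> bytes:
    msg = EmailMessage()  # constructed sample shaped like the messages described above
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Re: Document"
    msg.set_content("Please see the attached document."
                    + (" The archive password is 12345." if password_in_body else ""))
    msg.add_attachment(make_encrypted_zip_stub(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()
```

A gateway that cannot inspect the archive contents can still quarantine on the combination of an encrypted Zip and a password in the body, which is exactly the trait that makes these variants harder to spread.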

The use of Zip files to hide e-mail viruses is increasingly popular among virus writers.

Many recipients may be used to receiving zipped attachments from correspondents and open the Bagle and Netsky attachments out of curiosity.

With e-mail viruses slipping by gateway protections, companies need desktop anti-virus software to stop the worm from infecting machines on which it is launched.

Organisations must also invest in user education to stop risky behaviour such as opening strange e-mail attachments, Cluley said.

Companies advised customers to update their anti-virus software as soon as possible to prevent infection.

Paul Roberts writes for IDG News Service