F-Secure Warns on the outbreaks caused by a "Virus Weekend"

Two new versions of Netsky and five new versions of Bagle found since Friday

Helsinki, Finland - March 1, 2004

Virus writers have been busy over the last few days, with two new variants of the Netsky worm and five new variants of the Bagle worm found since Friday the 27th of February. Of these worms, Netsky.D - found on Monday the 1st of March - is the most widespread.

The Netsky virus family consists of fairly simple Windows worms which spread over email. Apart from spreading aggressively by sending out infected PIF attachments, they do very little. The only unusual feature is that Netsky.D will start to play a loop of random beeps from the PC speaker on the morning of Tuesday the 2nd of March.

"We believe the reason for Netsky.D spreading so fast is because it was apparently spammed to a large amount of email addresses during Monday", says Mikko Hypponen, Director of Anti-Virus Research at F-Secure. "If it continues spreading at these levels it might go on to break the previous records set by Mydoom.A and Sobig.F", he continues.

F-Secure raised Netsky.D to F-Secure Radar Level 1 Alert during Monday. Level 1 is the highest alert level.

All the new Bagle variants known as Bagle.C, .D, .E, .F and .G were found during the weekend. The original Bagle.A (also known as Beagle) is a Windows email worm that was first discovered on January 18th, 2004, and became globally widespread in just 24 hours.

All five new versions of Bagle seem to be written by the same virus author. "It seems the writer is waging a virus war", says Hypponen. "Apparently he has been monitoring closely how quickly the antivirus vendors have released detections, then made the necessary alterations to avoid detection and released new versions immediately", he continues.

F-Secure raised Bagles to F-Secure Radar Level 2 Alert during the weekend.

Bagle.F and .G have an interesting feature. Both of them send infected files inside ZIP archives encrypted with a password that is mentioned in the email message. The ZIP itself is variable, as the EXE inside has a random part in it. Most probably the virus is trying in this way to bypass detection by gateway and server scanners, which might not be able to decrypt such archives.
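A gateway that cannot decrypt such an archive can still act on its structure, because traditional ZIP encryption leaves member names and the per-entry "encrypted" flag readable. The Python sketch below is an added example, not F-Secure's code or part of the original release; the extension list, function names and sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Extensions a mail gateway might treat as executable (assumed policy list).
RISKY_EXT = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")
ENCRYPTED_BIT = 0x1  # bit 0 of the ZIP general purpose flag: entry is encrypted


def risky_encrypted_members(zip_bytes):
    """Return names of encrypted, executable-looking members of a ZIP attachment.

    Only the central directory is read, so no password is needed, and the
    check does not depend on the (variable) content of the archive.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [
            info.filename
            for info in zf.infolist()
            if info.flag_bits & ENCRYPTED_BIT
            and info.filename.lower().endswith(RISKY_EXT)
        ]


def build_sample(name, encrypted):
    """Construct a one-member test ZIP; optionally mark the member as encrypted.

    Python's zipfile cannot write encrypted archives, so the flag bit is set by
    patching the headers. The payload is harmless text, not real ciphertext.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, b"constructed placeholder payload")
    data = bytearray(buf.getvalue())
    if encrypted:
        central = data.find(b"PK\x01\x02")  # central directory file header
        data[6] |= ENCRYPTED_BIT            # flags field in local header
        data[central + 8] |= ENCRYPTED_BIT  # flags field in central header
    return bytes(data)


if __name__ == "__main__":
    for label, sample in [
        ("encrypted exe", build_sample("document.exe", True)),
        ("plain exe", build_sample("document.exe", False)),
        ("encrypted txt", build_sample("notes.txt", True)),
    ]:
        print(label, "->", risky_encrypted_members(sample))
```

A non-empty result is a reason to quarantine or hold the message for review even though the attachment itself cannot be scanned.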

In addition to this feature, Bagle.F uses deceiving icons for the infected attachments that look like folders, and thus may seem harmless to the end user.

Pictures of the Bagle folder icons can be seen in the F-Secure Weblog, which follows developments on these new viruses. A recording of the beep sound loop played by Netsky.D can also be downloaded from the weblog, which is available at: http://www.f-secure.com/weblog/.

F-Secure Anti-Virus can detect and remove all the new Netsky and Bagle variants. F-Secure Anti-Virus can be downloaded from http://www.f-secure.com .

F-Secure has also released free tools, which can be used to remove Bagle or Netsky from infected systems. The tools can be downloaded through the F-Secure Virus Information Center at http://www.f-secure.com/v-descs/

About F-Secure

F-Secure Corporation protects individuals and businesses against computer viruses and other threats coming through the Internet or mobile networks. Our award-winning solutions include antivirus, desktop firewall with intrusion prevention and network encryption. Our key strength is the speed of response to new threats and for businesses our solutions feature centralized management. Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since 1999. We have our headquarters in Helsinki, Finland, and offices in USA, France, Germany, Sweden, the United Kingdom and Japan. F-Secure is supported by a global ecosystem of value added resellers and distributors in over 50 countries. F-Secure protection is also available through major Internet Service Providers, such as Deutsche Telekom and leading mobile equipment manufacturers, such as Nokia.

For more information, please contact:

F-Secure Corporation

Mikko Hypponen, Director, Anti-Virus Research
Tel. +358 9 2520 5513
Email: mikko.hypponen@f-secure.com 
Mikael Albrecht, Product Manager
Tel +358 40 550 9349
Email: mikael.albrecht@f-secure.com