Monthly Archives - March of 2004
 

Wednesday, March 31, 2004

 
Netsky.R found Posted by Katrin @ 11:56 GMT

Another day, another new Netsky. This time it is a stripped-down modification of the previous variant; at least 80% of the functionality is the same.

More information can be found at:
http://www.f-secure.com/v-descs/netsky_r.shtml

 
 

 
 
Tuesday, March 30, 2004

 
Netsky.Q beeps today Posted by Mikko @ 07:56 GMT

The Q variant of Netsky (found yesterday) makes infected PCs play random beeps today, which can be very annoying. To hear what the beeping sounds like, click here.

Here's an example of what messages sent by Netsky.Q can look like:
Fairly clever

 
 

 
 
Monday, March 29, 2004

 
New week, new variants Posted by Mikko @ 08:46 GMT

Isn't it nice to get to work on Monday morning only to find yet another new variant of both Bagle and Netsky? So we're now up to Bagle.V and Netsky.Q.

This new Bagle sends mails where the attachment has an icon looking like a syringe:
Bagle.V

 
 

 
 
Sunday, March 28, 2004

 
Witty once more Posted by Mikko @ 21:40 GMT

CAIDA has released an interesting paper on the spread of the Witty worm. Their analysis shows several interesting facts, including that the worm apparently infected 12 000 computers and that it was most likely spread using a hitlist.

I would think the figure of 12 000 infected computers is on the low side. Many of the infected machines managed to corrupt themselves almost instantly, before they had much chance to make themselves "visible" to the net. Also, many infected computers were behind other firewalls, which could have prevented them from scanning others. And there are several unconfirmed reports citing fairly large internal infections in corporate environments.

CAIDA is also the home of one of the all-time favourites: a world-map MOV animation showing 24 hours of the spread of the Code Red worm in July 2001.

 
 

 
 
Sober.E found Posted by Katrin @ 14:14 GMT

A new Sober.E worm was found spreading in Germany on Sunday March 28th, 2004. The worm forges the 'From:' field so the infected email looks like it comes from a @gmx.net or @gmx.de address. The attachment is 30720 bytes in size.
 
 

 
 
Friday, March 26, 2004

 
New Bagle.U is spreading fast Posted by Katrin @ 09:42 GMT

A new Bagle.U worm is spreading fast this morning. So we issued a Level 2 alert on it.

This variant sends emails with an empty subject, no body text and a randomly named attachment.

The attachment has an icon which resembles a clock:
clock

 
 

 
 
Thursday, March 25, 2004

 
Some new viruses Posted by Mikko @ 06:39 GMT

Some new smaller-scale outbreaks have been seen lately, including Snapper and Mywife/Nyxem/Blackworm/Hunchi/Blueworm (an awful lot of aliases for this one).

The Snapper worm shouldn't be a problem any more, though, as it relies on the existence of a hacked web server in the USA. We contacted the ISP behind it yesterday, and the server seems to be down now (we haven't received confirmation, though). As long as it's down, the worm won't work.

 
 

 
 
Monday, March 22, 2004

 
Netsky.P worm is spreading faster Posted by Katrin @ 17:58 GMT

We just upgraded Netsky.P to Radar level 2 as it is spreading faster.
 
 

 
 
Sunday, March 21, 2004

 
New Netsky variant has been found Posted by Alexey @ 19:34 GMT

The new Netsky.P variant was found on March 21st, 2004. It spreads as a dropper that copies itself to the Windows folder and then extracts the main worm file there. Netsky.P is functionally similar to the previous variants.

F-Secure Anti-Virus detects Netsky.P worm with the latest updates. More information in the virus description.

 
 

 
 
Saturday, March 20, 2004

 
The destructiveness of Witty Posted by Mikko @ 21:39 GMT

The Witty worm is spreading fast, but it only affects users running BlackIce software. On infected machines, however, it does serious damage: it overwrites random parts of the hard drive for as long as the machine stays infected.

Remember, disinfection is as easy as disconnecting the machine from the internet and rebooting it. The worm lives only in memory, so a reboot removes it; but an unpatched machine will simply be reinfected once it is reconnected, so install the ISS patch before plugging it back in.

Unfortunately there may be a lot of machines with overwritten disks waiting at workplaces on Monday morning.

ISS (vendor behind BlackIce) now has a public advisory on this at
http://xforce.iss.net/xforce/alerts/id/167.

 
 

 
 
The Witty network worm outbreak Posted by Mikko @ 10:01 GMT

We've agreed to call this new network worm "Witty", based on the texts inside the worm ("insert witty message here"). For details, see the virus description.

No voi Witty

Do note that this is a completely automatic network worm. It never sends any emails, and it infects vulnerable machines without any human help. It runs purely as an in-memory process, so infected machines can be cleaned temporarily by rebooting them.

This worm has similarities to the infamous Slammer worm, which exploited a hole in Microsoft SQL Server systems to spread and caused massive amounts of network traffic in January 2003.

Slammer was 376 bytes in size, while Witty is 909; both are tiny. Neither writes itself to the hard drive (Witty's disk overwrites are its payload, not part of how it spreads). Both spread using UDP packets, and both were released at about the same time of day, early on a Saturday morning: Slammer at 05:31 GMT on Saturday the 25th of January 2003, and the first captured Witty infection we are aware of at 04:45 today, Saturday the 20th of March 2004.

F-Secure's firewall applications automatically block this worm without any updates. They will also filter the UDP traffic generated by the worm.

 
 

 
 
New automatic network worm Posted by Mikko @ 08:52 GMT

A new worm (known so far as "Blackworm") has been found. It spreads through direct network connections, targeting machines that are running BlackIce security software.

If you're running BlackIce, we recommend disconnecting from the network immediately, downloading the patch from the vendor's website on another computer, and transferring it to the affected machine on removable media for the update.

More information at Incidents.org.

The number of infected computers right now seems to be several thousand. The worm generates substantial amounts of traffic to random UDP ports, always from source port 4000.
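The traffic pattern described in the two Witty posts above (UDP, fixed source port 4000, a fresh random destination address and port for every packet, nothing written to disk) is enough for a network-side detector, so here is one as an added example. This is not F-Secure's code and not part of the original posts: the log line format, the sample lines and the fan-out thresholds are all constructed for the example, and it keys on fan-out from UDP/4000 rather than on the 909-byte size quoted above, since packet size is trivial to vary.

```python
"""Flag hosts showing the Witty worm's traffic pattern in a packet log.

Added example; not F-Secure's code. The log format, the sample lines and the
thresholds are constructed for this example.
"""
import re
from collections import defaultdict

WITTY_SRC_PORT = 4000
# Assumed thresholds: a host is flagged when, from UDP/4000, it reaches at least
# this many distinct destination hosts and this many distinct destination ports.
MIN_DST_HOSTS = 20
MIN_DST_PORTS = 20

# Constructed log format: "<date> <time> <proto> <sip>:<sport> -> <dip>:<dport> len <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>UDP|TCP) "
    r"(?P<sip>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) len (?P<length>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec


def find_witty_scanners(lines, min_hosts=MIN_DST_HOSTS, min_ports=MIN_DST_PORTS):
    """Return {source_ip: stats} for sources whose UDP/4000 traffic fans out like Witty."""
    dst_hosts = defaultdict(set)
    dst_ports = defaultdict(set)
    packets = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["sport"] != WITTY_SRC_PORT:
            continue
        src = rec["sip"]
        dst_hosts[src].add(rec["dip"])
        dst_ports[src].add(rec["dport"])
        packets[src] += 1
    flagged = {}
    for src, count in packets.items():
        # A legitimate client on UDP/4000 talks to a few servers on a few ports;
        # the worm never reuses a destination.
        if len(dst_hosts[src]) >= min_hosts and len(dst_ports[src]) >= min_ports:
            flagged[src] = {
                "packets": count,
                "dst_hosts": len(dst_hosts[src]),
                "dst_ports": len(dst_ports[src]),
            }
    return flagged


def constructed_log():
    """Constructed sample: one infected host, one benign UDP/4000 client, some noise."""
    lines = []
    for i in range(60):
        # Infected host: every packet to a new address and port, with a varying size.
        lines.append(
            "2004-03-20 04:45:%02d UDP 10.0.0.5:4000 -> 198.51.100.%d:%d len %d"
            % (i % 60, i + 1, 1024 + i * 37, 796 + (i * 53) % 512)
        )
    for i in range(60):
        # Benign client that also uses source port 4000 but talks to a single server.
        lines.append(
            "2004-03-20 04:45:%02d UDP 10.0.0.9:4000 -> 203.0.113.5:4000 len 64" % (i % 60)
        )
    lines.append("2004-03-20 04:46:00 TCP 10.0.0.5:4000 -> 203.0.113.80:80 len 60")
    lines.append("this line is not a packet record")
    return lines


if __name__ == "__main__":
    for src, stats in find_witty_scanners(constructed_log()).items():
        print("%s: %d packets to %d hosts / %d ports from UDP/4000"
              % (src, stats["packets"], stats["dst_hosts"], stats["dst_ports"]))
```

Run against a real capture, the same logic works on NetFlow or firewall logs once parse_line is adapted to their format; the point is that the fixed source port combined with scanner-like fan-out separates the worm from an ordinary application that happens to bind port 4000.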

 
 

 
 
Friday, March 19, 2004

 
Mydoom.F and RIAA Posted by Mikko @ 19:18 GMT

Mydoom.F, which was found a month ago, has been gaining ground over the last few weeks. It's now in the Top 10 of current virus threats. This virus also runs a sustained DDoS attack against the website of the Recording Industry Association of America at www.riaa.com.

This site has been down since Wednesday. There is some speculation on whether this is caused by Mydoom.F or not.

The same worm also attacks www.microsoft.com, which is doing just fine.

 
 

 
 
Thursday, March 18, 2004

 
More Bagles today Posted by Katrin @ 12:27 GMT

Two more Bagle variants were found today - Bagle.S and Bagle.T. They are similar to Bagle.Q. For more information see:

http://www.f-secure.com/v-descs/bagle_q.shtml

 
 

 
 
F-Netsky tool released Posted by Alexey @ 11:02 GMT

F-Secure Corporation has released a special disinfection tool that cleans all currently known W32/Netsky worm variants. The tool is available in EXE, ZIP and JAR formats. You can download the F-Netsky tool from our FTP site:

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.jar

Disinfection instructions can be found here:

ftp://ftp.f-secure.com/anti-virus/tools/f-netsky.txt

 
 

 
 
A massmailer which doesn't mail itself Posted by Mikko @ 09:07 GMT

These new Bagles (by the way, one more variant was just found, named Bagle.S) use a new technique to spread. They do not send themselves as email attachments, as you would expect. Instead, they send emails that contain an HTML exploit.

When the message is rendered, the HTML code causes the recipient's machine to download and run an executable from a web server: a web server that has been installed on home machines infected by one of the previous Bagles. These worms carry lists of hundreds of IP addresses running such a web server.

Most firewall programs would prevent such a web server from accepting connections on a workstation (Windows XP's built-in firewall does, if it is enabled). But the party behind Bagle seems to use only machines that are not behind such a firewall.

As the HTML exploit runs automatically (on unpatched systems) when the email is displayed, users don't have to double-click anything to get infected; reading or previewing the email is enough.

Fetching the executable from a website instead of attaching it is not a totally new technique. In particular, an email worm called Fagled did this already in 2002. For more information, see http://www.f-secure.com/v-descs/fagled.shtml
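Because the executable never travels inside the message, an attachment filter sees nothing, but the mail still has to name the download server, and this post says those servers are home machines addressed by IP. The following gateway check is an added example, not F-Secure's code and not from the original post: it pulls every URL out of the HTML part(s) of a message and reports the ones whose host is a literal IP address and whose path names an executable. The sample message, the list of URL-carrying attributes and the extension list are assumptions made for the example; a real gateway would run this alongside exploit detection, not instead of it.

```python
"""Flag HTML mail that pulls an executable from a web server addressed by bare IP.

Added example, not F-Secure's code. The sample message is constructed; the
attribute and extension lists are assumptions for the example.
"""
import email
import ipaddress
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRIBUTES = {"href", "src", "data", "codebase", "action", "background"}
EXECUTABLE_SUFFIXES = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd")


class _UrlCollector(HTMLParser):
    """Collects attribute values that carry URLs from every start tag."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in URL_ATTRIBUTES and value:
                self.urls.append(value.strip())


def extract_html_urls(raw_message: bytes):
    """Return every URL referenced from the text/html parts of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = _UrlCollector()
            collector.feed(part.get_content())
            urls.extend(collector.urls)
    return urls


def is_bare_ip_host(url: str) -> bool:
    """True when the URL's host is a literal IPv4/IPv6 address rather than a name."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def suspicious_urls(raw_message: bytes):
    """URLs in the HTML parts that fetch an executable from a bare-IP server."""
    hits = []
    for url in extract_html_urls(raw_message):
        path = urlsplit(url).path.lower()
        if is_bare_ip_host(url) and path.endswith(EXECUTABLE_SUFFIXES):
            hits.append(url)
    return hits


def constructed_message() -> bytes:
    """Constructed sample: multipart/alternative mail whose HTML part references a
    normal page by name and an executable on a bare-IP host (RFC 5737 test range)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.net"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Re: Document"
    msg.set_content("Please see the attached document.")
    msg.add_alternative(
        "<html><body>Please see the document."
        '<a href="http://www.example.com/news.html">News</a>'
        '<object data="http://192.0.2.44:81/update.exe"></object>'
        "</body></html>",
        subtype="html",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for url in suspicious_urls(constructed_message()):
        print("blocked:", url)
```

The check deliberately looks at the HTML rather than the attachment list, since in this campaign there is no attachment; it also treats IPv6 literals as bare IPs, which the post does not mention but which costs nothing.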

 
 

 
 
Bagle.Q and Bagle.R found Posted by Gergo @ 07:37 GMT

Two new variants of the Bagle family have been found. They are very similar to each other; most likely the second one is a minor, recompiled variant.

More information will follow soon.

 
 

 
 
Wednesday, March 17, 2004

 
Netsky.O tries to defame F-Secure Posted by Mikko @ 07:53 GMT

Not a big surprise: a new Netsky variant has been found. This one doesn't seem to be very widespread (we have only one report so far, from Australia). But it's nasty, as it sends messages with fake announcements from antivirus vendors claiming the attachment has been scanned and found clean, when it has not.

This variant names several antivirus vendors, including us.

Here's an example of an email sent by Netsky.O:

From: random-email-address
To: recipients-email-address
Subject: Re: Mail Authentification

Please authenticate the secure message.

+++ Attachment: No Virus found
+++ F-Secure AntiVirus - You are protected
+++ www.f-secure.com

Netsky.O


We have just shipped detection for this variant.

Description is available at

http://www.f-secure.com/v-descs/netsky_o.shtml

 
 

 
 
Tuesday, March 16, 2004

 
Update on the war between Bagle and Netsky worm authors. Posted by Alexey @ 14:44 GMT

After checking the latest Bagle and Netsky worm variants we have come to the following conclusions:

1. The Netsky worm is now most likely being produced by a different person or group. A message inside the latest variant, Netsky.N, indicates that a new person/group has acquired the worm's source code and intends to continue the war against the Bagle and Mydoom authors. That war was started by the original Netsky authors.

2. The latest Bagle variants have started killing Netsky processes and deleting Netsky's startup keys from the Registry. This indicates that the person/group behind Bagle has joined the war against Netsky. The latest Bagle variant deletes the startup keys of many Netsky variants and kills the process of at least one of them, Netsky.M.

Bottom line: we will most likely keep seeing new Netsky and Bagle variants regularly until the people creating them give up or get arrested.

 
 

 
 
NetSky is at N Posted by Gergo @ 07:54 GMT

A new variant in the NetSky family has been found. It is very similar to the previous ones, with one exception: it adds a fake "No Virus Found by " note to the end of the messages it sends.

A description has been posted to

http://www.f-secure.com/v-descs/netsky_n.shtml

 
 

 
 
Monday, March 15, 2004

 
Bagle/Mydoom/Netsky history Posted by Mikko @ 12:18 GMT

Here's an updated chart on how these virus families have evolved over the last weeks.

DEVELOPMENT OF THE BAGLE, MYDOOM AND NETSKY VIRUS FAMILIES

Sun 18 January 2004      Bagle.A
Tue 27 January 2004      Mydoom.A
Wed 28 January 2004      Mydoom.B

Week 8
Mon 16 February 2004     Netsky.A
Mon 16 February 2004     Mydoom.E
Tue 17 February 2004     Bagle.B
Wed 18 February 2004     Netsky.B

Week 9
Tue 24 February 2004     Mydoom.F
Wed 25 February 2004     Netsky.C
Fri 27 February 2004     Bagle.C
Sat 28 February 2004     Bagle.D
Sat 28 February 2004     Bagle.E
Sun 29 February 2004     Netsky.D

Week 10
Mon 1 March 2004         Bagle.F
Mon 1 March 2004         Bagle.G
Mon 1 March 2004         Netsky.E
Tue 2 March 2004         Bagle.H
Tue 2 March 2004         Bagle.I
Tue 2 March 2004         Netsky.F
Tue 2 March 2004         Bagle.J
Wed 3 March 2004         Mydoom.G
Wed 3 March 2004         Bagle.K
Wed 3 March 2004         Mydoom.H
Thu 4 March 2004         Netsky.G
Fri 5 March 2004         Netsky.H
Sun 7 March 2004         Netsky.I

Week 11
Mon 8 March 2004         Netsky.J
Mon 8 March 2004         Netsky.K
Tue 9 March 2004         Bagle.L
Wed 10 March 2004        Netsky.L
Thu 11 March 2004        Netsky.M
Thu 11 March 2004        Bagle.M
Sat 13 March 2004        Bagle.N
Sat 13 March 2004        Bagle.O

Week 12
Mon 15 March 2004        Bagle.P
...


 
 

 
 
Bagle.P has been found Posted by Gergo @ 09:50 GMT

A new variant of the Bagle family has been found. This one got the variant letter P.

This variant is almost identical to Bagle.N with the following differences:

- Some of the message bodies have been reworded

- The internal encryption algorithm has changed slightly

A short description has been posted to

http://www.f-secure.com/v-descs/bagle_p.shtml

 
 

 
 
Saturday, March 13, 2004

 
Bagle.O found Posted by Ero @ 23:13 GMT


Yet another one. We have generic detection for this variant.

 
 

 
 
More on Bagle.N Posted by Mikko @ 22:30 GMT

This new Bagle has new features, and it seems to be spreading surprisingly fast for an email worm found during a weekend.

Once again it sends itself in variable emails as a PIF or EXE attachment.

The icon of the EXE resembles the icon of a Windows TrueType font:

Icon

This time the executable can be packed inside a ZIP or RAR archive, which may be protected with a password. The password can be given as a BMP/GIF/JPG image instead of as text, like this:

Password: Password

This is of course an attempt to make the work of gateway-based scanners harder, after we and many other vendors started detecting the password-protected ZIP files sent by previous Bagles: a scanner cannot open the encrypted archive without the password, and a password that exists only as an image cannot simply be read out of the message text.

Interestingly, underneath the packing and encryption there's an ASCII-art picture of a butterfly, along with some texts we won't be repeating here.

Butterfly


 
 

 
 
Bagle.N found in the wild Posted by Katrin @ 20:36 GMT

We thought we would have a quiet weekend, but a new Bagle variant has been found in the wild: Bagle.N. More information will be available here:

http://www.f-secure.com/v-descs/bagle_n.shtml

 
 

 
 
Thursday, March 11, 2004

 
New Bagle.M found Posted by Alexey @ 15:25 GMT

A new Bagle.M variant was found 15 minutes ago. It drops a new Mitglieder.T proxy trojan and a loader component for it. This variant is similar to the previous Bagle.L. More information is available here:

http://www.f-secure.com/v-descs/bagle_m.shtml

 
 

 
 
These new Netskies... Posted by Mikko @ 08:56 GMT

We have reason to believe that the two latest Netsky variants were not written by the original virus writer behind this family. He earlier claimed that he would stop distributing new variants and instead release the worm's source code, and that might be exactly what happened: third parties have since modified the source code and released new variants based on it.

This is just speculation, and we're not sure if the source code of Netsky has been posted publicly. At least we haven't seen it.

 
 

 
 
Next in the line: NetSky.M Posted by Gergo @ 07:43 GMT

Another variant of the NetSky family has been found.

A brief description can be found at:

http://www.f-secure.com/v-descs/netsky_m.shtml

 
 

 
 
Wednesday, March 10, 2004

 
One more Netsky.L found Posted by Katrin @ 16:21 GMT

Yet another new Netsky variant has been found: Netsky.L. This time there are no messages aimed at Bagle and Mydoom, so hopefully the war is over.

For more information see the description:

http://www.f-secure.com/v-descs/netsky_l.shtml


 
 

 
 
Cidra.D: Yet another trojan proxy... Posted by Ero @ 15:41 GMT


We got reports today of Cidra.D, yet another in a long list of trojan proxies aimed at relaying spam through unwitting users' computers.

Cidra.D was spammed out, as it lacks any mechanism to spread by itself. Worth noting is that the trojan's proxying feature could be used to distribute newer copies of itself or other malware.

 
 

 
 
Several new Agobot backdoor variants found Posted by Alexey @ 14:10 GMT

Recently several new Agobot backdoor variants have been discovered. The most widespread at the moment is the variant we detect as 'Backdoor.Agobot.fo'. We also have infection reports about another variant, 'Backdoor.Agobot.ev'. Both contain 'phat' strings, and in 'Agobot.fo' the 'Agobot' string has been changed to 'Phatbot'. This indicates that both variants were most likely made by the same person or group.
 
 

 
 
Tuesday, March 9, 2004

 
More Bagle activity Posted by Mikko @ 13:00 GMT

We hadn't seen a new Bagle variant for six days, but a new one was found today. It is a minor variant repacked with ASPack; many antivirus programs detect it without an update, typically as Bagle.K.

Then we found something else: a file that closely resembles members of the Bagle family but does not spread, so it is not a virus. It was apparently written by the same group, though.

This file drops the Mitglieder proxy trojan, which spammers have used several times in the past. We're not sure how this Bagle look-alike is actually being distributed, as it contains no replicating code. It may simply be spammed out as an email attachment, most likely from machines that were infected earlier.

The Mitglieder trojan is an interesting link between the Bagle and Mydoom families. The first known version of this proxy trojan was used by Bagle.A in January 2004: Bagle.A downloaded it from a website and installed it on infected computers.

Around the same time, Mydoom.A was infecting machines around the world, leaving a small backdoor on each infected computer. Several days after the initial outbreak, someone who knew how to operate the backdoor port-scanned large parts of the internet address space, installed another version of the Mitglieder trojan on those machines, and started sending spam through them.

The fact that both the Bagle and Mydoom families use the Mitglieder trojan might indicate that a single group is in fact behind both of them. It might be different programmers, but the same organization.

The way these worms use Mitglieder is the next logical step from the way earlier spam-related worms such as Lovgate and Sobig used Wingate. Wingate is a commercial proxy server, but many worms have used it, in violation of its licence agreement, to install hidden proxy functionality; some trojans, such as Migmaf, carried an embedded copy of it.

In fact, I wouldn't be surprised if all of these worms would be connected to each other. The great Lovgate-Sobig-Bagle-Mydoom conspiracy!

 
 

 
 
Monday, March 8, 2004

 
Virus War History Posted by Mikko @ 22:29 GMT

Looking at the current virus outburst as a whole, variants of the three main virus families (Bagle, Mydoom and Netsky) have been released in three bursts: first at the end of January, when the infamous, SCO-attacking Mydoom.A was released; then in the middle of February, when the first Netsky was found; and then at the end of February. This last burst is still continuing, as the table below shows.

The different virus families are colour-coded.

DEVELOPMENT OF THE BAGLE, MYDOOM AND NETSKY VIRUS FAMILIES

Fri 23 Jan 2004    Bagle.A
Tue 27 Jan 2004    Mydoom.A
...
Mon 16 Feb 2004    Netsky.A
Mon 16 Feb 2004    Mydoom.E
Tue 17 Feb 2004    Bagle.B
Wed 18 Feb 2004    Netsky.B
...
Tue 24 Feb 2004    Mydoom.F
Wed 25 Feb 2004    Netsky.C
Fri 27 Feb 2004    Bagle.C
Sat 28 Feb 2004    Bagle.D
Sat 28 Feb 2004    Bagle.E
Sun 29 Feb 2004    Netsky.D
Mon 1 Mar 2004     Bagle.F
Mon 1 Mar 2004     Bagle.G
Mon 1 Mar 2004     Netsky.E
Tue 2 Mar 2004     Bagle.H
Tue 2 Mar 2004     Bagle.I
Tue 2 Mar 2004     Netsky.F
Tue 2 Mar 2004     Bagle.J
Wed 3 Mar 2004     Mydoom.G
Wed 3 Mar 2004     Bagle.K
Wed 3 Mar 2004     Mydoom.H
Thu 4 Mar 2004     Netsky.G
Fri 5 Mar 2004     Netsky.H
Sun 7 Mar 2004     Netsky.I
Mon 8 Mar 2004     Netsky.J
Mon 8 Mar 2004     Netsky.K
...

 
 

 
 
Netsky.K found Posted by Mikko @ 21:59 GMT

One more Netsky variant has been found, although it is a bit unclear whether it was actually distributed before Netsky.J (which we found earlier today). This new 22016-byte variant seems to be spreading somewhat more than some of the other recent variants.

A typical message sent by this variant could look like this:

From: spoofed-address
To: random-address
Subject: Re: Your music

See the attached file for details.
Attachment: mp3music.pif

 
 

 
 
New Netsky found, and they got to the J Posted by Ero @ 14:58 GMT

A new variant of Netsky has been found. It has no major new features, but it does continue the flame war among malware writers. Apart from the usual childish rantings, the authors also promise that this will be the last version.

Let's see if they can live up to their word.

 
 

 
 
Sober.D worm found Posted by Katrin @ 06:19 GMT

A new Sober.D worm was found in Germany early this morning. Like previous Sober variants, it sends emails in both German and English. Sober.D pretends to be a Microsoft update that removes Mydoom; the infected email appears to come from a fake Microsoft address. The attachment is an EXE or a ZIP archive.

More information is available here:

http://www.f-secure.com/v-descs/sober_d.shtml

 
 

 
 
Sunday, March 7, 2004

 
Jigsaw Piece - 079 Posted by Mikko @ 20:00 GMT

Jigsaw
 
 

 
 
Netsky.I found Posted by Mikko @ 16:04 GMT

Again, there seems to be a new Netsky variant going around. We'll post more information when we get it.

As an email worm, it probably won't become a problem during the weekend, as people read much less mail at weekends.

 
 

 
 
Saturday, March 6, 2004

 
DNS attempts by SCO Posted by Mikko @ 19:43 GMT

Going back through the DNS history of www.sco.com, we noticed that SCO had already attempted once to bring the site back.

This happened a week earlier, on Friday the 27th of February. Back then, the name was in DNS from around 06:16 to 06:47 GMT. Then it was out of DNS again until Friday the 5th of March.

Perhaps the DDoS load from Mydoom-infected machines was still too heavy and they decided to wait another week. (The monitoring log below is stamped in local Helsinki time, which is two hours ahead of GMT.)

---[2004-02-27 08:16:54 ] Querying round started.
Using domain server:
Name: NS.CALDERASYSTEMS.COM
Address: 216.250.130.1#53
www.sco.com. has address 216.250.128.12

 
 

 
 
Domain www.sco.com is back Posted by Mikko @ 11:28 GMT

The Mydoom.A worm ran a large-scale distributed denial-of-service attack against www.sco.com between February 1st and February 12th. As many infected computers had their clocks set wrong, the attack continued well after the worm's built-in expiry date.

As a result, SCO kept the www.sco.com name out of DNS altogether.

But now they brought it back, and it is again operational. This change happened on Friday the 5th of March around 06:01 GMT according to our monitoring system.

[c:\]host www.sco.com
www.sco.com has address 216.250.128.12

[c:\]host sco.com
sco.com has address 216.250.128.21

 
 

 
 
Friday, March 5, 2004

 
One more new NetSky Posted by Katrin @ 10:52 GMT

It had been quiet for the last 22 hours, but we just got a new NetSky.H variant. With the current updates we detect it as a variant of NetSky.F; exact detection will be released shortly:

http://www.f-secure.com/v-descs/netsky_h.shtml

 
 

 
 
Thursday, March 4, 2004

 
Icons displayed by latest Mydoom variants Posted by Ero @ 15:09 GMT

The latest known variants of Mydoom, G and H, display the following icons, hoping that people's curiosity will make them click and therefore execute the worm.

mydoom_icons (6k image)

 
 

 
 
RSS feed Posted by Gergo @ 14:06 GMT

An RSS feed of the weblog is available at

http://www.f-secure.com/weblog/weblog.rdf

The feed is RSS version 0.91 in RDF format.

Please consider this feature to be beta quality at the moment. All comments and feedback are welcome through the contact address.

 
 

 
 
About the team Posted by Mikko @ 13:42 GMT

Since we started our weblog, we've received several questions about the people behind it, and about our antivirus research team in general.

Well, we are a team of nine humans and one monkey.

For more background info, we suggest you take a look at a recent Wired Article on us. It even includes a group photo of the team.

Although the group picture is missing the monkey. So we'll post a picture of her here:

Our monkey


 
 

 
 
The war continues Posted by Alexey @ 12:01 GMT

Another NetSky variant, NetSky.G, was found on the 4th of March 2004. This variant spreads in e-mails as an executable attachment.

This worm contains another insulting message for the authors of the Bagle and Mydoom worms, and a proposal to meet in person at a location in the USA. The location name is stored encrypted in the worm.

Like the previous variants, NetSky.G tries to uninstall the Bagle worm from the infected computer.

 
 

 
 
Wednesday, March 3, 2004

 
Fueling the fire? Posted by Mikko @ 16:50 GMT

We've been thinking about the situation, and decided that describing the details of the current fight between Bagle & Mydoom vs Netsky might only make the situation worse.

So we're going to try this: we'll limit the detail a bit on what we actually find from the internals of the related viruses we analyse. There's no need for us to operate as some kind of forum for the virus writers to discuss.

Let's see if this changes the situation at all.

We'd be interested in hearing your thoughts on this too. As usual, feel free to contact us:

 
 

 
 
Netsky - Bagle Posted by Katrin @ 12:22 GMT

Question: When will the war stop?
Answer: When Netsky stops removing Bagle.

Question: When will that happen?
Answer: Somewhere in the future, when (if ever) the virus authors realize that there is no real winner in this battle.

For more information on how Netsky removes Bagle see the description of Netsky.F

 
 

 
 
We're going to run out of letters Posted by Mikko @ 10:08 GMT

During the last hour or so, a new variant was found of each of the three active virus families: Netsky, Bagle and Mydoom!

If I get this right, we're now at:

- Netsky.F: http://www.f-secure.com/v-descs/netsky_f.shtml
- Bagle.K: http://www.f-secure.com/v-descs/bagle_k.shtml
- Mydoom.H: http://www.f-secure.com/v-descs/mydoom_h.shtml

And probably there's more to come.

 
 

 
 
Virus War: Netsky vs. Bagle 6:10 Posted by Katrin @ 09:10 GMT

We are living in interesting times. A new Netsky.F was just found. It contains the following message to Bagle:

"Skynet AntiVirus - Bagle - you are a looser!!!"

For more information see here:

http://www.f-secure.com/v-descs/netsky_f.shtml

 
 

 
 
Zipped attachments Posted by Mikko @ 08:34 GMT

Many, many organizations seem to have started dropping all incoming ZIP file attachments. Unfortunately, ZIP files are becoming as risky as executables. Especially under Windows XP, where the shell opens a ZIP archive as a "compressed folder", the distinction between an archive and an ordinary folder is disappearing for the user.

Lame screenshot

 
 

 
 
Bagle.J's social engineering Posted by Mikko @ 00:47 GMT

Bagle is getting more and more clever about the messages it sends. The latest variant can send widely varying mails that reference the recipient's company or domain name directly.

For example, if your email address is BOB@ACME.COM, you might get a message like this:
Bagle.J's Message

 
 

 
 
Tuesday, March 2, 2004

 
More and more Posted by Mikko @ 22:23 GMT

This is getting ridiculous: we've just found Bagle.J (the 10th variant) and Mydoom.G! The previous Mydoom variant was found almost two weeks ago, on February 20th.

Bagle.J also spreads in password-protected ZIPs, but uses a WordPad icon instead of the folder icon.

nbaglej

Bagle.J includes this hidden message:

"Hey, NetSky, f*ck off you b*tch, don't ruine our bussiness, wanna start a war ?"

While Mydoom.G includes this:

"to netsky's creator(s): imho, skynet is a decentralized peer-to-peer neural network. we have seen P2P in Slapper in Sinit only. they may be called skynets, but not your shitty app."

nmydoomg

So apparently the authors of Bagle and Mydoom wanted to send a message to the authors of Netsky.

Links to the descriptions:
Bagle.J
Mydoom.G

 
 

 
 
Viruses and...sauna Posted by Mikko @ 19:00 GMT

Bob Sullivan has an interesting (and timely) article on the recent outburst of viruses...and its effects on antivirus researchers at: http://msnbc.msn.com/id/4422372

Thanks, Bob...

 
 

 
 
Bagle distribution continues Posted by Katrin @ 10:51 GMT

Yet another new Bagle, Bagle.I, was found earlier today. It is similar to Bagle.H but uses a different packer. More information is available here:

http://www.f-secure.com/v-descs/bagle_i.shtml

 
 

 
 
NetSky.D still going strong Posted by Jarno @ 07:12 GMT

We have had some questions about our virus statistics and why the graph seems to drop this morning. The drop is simply because it is still early morning here and there have not been many samples for today yet. Unfortunately the graph will pick up again over the next couple of hours.

Currently NetSky.D accounts for about 67% of all samples we see.

Virus statistics

 
 

 
 
Monday, March 1, 2004

 
More worms today Posted by Katrin @ 17:25 GMT

One more new Netsky, Netsky.E, was found in the field:

http://www.f-secure.com/v-descs/netsky_e.shtml

and

Yet another new Bagle, Bagle.H, just arrived:

http://www.f-secure.com/v-descs/bagle_h.shtml

What's next...

 
 

 
 
Update on NetSky.D statistics Posted by Jarno @ 13:57 GMT

NetSky.D is spreading at an alarming rate; at the moment it accounts for 43.2% of the samples seen by F-Secure.
More information on virus statistics.

As a result, we have just upgraded Netsky.D to a Level 1 Alert - the highest we have.

This is already the fourth Level 1 Alert this year. Seems to be a bad year.

 
 

 
 
NetSky.D plays sound on activation. Posted by Jarno @ 12:31 GMT

In addition to its other payload, NetSky.D plays a sound through the PC speaker, so you know what to do if you hear this sound.


Wav sample of the sound

 
 

 
 
Lots of activity Posted by Mikko @ 11:49 GMT

In the middle of all these new Bagle variants, a new Netsky variant (D) has been found as well, and it seems to be spreading fast.

For more information see:

http://www.f-secure.com/v-descs/netsky_d.shtml



 
 

 
 
Bagle.F and .G upgraded to Radar 2 Posted by Katrin @ 10:02 GMT

We upgraded Bagle.F and Bagle.G to Radar 2. For more information see:

http://www.f-secure.com/v-descs/bagle_f.shtml

 
 

 
 
Bagle.F spreading faster Posted by Mikko @ 07:57 GMT

Bagle.F is going around at the moment. Apparently the trick with encrypted ZIP files is working: it gets the virus into corporate networks better than plain attachments, because a gateway scanner cannot open the password-protected archive.

Also, the F variant uses a deceptive icon for the infected attachments; they look like folders:

2 (55k image)
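The Bagle.F post above, the Bagle.N post of March 13 and the "Zipped attachments" note of March 3 all turn on the same point: a password-protected ZIP defeats the gateway scanner's look inside, yet the archive structure itself is not encrypted. Every entry carries a general-purpose flag word whose bit 0 marks it as encrypted, and the entry names are stored in clear. The following is an added example, not F-Secure's code and not from the original posts: it walks a ZIP's central directory with struct (rather than Python's zipfile, so it also copes with archives zipfile refuses) and returns a block/pass verdict from what a gateway can see without the password. The sample archive is constructed: a plain stored entry whose encryption bit is then set in both headers, which is exactly what a scanner observes on a real encrypted entry.

```python
"""Report what a gateway can learn from a ZIP attachment it cannot open.

Added example, not F-Secure's code. The sample archive is constructed.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header
FLAG_ENCRYPTED = 0x0001    # bit 0 of the general-purpose flag word
EXECUTABLE_SUFFIXES = (".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs")


def scan_zip(data: bytes):
    """Return one dict per entry in the central directory.

    The encryption bit is read from both the central and the local header, so an
    archive whose two headers disagree is still reported as encrypted.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) - eocd < 22:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig(4) disk(2) cd_disk(2) entries_here(2) entries_total(2) cd_size(4) cd_offset(4)
    total_entries, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    entries = []
    pos = cd_offset
    for _ in range(total_entries):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("bad central directory header at offset %d" % pos)
        # CDH: sig(4) made_by(2) needed(2) flags(2) method(2) time(2) date(2) crc(4)
        #      csize(4) usize(4) name_len(2) extra_len(2) comment_len(2) disk(2)
        #      int_attr(2) ext_attr(4) local_header_offset(4) = 46 bytes, then the name
        cd_flags, method = struct.unpack_from("<HH", data, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (lfh_offset,) = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + name_len].decode("cp437", "replace")
        lfh_flags = 0
        if data[lfh_offset:lfh_offset + 4] == LFH_SIG:
            (lfh_flags,) = struct.unpack_from("<H", data, lfh_offset + 6)
        entries.append({
            "name": name,
            "method": method,
            "encrypted": bool((cd_flags | lfh_flags) & FLAG_ENCRYPTED),
            "executable": name.lower().endswith(EXECUTABLE_SUFFIXES),
        })
        pos += 46 + name_len + extra_len + comment_len
    return entries


def gateway_verdict(data: bytes):
    """('block', reasons) when any entry is encrypted or names an executable."""
    reasons = []
    for entry in scan_zip(data):
        if entry["encrypted"]:
            reasons.append("encrypted entry %r cannot be scanned" % entry["name"])
        if entry["executable"]:
            reasons.append("executable entry %r" % entry["name"])
    return ("block" if reasons else "pass"), reasons


def constructed_archive(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Build a one-entry stored ZIP; optionally set the encryption flag in both headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        # The payload stays in clear; only the flag is set, which is all a gateway
        # without the password can see of a real encrypted entry.
        for sig, flag_offset in ((LFH_SIG, 6), (CDH_SIG, 8)):
            pos = data.find(sig)
            (flags,) = struct.unpack_from("<H", data, pos + flag_offset)
            struct.pack_into("<H", data, pos + flag_offset, flags | FLAG_ENCRYPTED)
    return bytes(data)


if __name__ == "__main__":
    sample = constructed_archive("document.exe", b"MZ...", True)
    print(gateway_verdict(sample))
```

The verdict is deliberately coarse: an archive the scanner cannot open is treated as unscannable rather than clean, which is the policy the March 3 note describes many organizations adopting, and the entry names give the helpdesk something concrete to quote back when a legitimate sender is affected.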