Yet another day, another new Netsky has been found. This time it's a stripped down modification of the last variant - at least 80% of the same functionality is kept.
The Q variant of Netsky (which was found yesterday) makes the infected PCs play random beeps today. Which can be very annoying. To hear what the beeping sounds like, click here.
Here's an example of what messages sent by Netsky.Q can look like:
CAIDA has released an interesting paper on the Spread of the Witty worm. Their analysis shows several interesting facts, including that the worm apparently infected 12 000 computers, and that it was mostly likely spread using a hitlist.
I would think the figure of 12 000 infected computers is on the low side. Many of the infected machines managed to corrupt themselves almost instantly, before they had much chance to make themselves "visible" to the net. Also, many infected computers were behind other firewalls, which could have prevented them from scanning others. And there are several unconfirmed reports citing fairly large internal infections in corporate environments.
CAIDA is also the home of one of the all-time-favourites: a world map MOV animation showing 24 hours of the spread of the Code Red worm in July 2001.
A new Sober.E worm was found spreading in Germany on Sunday March 28th, 2004. The worm replaces 'From:' filed so the infected email looks like it comes from @gmx.net or @gmx.de. The size of the attachment is 30720.
The Snapper worm shouldn't be a problem any more though, as it relies on the existance of a hacked webserver in USA. We contacted the ISP behind it yesterday and the server seems to be down now (we haven't received confirmation though). As long as it's down, the worm won't work.
The new Netsky.P variant was found on March 21st, 2004. It spreads itself as a dropper that copies itself to Windows folder and then extracts the main worm's file there. Netsky.P is functionally similar to previous variants.
F-Secure Anti-Virus detects Netsky.P worm with the latest updates. More information in the virus description.
The Witty worm is going around fast...but only affects users running BlackIce software. However, on infected machines the worm seems to do really bad damage, overwriting random parts of the hard drive as long as the machine is infected.
Remember, disinfection is as easy as disconnecting the machine from the internet and rebooting it.
Unfortunately there might be lots of overwritten machines waiting at workplaces on Monday morning.
We've agreed to call this new network worm "Witty", based on the texts inside the worm ("insert witty message here"). For details, see the virus description.
Do note that this is a completely automatic network worm. It never sends any emails, and it can infect vulnerable machines without any human help. It spreads as in-memory process, so infected machines can be cleaned temporarily by rebooting them.
This worm has similarities to the infamous Slammer worm, which used a hole in MSSQL systems to spread and caused massive amounts of network traffic in January 2003.
Slammer was 376 bytes in size while Witty is 909. So both are tiny. Both never hit the hard drive. Both use UDP packets to spread. And both were distributed around the same time. Slammer was released at 05:31 GMT on Saturday 25th of January 2003. The first captured infection of Witty we are aware of was at 04:45 today, Saturday the 20th of March 2004.
F-Secure's firewall applications automatically block this worm without any updates. They will also filter the UDP traffic generated by the worm.
A new worm (known so far as "Blackworm") has been found. This one spreads through direct network connections, targetting machines that are running BlackIce security software.
If you're running BlackIce, we recommend disconnecting from the network immediatly and getting the patch from the vendors website on another computer, then transferring it on a massmedia device to the machine for an update.
Number of infected computers right now seems to be several thousands. The worm is generating substantial amounts of traffic to random UDP ports (with source port of 4000).
Mydoom.F - which was found a month ago - has been gaining ground over the last weeks. It's now in the the Top 10 of current virus threats. This virus also runs a sustained DDoS attack against the website of Recording Industy Association of America at www.riaa.com.
This site has been down since Wednesday. There is some speculation on whether this is caused by Mydoom.F or not.
The same worm also attacks www.microsoft.com, which is doing just fine.
F-Secure Corporation released the special disinfection tool to clean all known at the moment W32/Netsky worm variants. The tool is available in EXE, ZIP and JAR format. You can download the F-Netsky tool from our ftp site:
These new Bagles (by the way, one more variant was just found, named Bagle.S) are using a new technique to spread. They do not send themselves in email attachments like you would expect. Instead, they send emails which contain a HTML exploit.
When read, this HTML code will cause the recipients machine to download and run an executable from a web server...a web server which is installed to home machines infected by one of the previous Bagles. These worms contain lists of hundrerds of IP addresses which are running such a web server.
Most firewall programs would prevent running such a web server on a workstation (for example Windows XP's default firewall will do if it is activated). But the party behind Bagle seems to be only using machines which are not behind such firewalls.
As the HTML exploit runs automatically (on unpatched systems) when the email is read, users don't have to doubleclick anywhere to get infected - reading or previewing the email is enough.
Downloading the attachment from a website is not a totally new technique. In particular, an email worm called Fagled did this already in 2002. For more information, see https://www.f-secure.com/v-descs/fagled.shtml
Two new variants of the Bagle family have been found. They are really really similar to each other, most likely the second one is a minor, recompiled variant.
Not a big surprise: a new Netsky variant has been found. This one doesn't seem to be too widespread (we only have one report so far, from Australia). But it's nasty, as it sends messages with fake announcments from antivirus vendors claiming the attachment is scanned and declared clean - when it's not.
This variant names several antivirus vendors, including us.
Here's an example of an email sent by Netsky.O:
From: random-email-address To: recipients-email-address Subject: Re: Mail Authentification
Please authenticate the secure message.
+++ Attachment: No Virus found +++ F-Secure AntiVirus - You are protected +++ www.f-secure.com
After checking the latest Bagle and Netsky worm variants we have come to the following conclusions:
1. Now the Netsky worm is most likely manufactured by another person/group. A message inside the latest Netsky.N worm indicates that a new person/group has acquired the source code of the worm and they are going to continue the war against Bagle and Mydoom authors. The war was started by the original Netsky worm authors.
2. The latest variants of Bagle worm started to kill processes of Netsky worms and began to delete Netsky's startup keys from System Registry. This indicates that the person/group behind Bagle worm has joined the war against Netsky. The latest Bagle variant deletes startup keys of many Netsky worm variants and kills a process of at least one Netsky variant - Netsky.M.
Bottom line: In the future we are most likely going to see new Netsky and Bagle variants regularly until people creating them give up or get arrested.
A new variant in the NetSky family has been found. The new variant is very similar to the previous ones with one exeption: it adds a fake "No Virus Found by " note to the end of the messages it sends.
This new Bagle has new features, and it seems to be spreading surprisingly fast for a new email worm to be found during a weekend.
Once again it sends itself in variable emails as PIF or EXE attachments.
Icon for the EXE resembles the icon for a Windows TrueType font:
This time the executable can be packed inside a ZIP or RAR archive, which can be encrypted with a password. Password can be shown as a BMP/GIF/JPG image, like this:
Password:
This is of course an attempt to make the work of gateway-based scanners harder (after we and many other vendors started detecting password-protected ZIP files sent by previous Bagles).
Interestingly, underneath the packing and encryption, there's an ASCII graphic picture...of a butterfly. Along with some texts we won't be repeating here.
A new Bagle.M variant has been found 15 minutes ago. It drops a new Mitglieder.T proxy trojan and an loader component for it. This variant is similar to the previous Bagle.L. More information is available here:
We have reason to believe the two latest Netsky variants are not written by the original viruswriter behind this family. As he earlier claimed to stop distributing new variants and instead release the source code of the worm, this might be exactly what happened. After that, third parties have modified the source code and released new variants based on it.
This is just speculation, and we're not sure if the source code of Netsky has been posted publicly. At least we haven't seen it.
We got reports today of Cidra.D, yet another in a long list of trojan proxies aimed at relaying spam from unaware users' computers.
Cidra.D was spammed, lacking a mechanism to spread by itself. Worth noting is the fact that the worm's proxying feature could be use to spread newer copies of it or other malware.
Recently several new Agobot backdoor variants were discovered. The most widespread at the moment is Agobot variant that we detect as 'Backdoor.Agobot.fo'. We also got infection reports about another Agobot variant: 'Backdoor.Agobot.ev'. Both these variants have 'phat' strings in them. Additionally in 'Agobot.fo' variant the 'Agobot' string is changed to 'Phatbot'. This indicates that both these variants were most likely made by the same person or group.
Well, we didn't see a new Bagle variant for six days...but a new one was found today. This one is a minor variant repacked with ASPack. Many antivirus programs will detect it automatically, typically as Bagle.K.
Then we found something else. Something which resembles members of the Bagle family a lot, but which does not spread. So it's not a virus. It's apparently written by the same group though.
This thingie drops the Mitglieder proxy trojan, which has been used by spammers several times in the past. We're not sure how this new Bagle look-a-like is actually spreading, as it contains no replicating code. It might simply be spammed as email attachments - most likely from machines which were previously infected.
The Mitglieder trojan acts as an interesting link between the Bagle and Mydoom families. The first known version of this proxy trojan was used by Bagle.A in January 2004. Bagle.A downloaded it from a web site and installed it to infected computers
Around the same time, Mydoom.A was infecting machines around the world, leaving a small backdoor to each infected computer. Several days after the initial outbreak someone who knew how to operate the backdoor portscanned large parts of the internet address space and installed another version of the Mitglieder trojan to these machines - and started sending spam through them.
The fact that both Bagle and Mydoom families are utilizing the Mitglieder trojan might indicate that in fact it's a single group behind both of them. It might be different programmers, but the same organization.
The way these worms use Mitglieder is the next logical step from the way earlier spam-related worms such as Lovgate and Sobig used Wingate. Wingate proxy server is commercial network software, but many worms have used it in violation of its license agreement to install hidden proxy functionality. Some trojans such as Migmaf carried an embedded copy of it within itself.
In fact, I wouldn't be surprised if all of these worms would be connected to each other. The great Lovgate-Sobig-Bagle-Mydoom conspiracy!
If we look at the current virus outburst as a whole, variants of the three main virus families (Bagle, Mydoom and Netsky) have been released in three bursts: first in the end of January - this is when the infamous, SCO-attacking Mydoom.A was released - then in the middle of February - when first Netsky was found - and then in the end of February. This last burst is still continuing, as can be seen from the table below.
The different virus families are colour-coded.
DEVELOPMENT OF THE BAGLE, MYDOOM AND NETSKY VIRUS FAMILIES
One more Netsky variant found, although it's a bit unclear if this was actually distributed before Netsky.J (which we found earlier today). This new 22016 byte long variant seems to be spreading a bit more than some of the other recent variants.
Typical message sent by this variant could look like this:
From: spoofed-address To: random-address Subject: Re: Your music
A new variant of Netsky has been found. With no major new features it does continue the flame war among malware writers. Apart from the usual childish rantings, they also promise this will be the last version of it.
A new Sober.D worm was found in Germany early this morning. Similar to previous Sober variants it sends emails in both German and English. Sober.D pretends to be a MS update to remove Mydoom. The infected email comes from a fake Microsoft address. The attachment is exe or a zip archive.
Going back to check the DNS history of www.sco.com, we noticed that SCO had already attempted once to bring back the site.
This happened a week earlier, on Friday the 27th of February. Back then, the site was in DNS from around 06:16 to 06:47 GMT. Then the site was out of DNS until Friday the 5th of March.
Perhaps the DDoS load from Mydoom-infected machines was still too heavy and they decided to wait another week.
---[2004-02-27 08:16:54 ] Querying round started. Using domain server: Name: NS.CALDERASYSTEMS.COM Address: 216.250.130.1#53 www.sco.com. has address 216.250.128.12
Mydoom.A worm created a large-scale distributed denial-of-service attack against the www.sco.com domain between February 1st and February 12th. As many infected computers had their clocks set wrong, the attack continued well after the expiration date.
As a result, SCO has kept the www.sco.com domain out of DNS.
But now they brought it back, and it is again operational. This change happened on Friday the 5th of March around 06:01 GMT according to our monitoring system.
[c:\]host www.sco.com www.sco.com has address 216.250.128.12
[c:\]host sco.com sco.com has address 216.250.128.21
It has been quiet for last 22 hours. We just got a new NetSky.H variant. With the current updates, we detect it as a variant of NetSky.F, and we will release exact detection shortly:
The latest known variants of Mydoom, G and H, display the following icons, hoping that people's curiosity will make them click and therefore execute the worm.
Another NetSky worm variant - NetSky.G was found on 4th of March 2004. This variant spreads itself in e-mails as an executable attachment.
This worm contains another insulting message for the authors of Bagle and Mydoom worms and a proposal to meet in person in some location in the USA. The location name is encrypted.
Like its previous variants, NetSky.G tries to uninstall Bagle worm from an infected computer.
We've been thinking about the situation, and decided that describing the details of the current fight between Bagle & Mydoom vs Netsky might only make the situation worse.
So we're going to try this: we'll limit the detail a bit on what we actually find from the internals of the related viruses we analyse. There's no need for us to operate as some kind of forum for the virus writers to discuss.
Lets see if this would change the situation at all.
We'd be interested in hearing your thoughts on this too. As usual, feel free to contact us:
Many, many organizations seem to have started dropping all incoming ZIP file attachments. Unfortunately it seems that a ZIP files are becoming as risky as executables. Especially under Windows XP the distinction between a ZIP archive and any folder is just disappearing.
Bagle is getting more and more clever about the messages it sends. The latest variant can send widely variable mails, referencing the recipients' company or domain name directly.
For example, if your email address is BOB@ACME.COM, you might get a message like this:
This is getting ridiculous - we've just found Bagle.J (10th variant) - and Mydoom.G! Previous Mydoom variant was found almost two weeks ago, on February 20th.
Bagle.J spreads also in password protected ZIPs but uses a Wordpad icon instead of the folder icon.
Bagle.J includes this hidden message:
"Hey, NetSky, f*ck off you b*tch, don't ruine our bussiness, wanna start a war ?"
While Mydoom.G includes this:
"to netsky's creator(s): imho, skynet is a decentralized peer-to-peer neural network. we have seen P2P in Slapper in Sinit only. they may be called skynets, but not your shitty app."
So apparently the authors of Bagle and Mydoom wanted to send a message to the authors of Netsky.
Bob Sullivan has an interesting (and timely) article on the recent outburst of viruses...and its effects on antivirus researchers at: http://msnbc.msn.com/id/4422372
We had some questions about our virus statictics and how the graph seems drop on this morning. The drop is due to the fact that it is still early morning here, and there hasn't been too many samples for this day (yet). Unfortunately the graph will pick on on the next couple hours.
Currently the NetSky.D covers about 67% of all samples we see.
Bagle.F is going around at the moment. Apparently the trick with encrypted ZIP files is working and enables to virus to enter corporate networks better than normal attachments.
Also, the F variant uses a deceiving icon for the infected attachments - they look like folders:
