March 1st, 2004 05:46 PM
A internal update from a company I am invovled in
This is something that came over the internal email at a company I work for... I googled to try to find the source... was unable, so sorry I couldnt list the source... but this just covers viral activitys seen over the weekend. Just a heads up. Please dont flame me for cut and paste, or posting without a link - I spent 5 min trying to find it....
Looks like theres 3 quotes from different companies in there...
A barrage of Bagle worm variants, along with a new Netsky worm,
kept up many a virus researcher busy this weekend.
Bagle-C appeared late on Friday and was followed by four other
variants in quick succession. "It appeared the writer was monitoring
the antivirus vendors and, when detection was added, he changed
the worm," said Mikko Hypponen, manager of antivirus research for
Finland-based F-Secure Corp.
Just this morning, Netsky-D started spreading quickly. In terms of
social engineering, the new Netsky variant is similar to its brethren.
It uses a single word or a short phrase for its subject lines and message
The worm attached to the messages is a program information file
(with a .pif extension). This kind of file normally is used to help Windows
run non-Windows programs. Most people probably don't realize that such
files can contain executable code and that they are becoming increasingly
popular with worm writers.
There aren't too many differences among Bagle-C, -D and -E. They used
varying subject lines and message bodies. Bagle-F and -G, however, use
a new trick; they travel as password-protected .zip files, with the password
in the message body. "That technique can get around ISP or webmail
scanning, as the scanner wouldn't be able to look inside the protected file,"
said Graham Cluley, senior technology consultant with U.K.-based Sophos PLC.
But such an approach has a major weakness, Cluley said. "It would require
a little more user interaction, as they would need to enter the password to
open the file," he said.
The Bagle variants all send copies of themselves using self-contained SMTP
engines. They spoof the sender's address so it's hard to detect which machine
actually sent the message. The worm finds e-mail addresses to send itself to
by scanning infected systems.
The variants also use a variety of icons to lull recipients into thinking the
attached worms are legitimate files. For example, Bagle-F appears to be
a file folder. Bagle-E appears as a text file, and Bagle-C seems to be an
Excel file. Savvy users will notice, however, that the file extensions don't
reflect those file formats.
The Bagle variants also open up TCP port 2745 on infected machines. The
open port tries to notify the worm writer that it's ready to accept instructions.
The multitude of worms that appeared over the weekend may leave some
security pros dizzy -- but worm outbreaks don't have to have that effect, said
Ian Hameroff, director of eTrust security products for Islandia, N.Y.-based
Computer Associates International Inc. "People shouldn't treat malware in
an episodic fashion."
For example, blocking executable file types such as .exe, .pif and .scr would
block many viruses and worms, including Netsky-D. ".Pifs haven't been a
relevant file extension since the Windows 3x days," he said.
Traditionally, companies have resisted blocking .zip files, because they do
have a legitimate business purpose. Given the recent use of the file format
by worm writers, it may be time for companies to strongly consider blocking
The Netsky variants "are further examples that worms are finding success
in using .zip file extensions, and this file extension can no longer be known
as a safe, acceptable file to allow through e-mail gateways," said Bruce
Hughes, director of malicious code research at Herndon, Va.-based
The ark was built by amatures...
The Titanic was built by professionals.