With new Bagle and Netsky worms, March comes in with a roar

IDG News Service - The saying goes that March comes in like a lion and goes out like a lamb. But with new versions of the Bagle e-mail worm and a virulent new form of the Netsky virus, March's arrival is looking more wormy than leonine.
Five new versions of Bagle and a new variant of Netsky appeared over the weekend and are spreading rapidly on the Internet, generating a huge volume of virus-infected e-mail messages. The new virus versions use a variety of so-called social engineering techniques to fool users. Some new variants also hide in password-protected .zip files to slip past antivirus filters and into users' e-mail boxes, said Graham Cluley, a senior technology consultant at Sophos PLC.
Netsky.D, a new version of the Netsky worm, is believed to be the biggest threat in the group. As of today, Netsky.D was spreading rapidly on the Internet and flooding e-mail servers with infected messages, according to Cluley.
Some of Sophos' customers were receiving thousands of Netsky.D infected messages each hour. That number could increase as U.S. workers return to their desks after the weekend, he said.
The original Netsky worm first appeared on Feb. 16. Since then, three more variants have been released on the Internet. Like its predecessors, Netsky.D scans an infected computer's hard drive for files containing e-mail addresses and then sends copies of itself to those addresses, antivirus companies said.
Netsky.D affects machines running Microsoft Corp.'s Windows operating system and arrives in e-mail messages with randomly generated subject lines such as "Re: Document," "Re: Your picture" or "Re:approved." The Netsky.D worm disguises its payload as a .pif (for program information file) attachment that also has a randomly generated name such as "my_details.pif," "document.pif" or "mp3music.pif."
Unlike its predecessors, NetSky.D doesn't spread on peer-to-peer networks, and doesn't use a .zip file to conceal its contents, according to antivirus company Network Associates Inc.
The gaggle of new Bagle worms that appeared in recent days use many of the same tricks as the new Netsky worms, and some new techniques, according to antivirus companies.
Bagle versions C, D, E, F and G appeared between Saturday and Monday and are variants of the first Bagle worm, which appeared on Jan. 19. All versions target systems running Windows, harvest e-mail addresses from infected machines and open a TCP port to listen for commands from a remote attacker, according to an alert released by computer security company iDefense Inc.
Bagle.C appears to be the most virulent of the bunch. Sophos has received hundreds of reports of messages

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.