New versions of Bagle and Netsky worms roil Internet

IDG News Service - Serial worm outbreaks continued today as new variants of the Bagle and Netsky e-mail worms spread on the Internet.
Since yesterday, antivirus companies have identified two new versions of the Bagle worm, dubbed Bagle.H and Bagle.I, and a new version of the Netsky worm, Netsky.E, just hours after five new versions of Bagle and Netsky.D, a virulent new take on that worm, were released, antivirus companies said (see story).
The new worm versions were rated "low" threats by Symantec Corp., indicating that they were spreading slowly. However, Network Associates Inc.'s McAfee antivirus unit increased its rating of Bagle.H from a low to a "medium" threat, based on an increased number of submissions from customers and other Internet users, said Brian Mann, outbreak manager at NAI's McAfee Antivirus Emergency Response Team unit.
NAI researchers received a "couple hundred" Bagle.H submissions, which roughly correlates to hundreds of actual infections, Mann said. That prompted the rating change.
Both new versions of the Bagle worm spread in .zip files that require passwords to open, similar to the Bagle.F and Bagle.G variants that appeared over the weekend. The virus authors provide the password to unlock the .zip file in the e-mail message containing the virus.
Hiding their creation in a password-protected file allows authors to slip the virus by gateway antivirus filters, which can't decode the file to read the signature of the virus inside, said Mann. But some antivirus products can spot the virus by comparing information about the zipped file attachment to known samples of the worm.
Most new versions are modifications of previous versions, with slight changes to the subject lines, message text and attachments used to lure unsuspecting recipients, he said.
Antivirus experts don't know who is to blame for the flood of new worm variants that have appeared since mid-January, when Bagle and Mydoom first surfaced. Competing groups of virus writers may be behind the releases, using worms to battle for Internet turf that is measured in compromised hosts, Mann said.
Earlier versions of the Netsky worm removed copies of the Mydoom virus, which may be evidence of a kind of one-upmanship between virus authors, he said.
While the Bagle worm continued to throw off new variants, Netsky.D kept up an assault on e-mail in-boxes with virus-generated e-mail messages. Symantec updated Netsky.D to a "severe" threat yesterday, citing an "increased rate of submissions."
NAI researchers saw a decrease in the volume of Netsky.D mail today, but they still rate it a medium threat and expect it to "be around fora while," Mann said.
Researchers are also looking at the security risks posed by the viruses, many of which open communications ports on infected systems that can be used to upload malicious software or remotely control the infected systems, he said.

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.