Information Technology Division (IT) Computing and Communications Services News
June, 2005
 

Monthly Virus Update: More Than 68,000 Worms Destroyed

Last month the number of viruses and worms caught and destroyed by the LBNL virus wall jumped sharply to 68,676 (compared with 38,849 the previous month). This difference can largely be attributed to a newcomer on the scene, the Sober.S worm, which led all others with 30,266 instances identified and eradicated. The Sober.S worm is another mass-mailing worm that targets Windows systems. If users open an attachment containing this worm and their system’s anti-virus software has not been updated, their system will become infected. Sober.S arrives as a message from a spoofed email address copied from an address book or file in an infected system or from a fictional address such as Ticket@<some domain> or Verlosung@<some domain>, where <some domain> is a randomly chosen domain name. The text can be in English or German. Attachment extensions are always .zip. Once it infects a system, the Sober.S worm displays a message that appears to be from the WinZip Self-Extractor that reads: "Error: CRC Not Complete." Sober.S also creates numerous files in the system folder and system installation folder. To make sure that it runs every time the system boots, this worm adds two values to the infected system's registry. Additionally, Sober.S deletes certain files, especially files used by anti-virus software. It checks the time by connecting to a Network Time Protocol (NTP) server; if the date is May 9 or earlier, this worm creates a Simple Mail Transfer Protocol (SMTP) engine to send a large number of copies of itself to addresses that it has found in the infected system. If the date is May 10 or later, Sober.S attempts to connect to one of a large number of URLs instead.

The Netsky.P worm came in second with 22,151 copies found and deleted (compared with 26,258 the previous month, which was good enough for first place then). Like virtually every other major worm that has surfaced within the last few years, Netsky.P targets Windows systems; it adds files to the system folder and changes the registry to cause the worm code to start every time the infected system starts. This worm also mails copies of itself to addresses that it obtains from address books and other files in systems that it has infected. It generates curiosity-provoking subject lines and messages to lure users into opening the attachment it sends, thereby causing their systems to become infected.

The Netsky.D worm was once again found and eradicated third most frequently. The virus wall destroyed 2,458 instances (up slightly from 2,184 last month) of this worm, which, like Netsky.P, has been prevalent for quite a while. Netsky.D is like the other members of the Netsky family in that it targets Windows systems and creates a mail engine that spews messages containing infected attachments with subjects such as "Re: Thanks," "Re: Hi," "Re: Your website," "Re: Your Word file," and "Hello." Examples of message bodies include: "Here is your file," "Your file is attached," "Your document is attached," and "Please have a look at the attached file." The sender's address is bogus; it is one of a number of addresses found in address books and other files in infected systems. Attachments always have a .pif extension. Netsky.D also changes Registry values and modifies files in systems that it infects.
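The Sober.S and Netsky.D descriptions above give a mail gateway enough to quarantine the obvious cases: Netsky.D always sends a .pif attachment under one of a handful of stock subjects, and Sober.S sends a .zip attachment from a Ticket@ or Verlosung@ address at a random domain. The following script is an added example, not code from the newsletter or from the LBNL virus wall; it assumes a minimal envelope view (sender, subject, attachment names), and the sample messages and domains are constructed for illustration.

```python
from dataclasses import dataclass, field

# Indicators below are taken from the newsletter text (stock subjects, sender
# local parts, attachment extensions); they are illustrative, not a vendor
# signature set, and real filters would pair them with signature-based scanning.
NETSKY_D_SUBJECTS = {
    "re: thanks", "re: hi", "re: your website", "re: your word file", "hello",
}
SOBER_S_LOCALPARTS = {"ticket", "verlosung"}
BLOCKED_EXTENSIONS = {".pif"}   # Netsky.D attachments are always .pif
SUSPECT_EXTENSIONS = {".zip"}   # Sober.S attachments are always .zip


@dataclass
class MailMeta:
    """Minimal envelope view a gateway filter would see (hypothetical type)."""
    sender: str
    subject: str
    attachments: list[str] = field(default_factory=list)


def _extension(filename: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot != -1 else ""


def classify(msg: MailMeta) -> list[str]:
    """Return the reasons this message should be quarantined (empty = clean)."""
    reasons: list[str] = []
    exts = {_extension(a) for a in msg.attachments}
    subject = msg.subject.strip().lower()
    localpart = msg.sender.split("@", 1)[0].lower()

    # Rule 1: a .pif attachment is an executable dressed as a shortcut; block it
    # regardless of sender or subject.
    if exts & BLOCKED_EXTENSIONS:
        reasons.append("executable .pif attachment")

    # Rule 2: Netsky.D pairs the .pif attachment with one of its stock subjects.
    if exts & BLOCKED_EXTENSIONS and subject in NETSKY_D_SUBJECTS:
        reasons.append("Netsky.D-style subject with .pif attachment")

    # Rule 3: Sober.S sends .zip attachments from Ticket@ or Verlosung@ at a
    # randomly chosen domain, so match on the local part only.
    if exts & SUSPECT_EXTENSIONS and localpart in SOBER_S_LOCALPARTS:
        reasons.append("Sober.S-style sender with .zip attachment")

    return reasons


def scan(messages: list[MailMeta]) -> dict[int, list[str]]:
    """Map the index of each flagged message to its quarantine reasons."""
    flagged = {}
    for i, msg in enumerate(messages):
        reasons = classify(msg)
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed sample traffic; the .invalid domains are placeholders.
SAMPLE = [
    MailMeta("Ticket@random-domain.invalid", "Ihr Ticket", ["ticket.zip"]),
    MailMeta("alice@example.invalid", "Re: Your Word file", ["document.pif"]),
    MailMeta("bob@example.invalid", "Re: meeting notes", ["notes.zip"]),
    MailMeta("carol@example.invalid", "Hello", ["photo.jpg"]),
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE).items():
        print(f"QUARANTINE message {index} ({SAMPLE[index].subject!r}): "
              f"{'; '.join(reasons)}")
```

Rule 1 is the one worth keeping long after these particular worms fade: blocking executable attachment types at the gateway does not depend on anti-virus signatures being current, which is exactly the gap the newsletter says these worms exploit. Rules 2 and 3 only add a labelled reason so analysts can see which family the traffic resembles.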

New versions of Mytob (Mytob.EY, Mytob.FA, and Mytob.EZ) have recently surfaced. Although each of these mutations of the original Mytob worm works somewhat differently, they also have much in common. They copy themselves into the system folder, modify the Registry so that they run every time the infected system boots, kill security-related processes, glean addresses from address books and files in systems they have infected, and set up a mail engine to send volumes of mail to addresses they have obtained. They also create a back door that can allow an attacker to take control of any system that they have infected.

If you want to avoid virus and worm infections, run anti-virus software, update it every day, and avoid opening attachments that you are not expecting, even if they appear to be from someone you know.