Information Technology Division (IT) Computing and Communications Services News
May, 2005

Monthly Virus Update: More than 38,000 Worms and Viruses Zapped

Last month the LBNL virus wall stopped a large number (38,849) of potential virus and worm infections by identifying and destroying these malicious programs before they reached the intended victim systems. In contrast, the number in April was 43,001. For the 12th straight month, this virus wall detected and eradicated the Netsky.P worm more than any other worm or virus, with 26,258 copies found and deleted (a small decline from the 29,549 copies found and deleted in April). Netsky.P targets Windows systems; it mails copies of itself to addresses that it gleans from address books and other files on systems that it has infected. It includes interesting subject lines and messages to entice users into opening its attachments, thereby causing their systems to become infected.

The Netsky.Z worm came in second last month with 2,443 copies (up from the previous month's 1,482 copies) detected and destroyed. Netsky.Z is another mass-mailing worm that infects Windows systems, spoofing sender addresses in an attempt to entice recipients of the messages it sends into opening attachments, thereby resulting in their systems becoming infected. This worm arrives as a message with a number of different subject lines, message bodies, and attachment names. Examples of subject lines include: “Hello,” “Hi,” “Important,” “Important bill!,” “Important data!,” “Important details!,” “Important document!,” “Important informations!,” “Important notice!,” “Important textfile!,” “Important!,” and “Information.” Attachments are .zip files with one of the following names: Bill.zip, Data.zip, Details.zip, Important.zip, Informations.zip, Notice.zip, Part-2.zip, or Textfile.zip. Netsky.Z invades systems by copying itself into the system folder of each system it infects and then creating an entry in the Registry that makes this worm run every time the infected system starts. Netsky.Z also creates multiple copies of itself, creating zip files in the process, and installs a mail engine that it uses to send messages with infected attachments to addresses that it locates in address books and other files. Additionally, this worm initiates denial of service attacks against several Web sites.

The Netsky.D worm was detected third most frequently with 2,184 instances found and destroyed (compared to 3,580 last month). Netsky.D, which like the other members of the Netsky family targets Windows systems, creates a mail engine that spews messages containing infected attachments with subjects such as "Re: Thanks," "Re: Hi," "Re: Your website," "Re: Your Word file," and "Hello." Examples of message bodies include: "Here is your file," "Your file is attached," "Your document is attached," and "Please have a look at the attached file." The sender's address is spoofed--it is always one of a number of addresses found in address books and other files in machines that this worm has infected. Attachments always have a .pif extension. Netsky.D also changes Registry values and modifies files in systems that it infects.
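The subject lines and attachment names listed for Netsky.Z and Netsky.D above are exactly the kind of indicators a mail gateway can match on. The following is an added example (not code from the Lab's virus wall) that turns those listed indicators into a simple classifier and runs it over constructed sample messages; the rule that a Netsky.Z hit needs both a listed subject and a listed .zip name, and that any .pif attachment is flagged even without a listed subject, is an assumption made here for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators as the newsletter lists them (matched case-insensitively below).
NETSKY_Z_SUBJECTS = {
    "hello", "hi", "important", "important bill!", "important data!",
    "important details!", "important document!", "important informations!",
    "important notice!", "important textfile!", "important!", "information",
}
NETSKY_Z_ZIPS = {
    "bill.zip", "data.zip", "details.zip", "important.zip",
    "informations.zip", "notice.zip", "part-2.zip", "textfile.zip",
}
NETSKY_D_SUBJECTS = {"re: thanks", "re: hi", "re: your website",
                     "re: your word file", "hello"}


def classify_message(raw: bytes) -> list[str]:
    """Return the worm patterns that a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    hits = []
    # Netsky.Z: a listed subject line together with a listed .zip name.
    if subject in NETSKY_Z_SUBJECTS and any(n in NETSKY_Z_ZIPS for n in names):
        hits.append("Netsky.Z")
    # Netsky.D: attachments always carry .pif; a listed subject raises confidence.
    if any(n.endswith(".pif") for n in names):
        hits.append("Netsky.D" if subject in NETSKY_D_SUBJECTS else "suspicious .pif")
    return hits


def build_sample(subject: str, filename: str) -> bytes:
    """Constructed test message with a harmless attachment body (no worm code)."""
    msg = EmailMessage()
    msg["From"] = "spoofed-sender@example.org"   # placeholder address
    msg["To"] = "user@example.org"               # placeholder address
    msg["Subject"] = subject
    msg.set_content("Please have a look at the attached file.")
    msg.add_attachment(b"placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, fname in [("Important notice!", "Notice.zip"),
                        ("Re: Your website", "yourfile.pif"),
                        ("Meeting agenda", "agenda.pdf")]:
        print(subj, fname, "->", classify_message(build_sample(subj, fname)))
```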

New versions of the Sober worm, particularly Sober.O and Sober.P, caused some trouble and confusion among Lab Windows users last month. These worms were apparently written solely for the purpose of sending spam. They create files in the system folder of each system into which they have been downloaded, change the Registry so that their code executes every time the infected system boots, check their network connection, gather email addresses from the infected systems and then try to send spam in German or in English to the email addresses that they have gathered. They also change security-related configuration settings and delete certain security-related files. Finally, they may also attempt to download a file from a number of domains.

To prevent worm and virus infections, run anti-virus software, which is available for free at the Lab’s download page. For tips on running and updating your anti-virus software, go here. And avoid opening attachments that you are not expecting, even if they appear to be from someone you know.