September, 2003

Monthly Virus Update: And Oh What a Month It Was
Ho-hum, just another LBNL virus wall report, right? Think again -- last month was the busiest ever. Without the virus wall, so many Windows machines would have become infected with worms and viruses that desktop computing at LBNL would have come to a virtual standstill. The LBNL virus wall dealt with a total of 100,579 infected messages and attachments, a huge increase from the previous month's number (3,321)! The Sobig.F worm (with 97,228 instances detected and eradicated) was the main reason that the virus wall became so much busier. Like earlier versions, this worm is a mail-borne worm that targets Windows systems. It arrives as a mail attachment with a subject such as "Re: Details," "Re: Approved," "Re: Your application," and "Thank you!" The attachment has names such as "application.zip," "details.zip," "document_9446.zip," "movie0045.zip," and "wicked_scr.zip." If anyone opens the attachment and the antivirus software is not up to date, Sobig.F copies itself into the system and then adds an entry to the Registry so that it starts every time the infected system is booted. It then downloads several executables, one of which creates a spam relay server that spews messages with infected attachments to users whose names it finds in address books and other files on the systems it has infected. Curiously, although programmed to become dormant on September 10, 2003, Sobig.F is still very alive and well.

For the first time in over a year, Klez was not the most prevalent worm or virus. The Klez.H worm, another mail-borne worm that infects Windows systems, came in second with 1,028 instances, down somewhat from last month. Variants of the Lovelorn (W32/Lovelorn@MM) worm were third most prevalent with 576 instances. Lovelorn infects Windows systems by sending itself as an attachment (either an .exe or an .htm file). As with Sobig.F, if a user opens this attachment and antivirus software is not up to date, Lovelorn infects the system by copying itself, along with the files it later sends to other systems, into the system installation folder. The worm then writes an entry to the Registry to ensure that it restarts every time the system boots, and creates a mail engine to send copies of itself to other systems. The "From:" line of each message indicates that the message was sent from an address such as lovelorn@yahoo.com or from an address found in files on the system Lovelorn has infected. The subject line is "There're some Passwords here" or "Re:Get Password mail..." Finally, Lovelorn attempts to turn off antivirus software.

The Blaster worm and its many variants, discussed in last month's Computing and Communication Services News, continue to infect Internet systems by exploiting a vulnerability in the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) interface in Windows 2000 and XP systems. Three new RPC DCOM interface vulnerabilities have recently been discovered and a new worm is almost certainly imminent, so if you have not installed the latest patch, be sure to go to "Important Notice to Windows NT/2000/XP Users" at http://www.lbl.gov/ITSD/Security/ to download and install the appropriate patch for your particular system.

Another new mail-borne worm, the Swen (Win32.Swen.A) worm, has recently surfaced. It mails copies of itself in the form of a realistic-looking yet bogus Microsoft security bulletin that announces a "September 2003 Cumulative Patch" for Internet Explorer, Outlook, and Outlook Express and contains an attachment that it claims is the patch. The attachment is in reality a copy of the Swen worm. Because the Windows user community has been so bombarded with worms and viruses, the temptation to open the attachment within this "security bulletin" is, unfortunately, great.
IF YOU RECEIVE A COPY OF THIS ALLEGED MICROSOFT BULLETIN, DELETE IT IMMEDIATELY--DO NOT OPEN IT AND DO NOT SEND IT TO OTHERS! Remember, Microsoft never distributes patches via email.
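As an added example (not part of this newsletter and not the LBNL virus wall's own code), the subject lines, attachment names, sender address and bulletin wording quoted above turned into a mail-gateway triage check run over constructed sample messages; the sender placeholder and sample file names are assumptions. It also shows the caveat a filter needs: a suspicious subject with no attachment is not flagged, because the attachment is the carrier.

```python
# Added example: triage check for the Sobig.F, Lovelorn and Swen indicators in
# this report. Not the LBNL virus wall's code; sample messages are constructed.
from email.message import EmailMessage
from typing import Optional

# Subject lines and attachment names quoted in the report, in lower case.
SOBIG_F_SUBJECTS = {"re: details", "re: approved", "re: your application", "thank you!"}
SOBIG_F_ATTACHMENTS = {"application.zip", "details.zip", "document_9446.zip",
                       "movie0045.zip", "wicked_scr.zip"}
LOVELORN_SUBJECTS = {"there're some passwords here", "re:get password mail..."}
LOVELORN_EXTENSIONS = (".exe", ".htm")
SWEN_MARKER = "september 2003 cumulative patch"


def build_sample(subject: str, filename: Optional[str], body: str = "see attached") -> EmailMessage:
    """Builds a constructed test message; the sender is a placeholder, not an IoC."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"  # placeholder address
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(b"placeholder-bytes", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg


def classify(msg: EmailMessage) -> Optional[str]:
    """Returns the worm family whose report indicators the message matches, or None.
    A matching subject without any attachment is deliberately not flagged."""
    subject = (msg["Subject"] or "").strip().lower()
    sender = (msg["From"] or "").lower()
    names = [p.get_filename().lower() for p in msg.iter_attachments() if p.get_filename()]
    if not names:
        return None
    # Sobig.F: a known attachment name, or a known subject carrying any attachment.
    if any(n in SOBIG_F_ATTACHMENTS for n in names) or subject in SOBIG_F_SUBJECTS:
        return "Sobig.F"
    # Lovelorn: the password-themed subject or lovelorn@ sender, plus an .exe/.htm.
    if (subject in LOVELORN_SUBJECTS or sender.startswith("lovelorn@")) and \
            any(n.endswith(LOVELORN_EXTENSIONS) for n in names):
        return "Lovelorn"
    # Swen: bogus bulletin text naming the "cumulative patch", with an attachment.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if SWEN_MARKER in body or SWEN_MARKER in subject:
        return "Swen"
    return None
```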