ITSD Computing and Communications Services News
April, 2004
  Monthly Virus Update

The wave of recent infections from Netsky variant worms should send a powerful message to users, especially those on Windows machines. Ensure that your computer's anti-virus software is updated daily and avoid opening attachments that you are not expecting, even if they appear to be from someone you know. A Netsky removal tool, FixNetsky.exe, is available at http://www.lbl.gov/ITSD/Security, but this tool cannot undo some of the many changes that Netsky makes to systems it infects. Consequently, if your system becomes infected, you or your system administrator need to carefully find and reverse all the changes Netsky has made.

The Phabot worm, which started infecting Windows systems several weeks ago, is one of the most troublesome new worms to surface recently. Phabot is polymorphic (meaning that it alters its own code from one copy to the next), which lets it infect systems and spread to others while evading signature-based anti-virus detection. It exploits vulnerabilities in a large number of services and programs, including the Distributed Component Object Model (DCOM), DCOM2, DameWare, the Windows Locator Service, WebDAV, the Windows Workstation Service, Windows shares, and others. Phabot also attempts to discover usernames and passwords for Internet Relay Chat (IRC) channels and FTP server access. If this worm exploits a vulnerability on a system, it starts an FTP server on that system, transfers a copy of the worm executable (named srvhost.exe or svrhost.exe) to it, and modifies the system's Registry so that the copy runs every time the system starts. If it infects a system already infected by MSBlast, Sobig.F or Welchia, it eradicates these worms. It can create an ident server and can even set up an HTTP, HTTPS or SOCKS proxy for the purpose of evading network security mechanisms. Phabot also may attempt to harvest CD keys for Windows and other products, copies of PayPal cookies, and email messages. If it can connect to AOL, it attempts to send spam to other machines, too. Finally, it opens port 4387 on each infected system to allow backdoor access to the system.

Infected systems form a cooperative bot network using both Gnutella (a peer-to-peer file sharing protocol) and IRC channels. See http://www.lbl.gov/ITSD/Security/vulnerabilities/virus-archive-or.html#phabol for procedures for cleaning systems infected by Phabot.

Last month the LBNL virus wall continued to be extremely busy, finding and deleting a total of 111,315 worms and viruses before they could arrive at users' systems. Once again almost all of these worms and viruses target Windows systems. The Netsky family of worms was by far the most prevalent last month. Netsky.D (see http://www.lbl.gov/ITSD/Security/vulnerabilities/virus-archive-netsky.html#netskyd) was detected most often, with 43,176 copies found and destroyed. This worm sends itself as an attachment to a message with a subject such as "Re: Hello," "Re: Hi," "Re: Thanks," "Re: Your website," or "Re: Your Word file" and a message body such as "Here is your file," "Your document is attached," "Please have a look at the attached file," or "Your file is attached." Although the attachment always has a .pif extension, the actual name varies. Examples include your_details.pif, your_picture.pif, your_archive.pif, and mp3music.pif. The sender address is spoofed, taken from entries Netsky.D finds in the infected machine's address book, so a message can appear to come from someone the recipient knows. Users infect their systems by opening the attachment, which causes Netsky.D to immediately copy itself into the system folder as winlogon.exe (the same name as a legitimate Windows component, which helps it hide). The worm then makes changes to the Registry of each infected system to ensure that it starts whenever the system boots. It also deletes certain Registry entries in an attempt to stop the MyDoom worm from running if MyDoom has already infected the system. Finally, Netsky.D runs its own mail engine that sends infected messages to addresses found in address books.

The Netsky.P worm (see http://www.lbl.gov/ITSD/Security/vulnerabilities/virus-archive-netsky.html#netskyp) came in second with 14,065 instances detected and eradicated. Extremely similar to the many other Netsky variants, it copies itself to the infected machine's system folder as "FVProtect.exe." It also drops a copy of userconfig9x.dll in the same folder and loads it. It searches for folders with certain names; if it finds one, it copies itself into the folder as a .exe file with a name such as "Adobe Premiere 10.exe," "ACDSee 10.exe," "Britney Spears full album.mp3.exe," "Cloning.doc.exe," and others (some of which are sexually explicit), so that the copy spreads through file sharing as well. Messages that Netsky.P sends have spoofed sender addresses taken from infected systems' address books as well as others such as support@symantec.com. The subject of such messages varies widely; examples include "Re: Error," "Re: Notify," "Re: Secure delivery," and "Re.: Test." Examples of the message content include "You cannot do that," "I hope you accept the result," "Please confirm!," "Your details," "Thanks," and "New message is available." To further deceive users, Netsky.P may also append a forged scanner notice, such as:

+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com

Attachments are files with a .txt or .doc extension followed by a second extension (.exe, .pif, .scr, or .zip), so that a name such as "details.txt.exe" looks like a text document when Windows hides the final extension. Netsky.P also makes numerous changes to the Registry of each infected system and runs a mail engine that sends many messages to addresses this worm finds on the infected system.

The Netsky.C worm (see http://www.lbl.gov/ITSD/Security/vulnerabilities/virus-archive-netsky.html#netskyc), the LBNL virus wall's most frequently detected worm in February 2004, was the third most prevalent last month with 11,485 instances found and deleted. Netsky.C, like the other Netsky variants, sends itself in messages with spoofed sender addresses and a variety of subjects, messages, and attachment names. Examples of subjects include "Excuse me," "Hello," "Question," "Delivery failed," "what's up?," and "trust me." Attachment extensions are .com, .exe, .pif or .scr; approximately one-third of the time the attachment has a double extension, e.g. ".doc.com" or ".txt.exe," and most attachments arrive as zip archives. Once a system becomes infected, Netsky.C copies itself into the system folder as winlogon.exe and makes numerous changes to the infected system's Registry, some of which make this worm start every time the infected system boots. It then sends infected messages to addresses it locates in address books on the infected system.
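The three Netsky variants described above (Netsky.D, Netsky.P and Netsky.C) share the same mail-borne lure: a directly executable attachment, often with a decoy double extension such as .txt.exe or .doc.zip, and in Netsky.P's case a forged "No Virus found" footer. The following Python script is an added example, not code from ITSD or the newsletter, showing how a mail gateway could triage incoming messages on exactly those traits. The sample messages, the class names and the verdict scheme are constructed for illustration; the file names and footer text are the ones the newsletter lists.

```python
"""Heuristic triage of inbound mail against Netsky-style lures (added example).

The Message class, the sample messages and the verdict scheme are constructed
for this illustration; they are not taken from the LBNL virus wall.
"""
import re
from dataclasses import dataclass

# File types Windows runs directly on double-click; Netsky.C/.D/.P all use these.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com"}
# Innocuous-looking types used as the first half of a double extension
# ("Cloning.doc.exe", "details.txt.pif"). Netsky.P also wraps in .zip.
DECOY_EXTS = {".txt", ".doc", ".mp3", ".jpg", ".gif", ".htm", ".html"}
# Netsky.P's forged "scanned clean" trailer; the vendor line after it varies,
# so only the first line is matched.
FAKE_SCAN_FOOTER = re.compile(r"^\+\+\+\s*Attachment:\s*No Virus found", re.I | re.M)
# Flag prefixes that are serious enough on their own to quarantine a message.
QUARANTINE_MARKERS = ("executable attachment", "double extension", "forged")


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    attachments: tuple  # attachment file names as the recipient would see them


def extensions(name: str) -> list:
    """All dotted suffixes of a file name, lowercased, innermost first.
    'your_details.txt.exe' -> ['.txt', '.exe']; 'readme' -> []."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def attachment_flags(name: str) -> list:
    """Reasons an attachment name looks like a mass-mailer lure (empty if none)."""
    exts = extensions(name)
    if not exts:
        return []
    flags = []
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        flags.append(f"executable attachment ({last})")
    # Decoy type followed by something that runs or unpacks: the user sees
    # "details.txt" if Explorer hides the real extension.
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and last in EXECUTABLE_EXTS | {".zip"}:
        flags.append(f"double extension ({exts[-2]}{last})")
    if last == ".zip":
        flags.append("archive: inspect contents before delivery")
    return flags


def triage(msg: Message) -> tuple:
    """Return ('quarantine' | 'deliver', list of reasons) for one message."""
    reasons = []
    for name in msg.attachments:
        reasons += [f"{name}: {flag}" for flag in attachment_flags(name)]
    if FAKE_SCAN_FOOTER.search(msg.body):
        reasons.append("body carries a forged 'No Virus found' scanner footer")
    hard = any(marker in r for r in reasons for marker in QUARANTINE_MARKERS)
    return ("quarantine" if hard else "deliver"), reasons


# Constructed sample traffic modelled on the lures the newsletter lists.
SAMPLES = (
    Message("alice@example.org", "Re: Your Word file",
            "Your document is attached.", ("your_details.pif",)),
    Message("support@symantec.com", "Re: Secure delivery",
            "Please confirm!\n\n+++ Attachment: No Virus found\n"
            "+++ MessageLabs AntiVirus - www.messagelabs.com",
            ("details.txt.exe",)),
    Message("bob@example.org", "Question", "what's up?", ("agenda.doc",)),
    Message("carol@example.org", "Excuse me", "trust me", ("photos.zip",)),
)


def run() -> dict:
    """Verdict per sample subject, for a quick end-to-end check."""
    return {m.subject: triage(m)[0] for m in SAMPLES}


if __name__ == "__main__":
    for m in SAMPLES:
        verdict, reasons = triage(m)
        print(f"{verdict:10} {m.sender:24} {m.subject}")
        for r in reasons:
            print(f"           - {r}")
```

Note that the double-extension check treats a trailing .zip as suspicious only when a decoy type precedes it; a plain archive is passed through with a note to inspect its contents, since the gateway cannot tell from the name alone whether the zip hides a .pif. The sender address is deliberately not used as evidence: as the newsletter points out, Netsky spoofs it from the victim's address book, so a familiar "From:" line proves nothing.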