August 2004
Monthly Virus Update: More than 150,000 Viruses Terminated

The LBNL virus wall discovered and eradicated 150,468 message attachments that contained worms and/or viruses last month. Not surprisingly, almost every worm and virus once again targeted Windows systems.

The Netsky.P worm (72,389 instances) was again most often detected and eradicated. Using a mail engine that it creates, Netsky.P sends a huge number of messages with infected attachments from spoofed sender addresses. Subjects of these messages vary greatly, such as: “Re: Secure delivery,” “Re: Test,” “Re: Error,” and “Re: Notify.” Many different message bodies, such as “Thanks,” “New message is available,” “You cannot do that,” “Do you?” “Do not visit this illegal website!” “Please confirm” and “I hope you accept the result” are also used. Netsky.P may also send a second message that deviously informs recipients that no virus has been detected in the message. Netsky.P also makes significant changes, including numerous registry changes, in systems that it infects.

Beagle.AH was the second most prevalent virus with 15,816 instances caught and destroyed. Another mass-mailing worm, Beagle.AH uses a mail engine that it sets up to spew messages with subjects such as: “Changes,” “Update,” “Encrypted Document,” “Protected Message,” “Re: Msg reply,” “Re: Hello” and “Re. Thank you!” If the attachment is a .zip file, the message body contains text such as “Archive password:,” “Password,” “Password:,” “For security reasons attached file is password protected. The password is,” and “In order to read the attach you have to use the following password.” If the attachment is not a .zip file, the message will read “See attach,” “Here is the attach,” “Attach tells everything,” “Check attached file,” “Here is the file,” “Your file is attached,” and so on. The attachment name is “Details,” “Document,” “Info,” “Information,” “Message,” “MoreInfo,” “Readme,” “text_document,” or “Updates”; the extension for the attachment is .com, .cpl, .exe, .hta, .scr, .vbs or .zip. Each message contains a five-digit password or a copy of an image file. If Beagle.AH infects a system, it pops up a message that reads “Can't find a viewer associated with a file,” changes many registry values, and creates a backdoor program on TCP port 1234 to use the victim system as a mail relay server. If the system date is after January 25, 2005, however, Beagle.AH will exit from memory and delete the registry changes it has made.

The Netsky.D worm dropped from the second most frequently found worm/virus last month to the third most frequently found this month. The virus wall identified and deleted 11,896 copies of Netsky.D last month. Another mass-mailing worm, Netsky.D sends messages with subjects such as: “Hello,” “Re: Hi,” “Re: Thanks,” “Re: Your website,” “Re: Your Word file” and messages such as “Your document is attached,” “Please have a look at the attached file,” “Here is your file,” and “Your file is attached.” Each attachment has a .pif file extension. Netsky.D makes many changes (additions and deletions) to the registry in systems that it infects; it also creates a mail engine to send volumes of messages with infected attachments to addresses it finds in various files in infected systems. To trick recipients of messages it sends into opening attachments, it uses addresses it finds as sender addresses.

The big recent newcomer on the scene was the Beagle.AG worm, which is another mass-mailing worm. Beagle.AG reads files in systems it infects and then uses any addresses it finds to target recipients of messages containing copies of itself that it sends. This worm also falsifies sender addresses, once again using addresses that it finds. The subject of its messages is always “Re_”. The message body varies; examples include “foto3 and MP3,” “fotogalary,” “Screen and Music,” “fotoinfo,” “Lovely animals,” “Predators,” “The Snake,” and “Don't open the attachment!” Attachments (which have a .com, .cpl, .exe, .scr, or .zip extension) are named “Cat,” “Cool_MP3,” “Dog,” “Doll,” “Fish,” “Garry,” “MP3,” “Music_MP3,” or “New_MP3_Player.” Each attachment is encrypted using a different password. If successful in infecting a system, Beagle.AG makes numerous registry changes and installs a backdoor program on TCP port 1080 to allow attackers to remotely access the infected system. Thanks to so many alert users as well as quick intervention on the part of the Lab's Computer Protection Program, Beagle.AG has infected only 21 Lab systems.

Although the names and mechanisms used by worms and viruses differ from month to month, the message to Lab users, particularly users of Windows systems, remains the same: never open any attachment that you are not expecting, even if it appears to be sent by someone you know, and update your system's anti-virus software every day. If your system becomes infected, call the Help Desk at x4357.
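The indicators listed above (executable attachment extensions such as .pif, .scr and .cpl; a password-protected .zip whose password is given in the message body; the fixed “Re_” subject of Beagle.AG) are exactly what a mail gateway can screen for before a message reaches a user. The following Python is an added example of such a screen, not the LBNL virus wall's own code; the four messages it checks are constructed here to mimic the descriptions in the update, and the sender addresses and the five-digit password are made up.

```python
"""Heuristic gateway screen for the mail indicators described in the
August 2004 update. Added example, not the LBNL virus wall's code; the
sample messages below are constructed to mimic the page's descriptions."""
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions the four worms used, per the update.
DANGEROUS_EXTENSIONS = {".com", ".cpl", ".exe", ".hta", ".pif", ".scr", ".vbs"}


def _extension(filename: str) -> str:
    """Lower-cased final extension of a filename, or '' if it has none."""
    return "." + filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def screen(raw: bytes) -> list[str]:
    """Return the findings for one RFC 5322 message; an empty list means clean."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    subject = str(msg["Subject"] or "").strip()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _extension(name)
        if ext in DANGEROUS_EXTENSIONS:
            findings.append(f"executable attachment {name}")
        elif ext == ".zip" and "password" in text:
            # Beagle.AH/AG put the archive password in the body so the
            # recipient can open the zip while a scanner cannot.
            findings.append(f"password-protected archive {name} with password in body")
    if subject == "Re_":  # Beagle.AG used this fixed subject
        findings.append("Beagle.AG-style subject 'Re_'")
    return findings


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Construct a multipart message with one binary attachment (test data only)."""
    msg = EmailMessage()
    msg["From"] = "spoofed.sender@example.invalid"   # constructed, as worms spoof senders
    msg["To"] = "recipient@example.invalid"          # constructed
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed messages modelled on the update's descriptions.
SAMPLES = {
    "netsky_d": build_sample("Re: Your Word file", "Your document is attached",
                             "document.pif"),
    "beagle_ah": build_sample("Encrypted Document",
                              "For security reasons attached file is password "
                              "protected. The password is 48213",   # made-up password
                              "Details.zip"),
    "beagle_ag": build_sample("Re_", "Lovely animals", "Cat.exe"),
    "benign": build_sample("Meeting notes", "Minutes from Tuesday are attached.",
                           "minutes.pdf"),
}


def screen_all() -> dict[str, list[str]]:
    """Screen every sample and return its findings keyed by sample name."""
    return {name: screen(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in screen_all().items():
        verdict = "QUARANTINE" if findings else "deliver"
        print(f"{name:10s} {verdict:10s} {findings}")
```

The password check is deliberately narrow: it fires only when a .zip attachment is paired with the word "password" in the body, which is the Beagle.AH pattern described above, so ordinary encrypted archives sent without an in-band password pass through. Extension matching is done on the final extension only, so a gateway using it should also reject or rename double-extension names separately.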