July, 2004

Monthly Virus Update: Over 140,000 Viruses Eradicated
Last month the LBNL virus wall identified and deleted 140,314 infected attachments in messages. Windows-targeting worms were once again the most common.

The Netsky.P worm was once more the most frequently found, with 73,684 instances caught and eradicated. Netsky.P sends messages containing infected attachments from falsified addresses. Subjects used include "Re: Secure delivery," "Re: Test," "Re: Error," and "Re: Notify." It uses many different message bodies, such as "Thanks," "New message is available," "You cannot do that," "Do you?" "Do not visit this illegal website!" "Please confirm," and "I hope you accept the result." A second message that falsely advises recipients that no virus has been found in the message may also be sent. Netsky.P makes substantial modifications to the systems it infects and floods networks with messages from the mail engine it creates.

The Netsky.D worm was the second most frequently found, with 13,871 copies identified and eradicated. Very similar to Netsky.P, Netsky.D generates somewhat different subjects (such as "Re: Hello," "Re: Hi," "Re: Thanks," "Re: Your website," and "Re: Your Word file") and message bodies such as "Your document is attached," "Please have a look at the attached file," "Here is your file," and "Your file is attached." Netsky.D makes many changes to the systems it infects; it also sets up a mail engine to spew messages with infected attachments.

The Beagle.W worm (also called Bagle.Z) was again third, with 10,731 copies detected and destroyed. A mass-mailing worm, Beagle.W attempts to trick recipients of the messages it sends by falsifying the sender's name and using enticing subjects such as "I like you," "Hello!" "I'm a sad girl," "Re. Thank you!" and "Re. Yahoo!" Each message contains two parts, the first of which begins with "Hello," "Dear," "Hi," or "Hey"; each message also carries two attachments, one a .JPEG picture of a young woman and the other a copy of the worm code itself.
Beagle.W halts running processes, changes the registry, initiates connections to certain Web sites, installs a back door program that lets attackers gain remote access to the victim system, and installs a mail engine that spews messages containing copies of the worm.

Various new versions of the Lovgate worm (especially Lovgate.AC and Lovgate.AD) have recently attracted more than the normal amount of attention. Although each variant works somewhat differently from the rest, Lovgate versions have infected many systems because they spread in three different ways: sending mail with infected attachments, exploiting the Microsoft Windows DCOM RPC interface buffer overrun vulnerability described in Microsoft Security Bulletin MS03-026, and connecting to unprotected (unpassworded) or weakly passworded shares. Infected messages have a variety of subjects and bodies; attachments have file extensions of .bat, .exe, .pif, or .scr. Lovgate not only makes numerous changes to each system it infects but also installs a Trojan program that allows back door access by attackers. If Lovgate infects your system, download and run Symantec's Lovgate Removal Tool.
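As an added example (not part of the original update and not LBNL's virus-wall code), the following Python script shows the kind of mail-gateway triage the indicators above support: it parses a message, matches the subject against the lures listed for Netsky.P, Netsky.D and Beagle.W, and flags attachments carrying the .bat, .exe, .pif or .scr extensions given for Lovgate. The sample messages, the deliver/hold/quarantine verdicts and the check for a "no virus" claim are constructed here for illustration and are not from the page.

```python
"""Mail-gateway triage built from the worm indicators in the July 2004 update.

Added example, not LBNL's virus-wall code. Subject lures and attachment
extensions are taken from the update's text; thresholds, verdict names and
the sample messages are constructed for illustration.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Subject lines the update attributes to Netsky.P, Netsky.D and Beagle.W.
LURE_SUBJECTS = {
    "re: secure delivery", "re: test", "re: error", "re: notify",      # Netsky.P
    "re: hello", "re: hi", "re: thanks", "re: your website",          # Netsky.D
    "re: your word file",
    "i like you", "hello!", "i'm a sad girl", "re. thank you!",        # Beagle.W
    "re. yahoo!",
}

# Executable attachment extensions the update lists for Lovgate.
EXECUTABLE_EXTENSIONS = {".bat", ".exe", ".pif", ".scr"}


def triage(raw: bytes) -> dict:
    """Return a verdict and the reasons for it for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    subject = str(msg["subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append(f"known worm subject: {subject!r}")

    # Collect attachments whose extension is on the executable list.
    executables = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            executables.append(name)
    if executables:
        reasons.append("executable attachment(s): " + ", ".join(executables))

    # Netsky.P also sends notices claiming no virus was found; an executable
    # travelling with such a claim is a strong indicator (constructed rule).
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if executables and "no virus" in text:
        reasons.append("message claims to be virus-free while carrying an executable")

    if executables:
        verdict = "quarantine"
    elif reasons:
        verdict = "hold"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "reasons": reasons}


def build_sample(subject: str, body: str, filename: str = None) -> bytes:
    """Construct a test message offline (constructed data, not a real capture)."""
    m = EmailMessage()
    m["From"] = "forged@example.com"
    m["To"] = "user@example.org"
    m["Subject"] = subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"MZ-placeholder", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples: a Netsky-style lure with an executable, a plain
# business message, and a lure subject with no attachment.
SAMPLES = {
    "netsky_like": build_sample("Re: Secure delivery",
                                "Please confirm. No virus found.", "confirm.pif"),
    "benign": build_sample("Meeting notes", "Agenda attached.", "agenda.txt"),
    "lure_only": build_sample("Re: Test", "Thanks"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

The subject match is exact after lowercasing; a production filter would combine it with the virus wall's signature scanning rather than rely on lures alone, since the worms' subject lists change from variant to variant.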