June, 2004

Monthly Virus Update: Over 100,000 Viruses Stopped in Tracks
The LBNL virus wall continued to provide an effective first line of defense against worms and viruses, finding and removing 103,146 infected attachments in messages last month. Worms targeting Windows systems prevailed again.

The Netsky.P worm, one of the most prolific worms ever to spread across the Internet, took the lead with 69,015 instances caught and eradicated. Netsky.P sends messages with infected attachments from spoofed addresses, using subjects such as "Re: Secure delivery," "Re: Test," "Re: Error" and "Re: Notify." The body text varies widely; examples include "Thanks," "New message is available," "You cannot do that," "Do you?" "Do not visit this illegal website!" "Please confirm" and "I hope you accept the result." Recent variants of Netsky.P use subjects and text referring to the latest Harry Potter movie. The message may also carry a second line claiming that it has been scanned and that no virus was found. After Netsky.P makes numerous changes to an infected system (including registry changes that cause the worm to start automatically every time the system is booted), it runs its own SMTP engine, which spews messages to every address it has harvested from the system's address books.

The Netsky.D worm came in second with 19,182 copies detected and destroyed. This worm is very similar to Netsky.P. It differs mainly in its subjects (such as "Hello," "Re: Hi," "Re: Thanks," "Re: Your website," "Re: Your Word file") and message text (such as "Your document is attached," "Please have a look at the attached file," "Here is your file," and "Your file is attached"). Like Netsky.P, Netsky.D makes numerous changes to an infected system and uses its own SMTP engine to mail copies of itself as attachments.

The Beagle.W (also called Bagle.Z) worm came in third with 9,867 instances caught and eradicated. Its messages carry forged sender addresses built from a fixed list of user names combined with the domain of the recipient's own email address, so the mail appears to come from a colleague. Among the subjects used by Beagle.W are "Incoming message," "I like you," "Hello!" "I'm a sad girl," "Re. Thank you!" and "Re. Yahoo!" The body text comes in two parts, the first of which always starts with "Hello," "Dear," "Hi," or "Hey." Each message carries two attachments: a JPEG image of a young woman, followed by a copy of the worm with a COM, CPL, EXE, HTA, SCR, or VBS extension. Beagle.W kills numerous processes, makes registry changes, connects to specified Web sites, opens a back door on each infected system, and runs its own SMTP engine to send a large number of messages with infected attachments.

Numerous versions of the Korgo worm have recently drawn considerable attention. Although each version works somewhat differently, they share common traits. Each version attempts to exploit a buffer overflow in the Windows Local Security Authority Subsystem Service (lsass.exe), the vulnerability described in Microsoft Security Bulletin MS04-011. All versions also copy themselves onto each system they infect, delete files and registry values, try to connect to certain IRC chat servers, and open back doors. Perhaps most troubling, Korgo also attempts to install a keystroke-capturing program on infected machines, which can expose passwords and other private data and lead to identity theft. Because Korgo spreads over the network rather than by email, anti-virus software and caution with attachments do not stop it by themselves; Windows systems must also have the MS04-011 patch applied.

To prevent virus infections, the bottom line is that you need to: (1) update your system's anti-virus definitions every day, (2) keep Windows security patches current, and (3) refrain from opening attachments that you are not expecting, even if they appear to be from someone you know.
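The mail characteristics described above (a forged sender at the recipient's own domain, the quoted subject lines, and the executable attachment extensions) can be turned into a simple gateway check. The following Python script is an added example written for this page; it is not the LBNL virus wall's code or any vendor's product. The subject list and extension list are taken from the text above; the sample messages are constructed here for the demonstration, and the "block / flag / pass" policy is an assumption for the example rather than anything the update describes.

```python
import os
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default as default_policy
from email.utils import parseaddr

# Attachment extensions the update lists for the Beagle.W payload.
# The set is taken from the text above; a real gateway would extend it.
EXECUTABLE_EXTENSIONS = {".com", ".cpl", ".exe", ".hta", ".scr", ".vbs"}

# Subject lines quoted in the update for Netsky.P, Netsky.D and Beagle.W.
WORM_SUBJECTS = {
    "re: secure delivery", "re: test", "re: error", "re: notify",              # Netsky.P
    "hello", "re: hi", "re: thanks", "re: your website", "re: your word file", # Netsky.D
    "incoming message", "i like you", "hello!", "i'm a sad girl",
    "re. thank you!", "re. yahoo!",                                            # Beagle.W
}


def _domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def inspect_message(raw: bytes) -> dict:
    """Classify one RFC 822 message. Policy (an assumption for this example):
    any executable attachment is blocked outright; the softer indicators
    (known subject, sender domain equal to recipient domain) only flag the
    message when two or more of them coincide."""
    msg = message_from_bytes(raw, policy=default_policy)
    reasons = []

    subject = (msg["Subject"] or "").strip()
    if subject.lower() in WORM_SUBJECTS:
        reasons.append(f"subject matches a known worm subject: {subject!r}")

    # Beagle.W forges the sender as <name>@<recipient's domain>.
    sender_domain = _domain(msg["From"])
    if sender_domain and sender_domain == _domain(msg["To"]):
        reasons.append("sender domain equals recipient domain (Beagle.W-style spoofing)")

    executables = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            executables.append(name)
    if executables:
        reasons.append("executable attachment(s): " + ", ".join(executables))

    if executables:
        verdict = "block"
    elif len(reasons) >= 2:
        verdict = "flag"
    else:
        verdict = "pass"
    return {"verdict": verdict, "reasons": reasons}


def build_sample(sender, recipient, subject, body, attachments):
    """Construct a test message; attachments is a list of
    (filename, maintype, subtype, bytes). Used only to build sample input."""
    msg = EmailMessage(policy=default_policy)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    for filename, maintype, subtype, data in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed samples modelled on the descriptions above; not captured mail.
SAMPLES = {
    "beagle_w": build_sample(
        "anna@example.org", "victim@example.org", "I'm a sad girl",
        "Hello,\nI have attached my photo, please write back.",
        [("photo.jpg", "image", "jpeg", b"\xff\xd8\xff\xe0JFIF"),
         ("photo.scr", "application", "octet-stream", b"MZ\x90\x00")]),
    "netsky_p": build_sample(
        "someone@other.example", "victim@example.org", "Re: Secure delivery",
        "Thanks",
        [("document.exe", "application", "octet-stream", b"MZ\x90\x00")]),
    "payload_stripped": build_sample(
        "joe@example.org", "victim@example.org", "Re: Thanks",
        "Your document is attached", []),
    "clean": build_sample(
        "colleague@example.org", "victim@example.org", "Re: Meeting notes",
        "Notes attached.",
        [("notes.pdf", "application", "pdf", b"%PDF-1.4")]),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = inspect_message(raw)
        print(f"{name:18s} {result['verdict']:5s} {'; '.join(result['reasons'])}")
```

The same-domain check on its own also matches every legitimate internal message, which is why it only counts as a soft indicator here; a gateway that knows which direction the mail came from would instead treat a message claiming an internal sender but arriving from outside as spoofed. The extension check, by contrast, is safe to enforce unconditionally, since there is no legitimate reason for a mail gateway to pass SCR or CPL attachments.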