ITSD Computing and Communications Services News
March, 2004
  Monthly Virus Update

The LBNL virus wall once again proved its value to the Lab by detecting and eradicating a total of 39,408 worms and viruses (up sharply from the previous month) before they could reach Lab systems. As usual, Windows-based worms and viruses were the most numerous by a wide margin.

So don't take chances with worms and viruses, especially if you are a Windows user. This means keeping your system's anti-virus software up to date and not opening attachments from anyone -- even if the sender appears to be someone you know -- if you are not expecting them. Worms and viruses routinely forge the sender's address.

The most interesting development related to worms and viruses last month was what appears to be a war between the authors of the Netsky, Beagle and MiMail worms. Many mutations of these worms surfaced, and embedded in the code of many of them were profanity-filled messages taunting the authors of the rival worms.

The Netsky.C worm was the most prevalent by far, with 26,483 instances found and deleted. This worm spreads to Windows systems by mailing copies of itself as attachments with a variety of names. The attachments use the extensions .com, .exe, .pif or .scr; about one-third of the time, however, they carry double extensions such as ".doc.com" or ".txt.exe" so that the file looks like a document while the final (real) extension is executable. Most of the attachments are zipped. The subject also varies; examples include (but are not limited to) "Question," "Delivery failed," "what's up?," "trust me," and "hello." The text in the body of the message is also varied. A system becomes infected when a user opens the infected attachment and the system's anti-virus software has not been updated with a signature for the worm. Once a system is infected, it immediately starts sending infected mail to addresses Netsky.C has found in address books on the infected system.
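The attachment characteristics above (a directly executable extension, a decoy "double extension" such as .doc.com, and an executable hidden inside a zip) are the kind of thing a mail gateway can filter on by name before any signature exists. The following is an added example, not code from the original newsletter or from the LBNL virus wall, showing one way to classify attachments on exactly those three properties. The executable extensions are the four the newsletter lists; the set of "decoy" inner extensions and the sample attachments are constructed for illustration and are assumptions of the example. Name-based filtering is a supplement to, not a replacement for, up-to-date signature scanning.

```python
import io
import zipfile

# Extensions the newsletter lists for Netsky.C attachments; Windows runs these directly.
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".pif", ".scr"}

# Assumption: a small illustrative set of "document-looking" inner extensions
# used to disguise an executable, e.g. report.doc.com.
DECOY_EXTENSIONS = {".doc", ".txt", ".htm", ".html", ".pdf", ".jpg", ".gif"}


def split_extensions(filename):
    """Return the dotted extensions of a filename, lower-cased.

    'letter.doc.com' -> ['.doc', '.com'].  Any path prefix is dropped and
    trailing dots/spaces are stripped, because Windows ignores them when
    deciding how to open a file, so 'a.txt.exe.' is still an .exe.
    """
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].rstrip(". ")
    parts = name.lower().split(".")
    if len(parts) < 2:
        return []
    return ["." + p for p in parts[1:]]


def classify_name(filename):
    """Classify a single filename: 'allow', 'block:executable' or 'block:double-extension'."""
    exts = split_extensions(filename)
    if not exts:
        return "allow"
    if exts[-1] in EXECUTABLE_EXTENSIONS:
        # The last extension is what Windows acts on; an earlier decoy
        # extension is the double-extension trick described in the text.
        if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
            return "block:double-extension"
        return "block:executable"
    return "allow"


def classify_attachment(filename, data):
    """Classify an attachment by its name and, for ZIP archives, by its member names.

    Zips are identified by the .zip extension or the local-file-header
    magic 'PK\\x03\\x04', since a worm need not name its archive honestly.
    An archive that cannot be parsed is blocked rather than passed through.
    """
    verdict = classify_name(filename)
    if verdict != "allow":
        return verdict
    looks_like_zip = split_extensions(filename)[-1:] == [".zip"] or data[:4] == b"PK\x03\x04"
    if looks_like_zip:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = classify_name(member)
                    if inner != "allow":
                        return "block:zipped-" + inner.split(":", 1)[1]
        except zipfile.BadZipFile:
            return "block:malformed-zip"
    return "allow"


def make_zip(members):
    """Build an in-memory zip from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments modelled on the names described in the text.
    samples = [
        ("message.doc.com", b"MZ"),
        ("document.txt.exe.", b"MZ"),
        ("readme.pif", b"MZ"),
        ("report.doc", b"plain document"),
        ("details.zip", make_zip({"details.txt.exe": b"MZ"})),
        ("notes.zip", make_zip({"notes.txt": b"harmless"})),
        ("broken.zip", b"PK\x03\x04garbage"),
    ]
    for name, data in samples:
        print(f"{name:20s} -> {classify_attachment(name, data)}")
```

Because the verdict is keyed on the final extension rather than on the first one, a name like "invoice.doc.com" is caught even though a casual reader sees only ".doc"; the zip branch applies the same rule to each member so that zipping the executable, as Netsky.C usually does, gains nothing.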

Netsky.B came in a distant second with 2,570 instances detected and eradicated. It is extremely similar to Netsky.C; the messages it sends have subjects such as "stolen," "hi," "warning," and "unknown." The message content also varies widely; a few examples include "greetings," "see you," "here it is," "yes, really?," "that is bad," and "stuff about you?" Attachment names also vary widely, and the attachments are zipped slightly more than half of the time.

The Sobig.F worm was supposed to stop spreading in September of last year, but because it checks the infected system's own clock, it has continued to spread from already-infected systems whose clocks are set incorrectly. Coming in third last month with 2,154 instances found and deleted, Sobig.F installs its own mail engine that sends volumes of email carrying a copy of its code; opening that attachment infects the system on which it is opened.