ITSD Computing and Communications Services News
May, 2004
  Monthly Virus Update: Netsky Worm Still Proliferating

The LBNL virus wall detected and deleted more worms and viruses (a total of 178,023) last month than the month before. Variants of the Netsky worm once again led all others.

Netsky.P was most prevalent: the virus wall found and eradicated 70,644 copies of this worm. Netsky.P infects Windows systems and sends infected messages with spoofed sender addresses, taken from infected systems' address books or from a built-in list that includes support@symantec.com. The subject of these messages varies widely; examples include Re: Error, Re: Notify, Re: Secure delivery, and Re.: Test. Examples of the message content include "Do you?," "Do not visit this illegal websites!," "You cannot do that," "I hope you accept the result," "Please confirm!," "Your details," "Thanks," and "New message is available."

To further trick users, Netsky.P may also append a line claiming that the message has been scanned and no virus was found. Once it has infected a system it makes numerous Registry changes to ensure that it will start every time the victim system boots. The worm also searches for folders whose names contain certain strings, such as icq, ftp, htdocs, http, morpheus, mule, my shared folder, kazaa, and lime (typically peer-to-peer or web-server share directories). In each such folder it copies itself as an .exe file with an enticing name such as "Adobe Premiere 10.exe," "ACDSee 10.exe," "Britney Spears full album.mp3.exe," "Britney sex xxx.jpg.exe," "Cloning.doc.exe," and others (some of which are sexually explicit). Netsky.P searches every drive on each infected system for files (such as those with .doc, .sht, .uin and .vbs extensions) that may contain email addresses and records every address it finds. Next it starts its own Simple Mail Transfer Protocol (SMTP) engine, from which it spews messages containing infected attachments to the addresses it has harvested. Attachment names carry a decoy .txt or .doc extension followed by the real one (.exe, .pif, .scr, or .zip), so a file displayed as "document.txt" is in fact document.txt.exe. Systems become infected when a user opens such an attachment on a system whose anti-virus software is not up to date, or when another user downloads and runs one of the copies dropped into a shared folder.

The Netsky.D worm, like all members of the Netsky family, also targets Windows systems. The virus wall caught and deleted 38,341 copies of this worm, which arrives as an attachment in email messages with a variable subject such as Re: Hello, Re: Hi, Re: Thanks, Re: Your website, or Re: Your Word file and a message body such as "Here is your file," "Your document is attached," "Please have a look at the attached file," or "Your file is attached." Every attachment has a .pif extension, but the base name varies widely; examples include your_details.pif, your_picture.pif, your_archive.pif, and mp3music.pif. The sender address is spoofed, based on entries Netsky.D finds in infected systems' address books. Netsky.D makes numerous Registry changes; afterwards it searches every hard drive and CD-ROM drive for files (such as files with .rtf, .wab, .oft and .msg extensions) that may contain email addresses, gleaning every address it finds. Next it spawns an SMTP engine which it uses to send many messages containing infected attachments to the addresses it has found. It refrains, however, from mailing any address that contains certain substrings, such as abuse, asperksy, ymantec, antivi, icrosoft, and skynet, which is why abuse desks and anti-virus vendor mailboxes see fewer samples than ordinary users do.

Netsky.Y, of which 13,011 copies were detected and destroyed, is yet another mass-mailing worm that targets Windows systems and spoofs sender addresses to fool recipients of the messages it sends. It arrives disguised as a mail delivery failure notice, with the subject "Delivery failure notice (ID-<random number>)" and a message body that starts with "--- Mail Part Delivered ---". The attachment is named www.<random domain name>.<random username>.session-<random number>.com, a DOS executable masquerading as a web address. The worm also makes Registry changes so that it starts every time the infected system boots, and it opens a back door on TCP port 82 through which an attacker can upload an executable and run it remotely. Between April 28 and 30, 2004, Netsky.Y launched a denial of service attack against three Web sites (www.medinfo.ufl.edu, www.educa.ch, and www.nibis.de). After harvesting email addresses from files on the infected system, it starts an SMTP engine and mails copies of itself to the addresses it has found as well as to hukanmikloiuo@yahoo.com. To deliver that mail the worm queries the infected system's default DNS server for the address of the mail server it will send through; if that DNS server cannot be reached, it falls back to a list of DNS servers hard-coded in the worm.
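The three Netsky variants above share one delivery trick: an executable attachment behind a harmless-looking name (a decoy .txt/.doc/.mp3 extension ahead of the real .exe/.pif/.scr/.zip, a bare .pif, or the www.<domain>.<user>.session-<n>.com bounce lure). The following mail-gateway check is an added example written for this article, not code from LBNL's virus wall or from any vendor tool; the message fields, the sample inbox and the decoy-extension set are constructed assumptions modelled on the lures described here, and it deliberately quarantines on attachment evidence only, treating the subject as a supporting note so that a genuine bounce without an attachment is not blocked.

```python
import re
from typing import Dict, List

# Real extensions Netsky hides behind a harmless-looking name: .exe/.pif/.scr/.zip
# (Netsky.P, Netsky.D) and the .com "session" attachment of Netsky.Y.
DANGEROUS_EXT = {"exe", "pif", "scr", "zip", "com"}
# Decoy extensions Netsky.P puts in front of the real one ("Cloning.doc.exe").
# Assumption: this set, like the sample messages below, is constructed for the example.
DECOY_EXT = {"txt", "doc", "jpg", "mp3"}

# Netsky.Y fake bounce: subject "Delivery failure notice (ID-<n>)" and an
# attachment named www.<domain>.<user>.session-<n>.com.
NETSKY_Y_SUBJECT = re.compile(r"^Delivery failure notice \(ID-\d+\)$")
NETSKY_Y_ATTACH = re.compile(r"^www\..+\.session-\d+\.com$", re.IGNORECASE)

# Substrings Netsky.D refuses to mail to (as listed in the article); explains why
# an abuse@ or vendor mailbox never receives a sample of it.
NETSKY_D_SKIP = ("abuse", "asperksy", "ymantec", "antivi", "icrosoft", "skynet")


def attachment_reasons(filename: str) -> List[str]:
    """Reasons an attachment name looks like a Netsky lure; empty list if it does not."""
    parts = filename.lower().split(".")
    reasons: List[str] = []
    if len(parts) < 2:
        return reasons
    real_ext = parts[-1]          # the extension Windows actually executes
    if real_ext in DANGEROUS_EXT:
        reasons.append(f"executable extension .{real_ext}")
        if len(parts) >= 3 and parts[-2] in DECOY_EXT:
            reasons.append(f"double extension .{parts[-2]}.{real_ext}")
    if NETSKY_Y_ATTACH.match(filename):
        reasons.append("Netsky.Y session-<n>.com attachment name")
    return reasons


def netsky_d_would_skip(address: str) -> bool:
    """True if Netsky.D's own recipient filter would stop it mailing this address."""
    a = address.lower()
    return any(s in a for s in NETSKY_D_SKIP)


def classify_message(msg: Dict[str, str]) -> Dict[str, object]:
    """Quarantine on attachment evidence; a lure subject is only recorded as a note."""
    attach = attachment_reasons(msg.get("attachment", ""))
    notes: List[str] = []
    if NETSKY_Y_SUBJECT.match(msg.get("subject", "")):
        notes.append("Netsky.Y bounce subject")
    verdict = "quarantine" if attach else "deliver"
    return {"subject": msg.get("subject", ""), "verdict": verdict, "reasons": attach + notes}


def filter_mailbox(messages: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [classify_message(m) for m in messages]


# Constructed sample messages modelled on the lures described in the article
# (not real captures).
SAMPLE_MESSAGES = [
    {"from": "support@symantec.com", "subject": "Re: Secure delivery",
     "body": "Please confirm!", "attachment": "Britney Spears full album.mp3.exe"},
    {"from": "alice@example.org", "subject": "Re: Your Word file",
     "body": "Your document is attached", "attachment": "your_details.pif"},
    {"from": "postmaster@example.org", "subject": "Delivery failure notice (ID-48231)",
     "body": "--- Mail Part Delivered ---",
     "attachment": "www.example.org.bob.session-7741.com"},
    {"from": "bob@example.org", "subject": "Re: meeting",
     "body": "Agenda for Thursday attached, see section 3.", "attachment": "agenda.doc"},
]

if __name__ == "__main__":
    for result in filter_mailbox(SAMPLE_MESSAGES):
        print(result["verdict"], "|", result["subject"], "|", "; ".join(result["reasons"]))
```

The check looks at the last extension rather than the first because that is the one Windows executes; a mail client that hides known extensions shows the user only the decoy. The `netsky_d_would_skip` helper is the reason the article's note about excluded addresses matters operationally: a sample-collection mailbox named abuse@ will never receive Netsky.D, so use an unremarkable address for that purpose.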

The Sasser worm is one of the most notable new worms to surface. It is another Windows-targeting worm, but unlike the Netsky, MyDoom and Beagle variants, Sasser spreads from system to system without mailing anything to users. It exploits a buffer overflow in the Local Security Authority Subsystem Service (LSASS) of Windows XP and 2000 systems, the flaw Microsoft patched in security bulletin MS04-011 in April 2004, which lets a remote attacker run code on the vulnerable system with system-level privileges. The worm scans randomly selected IP addresses for vulnerable systems and delivers the exploit over a connection to TCP port 445. The exploit crashes LSASS on the target, which makes Windows force a reboot on a countdown, and the scanning load on an infected system ties it up so badly that programs, including Sasser removal tools, may not run properly. The worm changes the Registry of each infected system so that it runs every time the system boots. Sasser also runs an FTP server on TCP port 5554, from which each newly exploited host downloads a copy of the worm, while the exploit's shellcode opens a command shell on TCP port 9996 that the worm uses to drive that download; both listeners are equally usable as back doors by anyone who can reach them.
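Because Sasser makes no mail, the visible symptoms on an infected host are network ones: listeners on TCP 5554 and 9996, and a fan-out of half-open outbound connections to TCP 445 on random addresses. The triage script below is an added example written for this article, not a tool from Symantec or any other vendor; it parses Windows-style `netstat -an` output (the two embedded captures are constructed, not real) and reports those indicators. The ten-distinct-target threshold for calling the 445 traffic "scanning" is an assumption chosen for the example.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple


class Conn(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int   # 0 for LISTENING rows and UDP "*:*" rows
    state: str         # empty for UDP rows


# One "netstat -an" row on Windows: Proto, Local Address, Foreign Address, [State]
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")

# Ports the article ties to Sasser on an infected host.
SASSER_PORTS = {
    5554: "FTP server that hands the worm binary to newly exploited hosts",
    9996: "command shell opened by the LSASS exploit",
}


def parse_netstat(text: str) -> List[Conn]:
    """Parse netstat -an output; header and blank lines are skipped."""
    conns: List[Conn] = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        conns.append(Conn(proto, lip, int(lport), rip,
                          0 if rport == "*" else int(rport), state))
    return conns


def sasser_indicators(conns: List[Conn], scan_threshold: int = 10) -> Dict[str, object]:
    """Report the worm's listeners and the fan-out of its tcp/445 scanning."""
    listeners = {c.local_port: SASSER_PORTS[c.local_port]
                 for c in conns
                 if c.proto == "TCP" and c.state == "LISTENING"
                 and c.local_port in SASSER_PORTS}
    # Random-address scanning shows up as many half-open (SYN_SENT) connections
    # to tcp/445 on distinct hosts; a normal file-sharing client has a few
    # ESTABLISHED ones to known servers instead.
    targets = Counter(c.remote_ip for c in conns
                      if c.proto == "TCP" and c.remote_port == 445
                      and c.state == "SYN_SENT")
    scanning = len(targets) >= scan_threshold
    if len(listeners) == len(SASSER_PORTS):
        verdict = "likely Sasser"
    elif listeners or scanning:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"listeners": listeners, "distinct_445_targets": len(targets),
            "scanning": scanning, "verdict": verdict}


# Constructed netstat output for an infected host (not a real capture): the two
# worm listeners plus a burst of half-open connections to tcp/445 on random hosts.
INFECTED_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:500            *:*
""" + "".join(f"  TCP    10.1.2.3:{1040 + i}          10.{50 + i}.{i}.1:445          SYN_SENT\n"
              for i in range(12))

# Constructed output for an ordinary workstation talking to one file server.
CLEAN_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.1.2.3:1050          10.1.2.50:445          ESTABLISHED
"""

if __name__ == "__main__":
    for label, capture in (("infected", INFECTED_NETSTAT), ("clean", CLEAN_NETSTAT)):
        print(label, sasser_indicators(parse_netstat(capture)))
```

A host reported as "likely Sasser" should be taken off the network before the LSASS patch and a removal tool are applied, since the exploit reaches it over port 445 faster than a user can finish either step; the same parser run on a sample of workstations gives a quick census of how far the worm has spread.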

Symantec and other vendors have created free removal tools that will eradicate these and other worms, but prevention is by far the best cure. Update your system's anti-virus software every day, install the latest patches, and be sure to avoid opening any attachment that you are not expecting, even if it appears to come from someone you know.