ITSD Computing and Communications Services News
October, 2004
 

Monthly Virus Update: More than 110,000 Viruses Eradicated

The Lab’s virus wall statistics for last month closely mirrored the previous month. The virus wall identified and destroyed a total of 106,157 worms and viruses last month, almost exactly the same as in September. The Netsky.P worm led all others once again with 59,758 copies found and eradicated. Netsky.D again came in second with 9,294 instances, and was followed again by the Beagle.W (also called Bagle.Z) worm with 5,137 instances.

All three are mass-mailing worms that arrive in messages with curiosity-piquing subjects and attachments that, if opened, infect Windows systems on which anti-virus software is not updated. The fact that not a single Lab user's system was infected by any of these worms attests to the effectiveness of the virus wall. Lab users have also been updating anti-virus software every day and are learning that opening attachments they are not expecting is dangerous, factors that have helped considerably in the Lab’s war against viruses and worms.

The MyDoom.Y worm was the most conspicuous newcomer last month. Another Windows mass-mailing worm, MyDoom.Y arrives as a message with a subject of "album" or "You've got a Virtual Postcard." To trick recipients, the sender's address is falsified ("spoofed"), based on addresses this worm finds in each system it infects. The message content is one of the following:

"my pics... *sexy*. Heheh!;),"

"You have just received a new postcard from Flashecard.com! From: %sender%"

"To pick up your postcard follow this web address http://www.flashecard.com.viewcard.main.ecard.php?2342 or click the attached link."

"We hope you enjoy your postcard, and if you do, please take a moment to send a few yourself!"

"(Your message will be available for 30 days.)"

"Please visit our site for more information. http:/ /www.flashecard.com"

The attachment is named "photos_album.zip," "photos_album.scr," "www.flashecard.com_postcard=viewcard_download.html.scr," or "www.flashecard.com_postcard=viewcard_download.html.zip."

Once MyDoom.Y infects a system, it kills certain processes, opens a certain Web site using Internet Explorer, finds email addresses, and creates a mail engine that spews messages with infected attachments to these addresses. MyDoom.Y does not damage systems, per se, although this worm makes changes in systems it infects.
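The subjects and attachment names listed above are enough to write a simple mail-gateway check. The following is an added example, not the Lab's virus wall or any vendor's code: it parses a message and reports which of the article's indicators it matches, and it goes one step beyond the article by flagging any attachment whose document-style extension hides an executable one (as in ".html.scr"). The extension lists, the `check_message` and `build_sample` names, and the sample addresses are assumptions made for the illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the article. Assumption: the trailing period in the
# second subject is sentence punctuation, so it is ignored when comparing.
SUBJECTS = {"album", "you've got a virtual postcard"}
ATTACHMENTS = {
    "photos_album.zip",
    "photos_album.scr",
    "www.flashecard.com_postcard=viewcard_download.html.scr",
    "www.flashecard.com_postcard=viewcard_download.html.zip",
}
# Assumption: extension lists a gateway might use; not from the article.
EXECUTABLE_EXT = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")
DOCUMENT_EXT = (".html", ".htm", ".txt", ".doc", ".jpg", ".pdf")


def check_message(raw_bytes):
    """Return the reasons a message matches the MyDoom.Y description."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip().lower().rstrip(".")
    if subject in SUBJECTS:
        reasons.append("subject:" + subject)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            reasons.append("known-name:" + name)
        stem, dot, ext = name.rpartition(".")
        # Generalisation: a document extension hiding an executable one.
        if dot and "." + ext in EXECUTABLE_EXT and stem.endswith(DOCUMENT_EXT):
            reasons.append("double-extension:" + name)
    return reasons


def build_sample(subject, filename):
    """Constructed message with a harmless placeholder attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(check_message(build_sample("album", "photos_album.scr")))
```

Because the sender address is spoofed, the check deliberately ignores the From header and relies only on the subject and attachment names.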