September, 2004
Monthly Virus Update: More than 110,000 Viruses Stopped Cold

The Lab’s virus wall continued to find and eradicate worms and viruses—111,220, to be exact—last month. Worms and viruses that infect Windows systems once again dominated the landscape.

62,313 instances of the Netsky.P worm were destroyed, again making this worm the most prevalent. Netsky.P creates a mail engine that spews volumes of emails containing infected attachments. To deceive recipients into opening the attachments, it copies sender addresses from the address books of the systems it infects. “Re: Test,” “Re: Error,” “Re: Secure delivery” and “Re: Notify” are some of the subjects in Netsky.P-infected messages. “Do you?” “Do not visit this illegal website!” “Thanks,” “New message is available,” “You cannot do that,” “I hope you accept the result,” and “Please confirm” are examples of the content of these messages. Netsky.P sometimes also adds a few lines to the messages it sends that falsely inform recipients that the message is virus-free. This worm modifies infected systems in numerous ways, including changing several Registry values and creating a mail engine.

The Netsky.D worm moved up from third to second place (where it was in July) with 10,614 instances detected and deleted. Netsky.D sets up a mail engine that sends messages with subjects such as “Re: Thanks,” “Re: Hi,” “Re: Your website,” “Re: Your Word file,” and “Hello.” Examples of message bodies include: “Here is your file,” “Your file is attached,” “Your document is attached,” and “Please have a look at the attached file.” The sender's address is always falsified, based on entries found in address books in systems that Netsky.D has infected. Every attachment has a .pif file extension. Netsky.D also modifies the Registry and makes other changes (such as installing a mail engine) in victim systems.

The Beagle.W (also called Bagle.Z) worm came in third place with 4,604 copies caught and eradicated. Beagle.W attempts to trick recipients of messages with infected attachments by using false senders' names. Beagle.W-generated messages contain subjects such as “I like you,” “Hello!” “I'm a sad girl,” “Re. Thank you!” and “Re. Yahoo!” Each message contains two parts. The first part begins with “Hi,” “Hey,” “Hello,” or “Dear,” and also includes two attachments—the first is a .jpeg picture of a young woman and the second is a copy of the worm code. Beagle.W halts processes that are running, changes the Registry, initiates connections to certain Web sites, installs a back door program that enables attackers to gain remote access to any victim system, and installs a mail engine that sends many messages containing copies of the worm code.

For information on the new Beagle.AQ worm, please see the corresponding story in this issue.