ITSD Computing and Communications Services News
March, 2005
 

Monthly Virus Update: More than 75,000 Worms and Viruses Stopped Cold

The Lab's virus wall keeps countering virus and worm infections; last month it detected and eradicated 55,224 viruses and worms, once again virtually all of which are programmed to infect Windows systems. The number in January was 75,420. For the 10th consecutive month, the Windows-targeting Netsky.P worm was most prevalent, with 32,157 copies found and deleted (down slightly from 40,406 in February). This worm, like the others in the Netsky family, mails copies of itself to addresses it finds in address books and other files in systems it has infected, generating interesting subject lines and message bodies to entice users into opening the infected attachments.

A newcomer, the Bagle.AZ worm, came in second with 4,860 copies identified and destroyed. This worm inserts itself in message attachments sent from falsified addresses that it gleans from address books and other files it discovers on machines it has infected. Subjects include "Delivery service mail," "Is delivered mail," "You are made active," or "Registration is accepted." The message body is "Before use read the help" or "Thanks for use of our software." The name of the attachment is "guupd02," "Jol03," "siupd02," "upd02," "viupd02," "wsd01," or "zupd02." Attachment extensions are .com, .cpl, .exe, or .scr. Bagle.AZ looks for and tries to stop many processes that may be running, including AUPDATE.EXE, AVENGINE.EXE, FIREWALL.EXE, MCSHIELD.EXE, NAVAPW32.EXE, UPDATE.EXE, and others. When it infects a system, it copies itself to the system folder under three names: sysformat.exe, sysformat.exeopen, and sysformat.exeopenopen. It also searches the hard drive for folders that contain "shar" in their name and then attempts to write itself to them, assigning a variety of file names if it succeeds. Bagle.AZ also changes several Registry values. It collects addresses from a variety of files that may contain email addresses and then installs a mail engine that it uses to send a flood of messages with infected attachments, although it avoids sending messages to certain addresses. Additionally, Bagle.AZ attempts to download a file from a large number of domains; if it succeeds, it saves that file in the system folder.

The Netsky.D worm, yet another worm that is programmed to infect Windows systems, placed third with 3,573 instances found and eradicated (in comparison to 5,049 last month). Netsky.D creates a mail engine that sends messages with subjects such as "Re: Thanks," "Re: Hi," "Re: Your website," "Re: Your Word file," and "Hello." Examples of message bodies include "Here is your file," "Your file is attached," "Your document is attached," and "Please have a look at the attached file." The sender's address is falsified, based on entries found in address books and other files in systems that this worm has infected. The extension for each attachment is always .pif. Netsky.D also modifies the Registry and makes other changes in systems that it infects.
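The subject lines, attachment names and extensions listed for Bagle.AZ and Netsky.D above are exactly the kind of traits a mail-gateway rule can screen on. The following Python is an added illustration, not code from the Lab or this newsletter; the classify/scan functions, the case-insensitive matching and the sample messages are all constructed here.

```python
import os

# Indicators transcribed from the worm descriptions above (lower-cased for matching).
BAGLE_SUBJECTS = {"delivery service mail", "is delivered mail",
                  "you are made active", "registration is accepted"}
BAGLE_NAMES = {"guupd02", "jol03", "siupd02", "upd02", "viupd02", "wsd01", "zupd02"}
BAGLE_EXTS = {".com", ".cpl", ".exe", ".scr"}
NETSKY_D_SUBJECTS = {"re: thanks", "re: hi", "re: your website",
                     "re: your word file", "hello"}
NETSKY_D_EXT = ".pif"
RISKY_EXTS = BAGLE_EXTS | {NETSKY_D_EXT}


def classify(subject, attachments):
    """Return a verdict for one message, or None if nothing matched.

    subject: the Subject header; attachments: list of attachment file names.
    Comparison is case-insensitive (an assumption; copies vary in casing).
    """
    subj = subject.strip().lower()
    for filename in attachments:
        base, ext = os.path.splitext(filename.lower())
        if ext in BAGLE_EXTS and (base in BAGLE_NAMES or subj in BAGLE_SUBJECTS):
            return "Bagle.AZ"
        if ext == NETSKY_D_EXT and subj in NETSKY_D_SUBJECTS:
            return "Netsky.D"
        if ext in RISKY_EXTS:
            # No family signature, but still an executable attachment nobody asked for.
            return "executable-attachment"
    return None


def scan(messages):
    """Tally verdicts over (subject, attachments) pairs; returns {verdict: count}."""
    counts = {}
    for subject, attachments in messages:
        verdict = classify(subject, attachments) or "clean"
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample traffic for the demo, not real captured mail.
SAMPLE = [
    ("Registration is accepted", ["upd02.scr"]),   # Bagle.AZ subject + name + extension
    ("lunch tomorrow?", ["Jol03.exe"]),            # Bagle.AZ attachment name alone
    ("Re: Your Word file", ["report.pif"]),        # Netsky.D subject with .pif
    ("Re: Hi", ["notes.txt"]),                     # harmless attachment
    ("Quarterly numbers", ["setup.exe"]),          # unexpected executable, no signature
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```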

This month's "new worm of the month" is the Win32.Kelvir.A worm. Kelvir.A is notable in that it targets Windows systems that run the MSN Messenger service. Most users incorrectly assume that it is impossible to get a worm or virus infection via MSN, something that increases the potential threat that this worm poses. Kelvir.A arrives as a message to MSN contacts consisting of the following:

Message:
omg this is funny!
[Link to the jose.rivera4.home.att.net domain]

If an unsuspecting user clicks the link in the message, Kelvir.A downloads and executes a file from the comcast.net domain and another from the yoursite.com domain, infecting the system running MSN. Interestingly, the file from the latter domain is a mutation of the W32.Spybot worm. Either file is copied into the system folder as hotkeysvc.exe. Kelvir.A then attempts to modify many Registry values, including one that causes Kelvir.A to execute every time the infected system starts. Finally, it sends messages to other MSN contacts in an attempt to infect their systems.

By now you know the bottom line: Windows and Mac users should run anti-virus software and update it daily. Go to the Lab’s download page to obtain a free copy of this software for your Lab or personally-owned system. Never open an attachment that you are not expecting. Last month four Lab users opened attachments that were infected, thereby infecting their systems. Let's shoot for zero infections this month! For more cyber security tips go here.