After a few relatively quiet months on the virus/worm front, administrators have been facing, over the past several weeks, a nearly continuous barrage of serious attacks from new and modified versions of earlier viruses and worms.
Details
Let’s take a look at what you need to know about the recent versions of Netsky, Bagle, and Mydoom that are besieging corporate mail servers.
Netsky
Netsky (Netsky.A) was a relatively innocuous mass-mailing worm that hit mail boxes beginning on February 16, 2004. Almost as quickly as antivirus companies came out with fixes, along came a more potent version, Netsky.B, which is spreading much more rapidly than the initial version and is already extremely widespread.
Netsky.B searches for e-mail addresses in files with the following extensions: .msg, .oft, .sht, .dbx, .tbb, .adb, .doc, .wab, .asp, .uin, .rtf, .vbs, .html, .htm, .pl, .php, .txt and .eml. Upon finding addresses, it will spoof the origin address and e-mail itself to all the addresses it locates using its own SMTP engine. It may also be able to insert itself in “share” files and spread via instant messaging or file-sharing networks. Netsky.B doesn’t appear to avoid any specific e-mail domain names.
Netsky.A is similar to Netsky.B except that it draws from a smaller pool of subject lines, spoofed sender addresses, and attachment names, which may be enough to explain why it doesn’t spread as rapidly. As you can probably imagine, both Netsky worms mainly pose a degradation-of-service threat to the infected system, and Netsky.B in particular seems to single out Kaspersky’s antivirus software for special attention by deleting references to it from the Registry.
Netsky.C has also emerged, and Symantec has upgraded the newest version of Netsky—Netsky.D—to a 4 rating (out of 5) based on its fast spread, and not its destructiveness. Symantec also offers free Netsky removal tools.
Bagle
Bagle.B (which Symantec refers to as “Beagle.B”) is another widespread mass-mailing worm. Bagle.B opens a backdoor on TCP port 8866 on infected systems. Although Netsky.B is more widespread, Bagle.B is the more dangerous infection because of that backdoor.
Bagle will search for e-mail addresses and spoof the host’s address using its own SMTP engine when re-mailing itself to any addresses it finds in .wab, .txt, .htm, or .html files. It will not send infected e-mails to Hotmail, MSN, Microsoft, or AVP e-mail servers.
Mydoom
Meanwhile, the Mydoom worm (security report on 1/27/2004) keeps reappearing in different versions every few days. The latest release, Mydoom.F, is still rated as a significant threat and is spreading rapidly but not nearly as quickly as the other two. Mydoom.F is a mass-mailing worm that searches for e-mail addresses on the infected system, but there is a long list of e-mail host systems to which it will not transmit messages. Mydoom.F is mainly of interest because of the potential it poses to cause extensive damage to an infected system.
TrendMicro reports that the only difference between Mydoom.F and the initial Mydoom infection is that Mydoom.F doesn’t cease its attacks until February 2006. The original Mydoom doesn’t function on systems with a clock date after February 12, 2004.
McAfee reports that Mydoom.F also opens other ports between 3000 and 5000.
Applicability
All three of these worms and their variants affect every version of Windows from Windows 95 onward but do not affect Linux/UNIX or Macintosh systems.
Risk level—High to extreme
Despite not being as widespread (yet) as Netsky, especially when you count both Netsky.A and Netsky.B together, Bagle.B is by far the most dangerous of this trio of worms because it not only opens a backdoor but also transmits a notice that it has done so.
According to the Symantec report, every 10,000 seconds Bagle causes an infected computer to send “HTTP GET requests” on Port 80 to these Web sites:
- www.strato.de/1.php
- www.strato.de/2.php
- www.47df.de/wbboard/1.php
- www.intern.games-ring.de/2.php
The message includes the IP address of the infected host along with the backdoor port number.
Mydoom.F opens a backdoor on TCP port 1080 and attempts to attack both the www.microsoft.com and www.riaa.com Web sites by flooding them with mass mailings intended to cause a DoS event.
Sophos reports that the distributed denial of service attack will take place between the 17th and 22nd of any month and that two-thirds of the time it will be directed against Microsoft, with the remaining attacks against the RIAA music industry site.
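As an added illustration (not from the original article), the following Python script applies the indicators quoted above, the four Bagle.B check-in URLs and the TCP 8866 and 1080 backdoor ports, to a few constructed proxy and firewall log lines in a hypothetical format, flagging the internal host in each case; the beacon's query-string layout is an assumption, since the article gives only its contents.

```python
import re
# Indicators quoted in the article: Bagle.B check-in URLs and the backdoor ports.
BAGLE_CHECKIN = {
    "www.strato.de/1.php",
    "www.strato.de/2.php",
    "www.47df.de/wbboard/1.php",
    "www.intern.games-ring.de/2.php",
}
BACKDOOR_PORTS = {8866: "Bagle.B backdoor", 1080: "Mydoom.F backdoor"}
# Hypothetical, constructed log formats (not any real product's syntax):
#   <ts> proxy GET <client_ip> <url>
#   <ts> fw ALLOW <src_ip>:<sport> -> <dst_ip>:<dport>
PROXY_RE = re.compile(r"^(\S+) proxy GET (\S+) (\S+)$")
FW_RE = re.compile(r"^(\S+) fw ALLOW (\S+):(\d+) -> (\S+):(\d+)$")

def scan_line(line):
    """Return (internal_host, reason) if the line matches an indicator, else None."""
    m = PROXY_RE.match(line)
    if m:
        _ts, client, url = m.groups()
        # Drop scheme and query string: the beacon carries the host's IP and
        # backdoor port, but the article gives no parameter names to match on.
        target = re.sub(r"^https?://", "", url).split("?", 1)[0]
        if target in BAGLE_CHECKIN:
            return (client, f"Bagle.B check-in to {target}")
        return None
    m = FW_RE.match(line)
    if m:
        _ts, src, _sport, dst, dport = m.groups()
        reason = BACKDOOR_PORTS.get(int(dport))
        if reason:
            return (dst, f"inbound TCP/{dport} ({reason}) from {src}")
    return None
def scan(lines):
    """Group findings by internal host: {host: [reason, ...]}."""
    findings = {}
    for line in lines:
        hit = scan_line(line)
        if hit:
            findings.setdefault(hit[0], []).append(hit[1])
    return findings

# Constructed sample log (the beacon's query-string layout is invented).
SAMPLE_LOG = """\
2004-03-02T10:00:01 proxy GET 10.0.0.12 http://www.strato.de/1.php?ip=10.0.0.12&port=8866
2004-03-02T10:00:05 proxy GET 10.0.0.12 http://www.strato.de/index.html
2004-03-02T10:01:10 fw ALLOW 203.0.113.5:40112 -> 10.0.0.7:8866
2004-03-02T10:02:30 fw ALLOW 203.0.113.9:51000 -> 10.0.0.9:1080
2004-03-02T10:03:00 fw ALLOW 10.0.0.9:3344 -> 198.51.100.2:80
""".splitlines()
```

Hosts that beacon out but show no inbound hit are still worth isolating, since the beacon itself advertises the backdoor to whoever reads those pages.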
Netsky is rated as high risk because of the effort required to clean it out, but it does not pose as serious a threat to the system’s integrity as Bagle.B, which I would rate as extremely dangerous, or Mydoom.F, which I would rate as a bit less dangerous only because it is not spreading very rapidly. Mydoom.F may pose a much greater threat to usability than Netsky because it also searches for and deletes a significant proportion of .doc, .xls, and other files at random.
Final analysis
As always, good e-mail practices would protect users and systems alike from any of these infections, but because these e-mails vary their subject lines and other text, it is difficult to warn users about them other than by banning all e-mail attachments (an action that some companies are actively considering).
A well-configured desktop firewall would block the backdoor opened by Bagle.B and the worm will, in any case, cease operating if the system date is February 26, 2004 or later.
Just how dangerous each of these worms is depends a lot on the contents of your system and whether you use any protective software. Netsky.A and B, which mainly pose a degradation of service threat, will not be much of a problem unless you have a large number of e-mail addresses stored on your system.
Since the last week of February, multiple new variants of all three of these worms have been released and have begun targeting each other in what has escalated into a form of electronic warfare, as this article from News.com explains.