RemedySpot.com

And Yet Still Another New Virus Worm.....


Guest guest

Net users hit with two new worms

Random e-mails infected with Netsky, Bagel hard to spot

By Bob Sullivan

Technology correspondent MSNBC

Updated: 6:21 p.m. ET Feb. 18, 2004

Internet users who have barely finished cleaning up the mess left in their inboxes by the recent Mydoom virus outbreak are discovering there's plenty more where that came from. Antivirus companies have already rung the alarm bell twice this week, with two new e-mail pests making the rounds at a fairly steady clip.

Ironically, the Netsky virus, discovered on Wednesday, is designed in part to repair Mydoom-infected machines.

Netsky spread quickly on Wednesday morning, with most antivirus firms assigning it a medium risk rating. It's a tricky bug for consumers to spot, as its subject lines and included message are almost completely random. Among the subject lines spotted so far by researchers: "I found this document about you," "Is that true," "my hero," and "You are a bad writer." Users must click on the attached message — which also has a random name — to become infected.

The messages are simple, but tempting, said Joe Telafici, virus researcher at Network Associates Inc.

"The trend lately is very vague messages," he said. "Sometimes just two words (or) 'Check this out.'"

Another trend this worm is following: It essentially removes both Mydoom and MiMail viruses when it attacks a machine. The virus writer's motivation for doing so is unclear, although Telafici said there's a message buried inside Netsky's code that suggests the author fancies himself or herself as part of an antivirus company.

By midday ET Wednesday, Network Associates was receiving between 40 and 50 submissions per hour from customers, a rate well below that of Mydoom, but higher than most viruses during their initial stages. Symantec Corp. was receiving about the same amount of submissions, according to Senior Director of Engineering Alfred Huger.

"It seems to be still spreading steadily," Huger said.

An initial version of Netsky was released on Monday, but it failed to spread. Apparently, the author made adjustments to the worm, and the improved Netsky.B started infecting computers Wednesday morning.

New Bagel has backdoor

The only good news about Netsky: It doesn't appear to do anything malicious to infected machines, Huger said. "Its only goal is to spread."

That's not true of another upgraded worm, Bagel.B, which began infecting computers on Tuesday morning. Bagel.B, which is also rated a medium threat by most antivirus companies, leaves a backdoor on infected machines. It sends an electronic notification to Internet addresses in Germany whenever a machine is infected.

Even though the spread of Bagel.B has leveled off considerably, Huger said the backdoor component means it's a bigger threat than Netsky.

"The threat from the backdoor is significant," he said. Like many worms of late, researchers speculate the virus writer intends to use compromised machines to launch spam campaigns.

The initial Bagel worm, discovered in mid-January, didn't spread quickly, but Tuesday's version made its mark. Antivirus firm MessageLabs said it had trapped 95,000 copies of the worm by lunchtime Tuesday.

"We were getting 10,000 an hour at one point," said MessageLabs CTO Mark Sumner. "Then it started to level off. It peaked yesterday."

And like Netsky, it is hard for consumers to spot because its subject lines and message body are randomly generated

~ "We all take different paths in life, but no matter where we go, we take a little of each other everywhere." ~

~ "If I could reach up and hold a star for every time you've made me smile, the entire evening sky would be in the palm of my hand."
