Two recent big hitters from the malware world have made an unwelcome return, with variants of the self-propagating Netsky and Bagle worms flooding users' inboxes worldwide.
An absolute glut of Bagle variants - C, D, E, F and G - all broke out over the weekend, while Netsky.D appeared this morning, immediately raising concerns about the extent of damage it could do as its spread appears to echo that of the devastating Sobig virus last year.
Antivirus vendors were very quick to upgrade the Netsky.D worm to their highest threat rating.
Graham Cluley, senior technology consultant for Sophos, said: "We are getting reports from companies that thousands of copies of [Netsky.D] have started clogging up their email systems - in a similar way to the Sobig virus last year."
Both worms are mass mailers and show little that is new in the writers' arsenal. The biggest complication is with the most recent variant, Bagle.G, which carries the virus inside an encrypted .zip file and is therefore very likely to evade detection.
While .exe attachments are easily blocked, .zip files are far likelier to get through.
Cluley said: "However good an ISP, web email account or antivirus gateway product may be at scanning email, it will be useless at detecting the worm inside the encrypted Zip file."
But perhaps the most interesting aspect of the outbreaks is the sheer number of Bagle variants.
David Emm, marketing manager at McAfee Avert, said: "It's not unusual to see lots of variants, but I can't remember when we have seen so many in such a short amount of time."
One theory, put forward by Mikko Hypponen, head of antivirus response at Finnish firm F-Secure, is that the barrage of evolving variants, each slightly different from the previous one, is an attempt to stay one step ahead of the antivirus industry: it keeps vendors on their toes and increases the likelihood that one variant is afforded a sizeable window of opportunity to do serious damage.
Munir Kotadia writes for ZDNet UK
Comments
There are 10 comments.
1. Jack
Please update the anti-virus program in order to be virus-free.
2. anonymous
Who are these people that open these zip files? I've had these files sent to me many times and it is so obvious that they are what they are. Some very basic rules - 1. Don't open any attachments that come from a source you do not recognise - delete them immediately. 2. Make sure your virus scanner is up to date. 3. Don't publish your real e-mail address to any news groups or web sites. Anybody care to add anything?
3. Eddie Bleasdale
Why does Microsoft offer the feature where email attachments can be executed? This feature is not available in any other mainstream operating system. The result is that viruses are a problem that is unique to Microsoft.
The damage caused by viruses would simply cease if this feature was withdrawn. Where attachments need to be executed they can be run in the Java Virtual Machine - which protects the computer from malicious code.
Would Microsoft explain why they have provided this feature and do they have any plans to withdraw it?
4. Peter Dalheimer
Nice comments about the history of the virus (Netsky D) and the 'sequence of events'. Would it not be more helpful to advise on how to get rid of it when you've got it? I received it at 9.09 h, I got my security update from my virus protection program at 13.05, I managed to delete one infected file but could only quarantine the other (..winlog.exe) since .exe files cannot be deleted.
I would welcome information about software (I know this is available) to 'clean' this .exe file. Though I am assured that a quarantined file does no harm to my PC, I would still prefer to avoid these pop-up windows from my antivirus people telling me that I've got it but it is quarantined and does not harm my PC. Any suggestions.....?
5. anonymous
Peter,
It may be an idea to change your antivirus software.
6. GHMurphy
Try updating to the latest virus definitions for your protection/detection software then restart your computer in safe mode and run your virus detection program. In safe mode you can delete the infected files.
7. Galactic
Why is it I have just had some silly person open a virus...and they knew it was a virus..... then spread it through my company network...and to make matters worse.....the company anti-virus (Norton) can do nothing to cure the virus or to delete the bugger...... Well...I just chose to quarantine the 3 infected emails and then delete them!
8. anonymous
I've just received an email from The Co.uk - whoever they are - advising me that a lot of infected messages have been traced to me and advising me to open a "virus treatment" attachment. I'm assuming this is a ruse, but does anyone know differently?
PS: I haven't opened the attachment.
9. Frank smith
I have the same from 'support'.
As I'm support, I know it wasn't me!
It's a very clever virus, and I'm waiting on the calls from clients.
10. Solina
*hint hint* TXT files don't have EXE icons. Nor do they have PIF icons. I've received quite a few e-mail attachments (ZIP format) with filenames like "message.txt .PIF". The thing with PIF files is, there is no way to stop Windows from hiding their extension (unless you use an OS tweak).
But I must agree with the poster somewhere above, who commented on people opening ZIP files... I guess people are experts at Outlook/whatever but total n00bs when it comes to the WinZip interface.
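As an added example (not code from the article or from any commenter), here is a gateway-side attachment check covering the two tricks this page describes: Bagle.G hiding its payload in an encrypted ZIP, which no scanner can inspect (article), and "message.txt .PIF"-style double extensions (comment 10). The helper that builds a sample archive and sets the encrypted flag bit by hand is hypothetical test scaffolding; the member body is dummy text.

```python
import io
import re
import struct
import zipfile

# Extensions Windows will execute on double-click; PIF and SCR are classic decoys
# because Explorer hides those extensions regardless of the folder-view setting.
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js"}
DOUBLE_EXT_RE = re.compile(r"\.(\w{2,4})\s*\.(\w{2,4})$")

def suspicious_name(name):
    """Return a reason if the attachment name is an executable, possibly disguised."""
    ext = name.rsplit(".", 1)[-1].lower()
    if ext not in EXECUTABLE_EXTS:
        return None
    m = DOUBLE_EXT_RE.search(name)
    if m:  # e.g. "message.txt .PIF": decoy .txt, real .PIF, padded with spaces
        return f"double extension: looks like .{m.group(1)} but runs as .{m.group(2)}"
    return f"executable attachment (.{ext})"

def scan_zip(zip_bytes):
    """Inspect a ZIP attachment's headers without extracting anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Bit 0 of the general-purpose flag marks an encrypted member: a
            # gateway scanner cannot look inside, so the archive is unscannable.
            if info.flag_bits & 0x1:
                findings.append(f"{info.filename}: encrypted member, cannot be scanned")
            reason = suspicious_name(info.filename)
            if reason:
                findings.append(f"{info.filename}: {reason}")
    return findings

def build_sample_zip(member_name, encrypted=False):
    """Constructed sample archive (hypothetical helper). When encrypted=True the
    encrypted flag bit is set by hand in the local and central-directory headers;
    the member body itself is dummy text, not a real worm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, b"dummy body")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            flags = struct.unpack_from("<H", data, pos + flag_offset)[0]
            struct.pack_into("<H", data, pos + flag_offset, flags | 0x1)
    return bytes(data)
```

A policy that quarantines any archive with an encrypted member, rather than trying to scan it, is the practical answer to Cluley's point that the gateway is blind to such content.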