By Staff Writer, E-Commerce Times, part of the ECT News Network
03/01/04 10:38 AM PT
The plague of malware appears to be escalating worldwide. While the worm variant Netsky.D bombards e-mail inboxes around the globe, an even newer version, Netsky.E, is already being analyzed, according to Joe Hartmann, director of North America antivirus research at Trend Micro (Nasdaq: TMIC).
"There has been a flood of viruses over the last two to three weeks and even today," Hartmann told the E-Commerce Times. "We seem to get new variants every other hour."
In addition to the new Netsky worms, five new variants of the Bagle worm (C, D, E, F and G) were found in the wild over the weekend, with the Bagle-C variant considered the most prevalent by Sophos, another antivirus firm.
Garden Variety
Hartmann described Netsky.D as a garden-variety mass-mailing worm: relatively unsophisticated and without a highly malicious payload. Apparently, the worm will generate a beeping sound on affected computers between 6:00 a.m. and 9:00 a.m. on Tuesday.
Netsky.D's primary action is to spread itself via e-mail and the Kazaa file-sharing network. The worm does not rely on much social engineering, yet people apparently are opening its attachments anyway. Hartmann said he finds this puzzling, though he has noticed that in this new incarnation the author has made the subject lines and message bodies a little more interesting, perhaps taking cues from spammers.
In addition, Hartmann said, the author appears to have found a good distribution channel for this latest version of Netsky, targeting end users heavily because so many do not have up-to-date antivirus software.
Unlike end users, Hartmann added, enterprises are doing a relatively good job of stopping new worms at the gateway, where software like Trend Micro's strips malware from e-mail messages before they reach users. Corporate users are nevertheless able to report the worm's presence, he said.
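A minimal version of the gateway check Hartmann describes, added here as an illustration and not Trend Micro's or any other vendor's code: it parses an inbound message with Python's standard email library, drops any attachment that either starts with the PE/DOS "MZ" magic or hides an executable extension behind a double extension (the padded "readme.txt      .exe" trick included), and records each removal in a header. The blocked-extension list, the X-Gateway-Stripped header name and the sample message are constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions the gateway refuses outright. This list is an
# assumption for the example, not any vendor's signature set.
BLOCKED_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}


def is_executable_attachment(filename, payload):
    """Decide whether an attachment should be stripped.

    Two independent checks: the PE/DOS 'MZ' magic at the start of the
    decoded payload (a renamed executable still starts with it), and every
    extension in the filename, so that 'readme.txt.exe' and the padded
    'readme.txt      .exe' trick are both caught.
    """
    if payload[:2] == b"MZ":
        return True
    if not filename:
        return False
    parts = filename.lower().split(".")
    return any("." + p.strip() in BLOCKED_EXTENSIONS for p in parts[1:])


def strip_executables(raw_message):
    """Parse a raw message, remove executable attachments in place and
    record each removal in an X-Gateway-Stripped header (header name is
    an assumption for this example).

    Returns (cleaned EmailMessage, list of removed filenames).
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    removed = []
    if not msg.is_multipart():
        return msg, removed
    parts = msg.get_payload()          # live list of immediate sub-parts
    for part in list(parts):
        if part.is_multipart():
            continue                   # nested containers are kept as-is here
        filename = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        if is_executable_attachment(filename, payload):
            parts.remove(part)
            removed.append(filename or "<unnamed>")
    for name in removed:
        msg["X-Gateway-Stripped"] = name
    return msg, removed


def build_sample_message():
    """Constructed lure: a one-line body, a fake 'MZ' blob disguised with a
    double extension, and a harmless text attachment that must survive.
    The fake executable is 32 bytes of padding, not a worm body."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Re: your document"
    msg.set_content("Please see the attached document.")
    msg.add_attachment(b"MZ" + b"\x00" * 30, maintype="application",
                       subtype="octet-stream", filename="document.txt.exe")
    msg.add_attachment("Quarterly figures\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_executables(build_sample_message())
    print("stripped:", removed)
    print("remaining attachments:",
          [p.get_filename() for p in cleaned.iter_attachments()])
```

The magic-byte check matters more than the extension list: a filter that trusts the filename alone is defeated by a renamed binary, and an extension blocklist is only ever as current as its last update.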
Catching the Culprit
"I wouldn't be surprised if the writer [of all of the Netsky viruses] was the same person, perhaps a teenager, who is getting a kick out of all the media attention from outlets like CNN and online news magazines," Hartmann said. "The good thing for us is that any virus author who is writing so many variants so quickly will make mistakes, making it easier for the FBI, other government agencies and Trend Micro to catch [him or her]."
Hartmann declined to offer more information about aspects of the virus and suspected author. He said Trend Micro is working closely with the FBI and does not want to compromise the investigation.
A Virus by Any Other Name
Hartmann also noted that virus writers usually do not test their creations before unleashing them on the public. This may explain why new viruses try to strip host computers of older ones: an earlier infection must not interfere with the newer code's ability to run its own payload. Netsky.D, for example, attempts to delete the registry entries that start such malware as MyDoom, Mimail and earlier variants of Netsky.
"By purporting to remove other viruses, the writer tries to ensure his virus is the only one on the machine and that it is not being interfered with by others," Hartmann said. "On the one side, it appears to be helping to clean the system, but in the end, a virus is still a virus. It is still malevolent. It still floods Exchange and mail servers and crashes systems."
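The registry entries Hartmann refers to are autorun values, the same persistence surface a responder audits when cleaning up after a mass-mailer. The following is an added example, not Trend Micro's analysis of Netsky.D: it parses a constructed .reg export of the Run keys, pulls the image path out of each command line (quoted or not), and flags entries that launch from user-writable locations such as a profile or temp directory. The value names and paths in the sample are invented and are not the real artefacts of Netsky, MyDoom or Mimail.

```python
import re

# .reg export of both Run keys, constructed for this example. The value
# names and paths are made up; they are not Netsky's, MyDoom's or Mimail's
# real registry artefacts.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AntiVirusTray"="\"C:\\Program Files\\ExampleAV\\avtray.exe\" /silent"
"ExampleWormA"="C:\\WINDOWS\\ExampleWormA.exe -startup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleWormB"="C:\\Documents and Settings\\alice\\Local Settings\\Temp\\taskmon.exe"
"Messenger"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
'''

# Section headers of the two autorun keys (and RunOnce) we care about.
RUN_KEY_RE = re.compile(r"\\Windows\\CurrentVersion\\Run(Once)?\]$", re.I)
# One "Name"="Value" line; both sides may contain \" and \\ escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Path fragments that mark directories an ordinary user can write to.
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\", "\\users\\", "\\temp\\",
    "\\local settings\\", "\\application data\\", "\\appdata\\",
)


def _unescape(s):
    """Undo .reg escaping: \\" -> " and \\\\ -> \\."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text):
    """Return (key, value_name, command) for every value under a Run key."""
    entries = []
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1] if RUN_KEY_RE.search(line) else None
            continue
        if current is None or not line:
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((current, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def image_path(command):
    """Extract the executable path from a Run value's command line.

    A quoted path ends at the closing quote; an unquoted one is taken up to
    the first '.exe', which is how a path with spaces is usually resolved.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find(".exe")
    if idx >= 0:
        return command[:idx + 4]
    return command.split(" ", 1)[0]


def audit_run_entries(reg_text):
    """Return (key, value_name, path) for entries launching from a
    user-writable location."""
    flagged = []
    for key, name, command in parse_run_entries(reg_text):
        path = image_path(command).lower()
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            flagged.append((key, name, path))
    return flagged


if __name__ == "__main__":
    for key, name, path in audit_run_entries(SAMPLE_REG_EXPORT):
        print(f"suspicious autorun: {key}\\{name} -> {path}")
```

The check is deliberately a location heuristic, and it shows its limit on the sample: the entry that points into the Windows directory (ExampleWormA) is not flagged, so a real audit still has to verify every image path against a known-good inventory or a file hash rather than trusting where it sits.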
Bagle Malice Takes New Twist
In terms of the Bagle worm, Aberdeen Group vice president of security and privacy Jim Hurley told the E-Commerce Times that the two newest variants -- which reports have said can slip past antivirus gateways -- appear designed to ensure that infected PCs, whether clients or servers, cannot be disinfected.
Hurley noted that when he opened his e-mail program Monday morning, he received 20 to 25 messages that had made it past his firm's firewall. While most of those e-mails were stripped of malware, a few were not.
He also noticed that the e-mails came from host sites and domain names with which he had no reason to be in correspondence.
"It's intriguing," Hurley said. "In the past, there has usually been some correlation between the recipient and the sender. This appears to be a new twist."