MyDoom, Bagle, Netsky: Herd of Worms Fools the Unwary
Severity: Medium
3 March, 2004
Virus Alert Update:
Since last week, one dozen worm variants have stormed onto the Internet as
the authors of MyDoom, Bagle, and Netsky compete for victim computers. And we
mean "compete" literally. Recent variants (Bagle.J, MyDoom.G, and Netsky.C)
contain trash talk in their code, with the authors of Bagle and MyDoom
apparently ganging up on Netsky -- a worm that removes MyDoom from victim
machines.
What does all this mean to you? Here are concise answers:
You do not need to do anything new if you followed our February alerts on MyDoom.F, Bagle.B, and Netsky.B.
All the variants use the same file types as their earlier versions. The ports
they attack are still high-number ports that WatchGuard products block by
default. If any worm uses a new attack vector, we will alert you; otherwise,
we'll let this avalanche of variants pass without comment (you're probably
getting enough email as it is!).
Warn your users about new, clever "social engineering" in the worms.
Practice makes perfect, and these worm authors are getting lots of practice
inventing sly new angles to tempt users to execute infected email attachments.
Two to watch out for:
- Some worm variants arrive as a password-protected .ZIP attachment, with
the password specified in the body text. Anti-virus engines can't see into
password-protected .ZIP files, so these are likely to get past your anti-virus
scanner. Many users assume a virus author wouldn't password-protect the virus
and then expect you to enter the password, extract the file, and double-click
it -- so the users do just that, and infect themselves. Warn your users about
this technique.
- Bagle.J is smart enough to learn the name of the domain it has arrived in,
then customize its text to resemble a message from someone within your
network. For example, one version reads, "Dear user of [your domain].com
gateway e-mail server, Our main mailing server will be temporary unavaible for
next two days, to continue receiving mail in these days you have to configure
our free auto-forwarding service. For more information see the attached file."
The body text can be signed by "administrator@[your domain].com." Gullible
users will believe this is an email from you, and obediently open the
attachment. (Read all the details here.) Warn your
users about this technique so they can tell forged messages from your
authentic emails.
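As an added example that is not part of the original alert, here is a mail-gateway check in Python for the first lure described above: it reads only the ZIP attachment's metadata (the encryption bit in each entry's general-purpose flag, and the entry names, which stay readable even in a password-protected archive), holds encrypted archives for review, and quarantines them when the body text also mentions a password. The list of executable extensions, the sample archive and the sample message are constructed assumptions, not data from the alert.

```python
import io, re, zipfile
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat")  # assumption: the alert does not list the types
PASSWORD_HINT = re.compile(r"\bpassword\b", re.IGNORECASE)

def zip_findings(blob: bytes) -> dict:
    """Metadata only: flag bit 0 marks encryption; entry names are readable regardless."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()
    return {"encrypted": any(i.flag_bits & 0x1 for i in infos),
            "risky_names": [i.filename for i in infos if i.filename.lower().endswith(RISKY_EXT)]}

def classify(raw: bytes) -> str:
    """'allow', 'review' or 'quarantine' for one raw RFC 822 message; an encrypted
    archive whose password sits in the body text is the lure the alert describes."""
    body, verdict = "", "allow"
    for part in message_from_bytes(raw).walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/plain" and not name:
            body += part.get_payload(decode=True).decode(errors="replace")
        elif name.endswith(".zip"):
            found = zip_findings(part.get_payload(decode=True))
            if found["risky_names"]:
                return "quarantine"      # executable inside, encrypted or not
            if found["encrypted"]:
                verdict = "review"       # scanner cannot see the content; hold it
    return "quarantine" if verdict == "review" and PASSWORD_HINT.search(body) else verdict

def build_sample(inner_name: str, encrypted: bool) -> bytes:
    """Constructed one-entry ZIP (sample data, not a worm); the encryption flag is
    patched into both headers by hand because zipfile cannot write encrypted archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, b"constructed sample content")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 1                              # local file header: general-purpose flag
        data[data.find(b"PK\x01\x02") + 8] |= 1   # central directory record: same flag
    return bytes(data)

def build_message(body: str, zip_blob: bytes) -> bytes:
    """Constructed multipart message carrying the body text and the ZIP attachment."""
    msg = MIMEMultipart()
    msg.attach(MIMEText(body))
    msg.attach(MIMEApplication(zip_blob, Name="service.zip"))
    return msg.as_bytes()
```

Because the names inside a traditionally encrypted ZIP are not themselves encrypted, the executable-name check still fires on password-protected archives.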
Keep your anti-virus definitions up to date. But you didn't need us to
tell you that, did you?
Some of the variants contain expiration dates later in March, when they'll
stop infecting and, in some cases, delete the registry keys they planted on
victim machines. So we're probably near the peak of the problem now.
As we wrote this, F-Secure announced the discovery of Bagle.K. Same ol' same
old: it spreads using the same file types as ever, provides another example of
an attachment that is a password-protected .ZIP file, and contains vulgar taunts
to the author of Netsky. Leave your defenses in place, hunker down, and
eventually we'll look back on this period and bore new employees with stories of
how we survived. "You young'uns got it easy now! Why, back in my day, they put
out worms by the dozen! In the winter! But did we cave in?
No, you whippersnappers ..."
References:
F-Secure descriptions:
LiveSecurity descriptions: (includes firewall settings and countermeasures)
Write-ups of "virus war" insults found within worm code.
This alert was researched and written by Scott Pinzon.