Latest Worm Infestation Puts Security Firms on Alert | eWeek

Latest Worm Infestation Puts Security Firms on Alert

Verfasst von
Larry Seltzer
Larry Seltzer
Mar 1, 2004
2 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

The rapid spreading of several variations on recent mass-mailing worms that were released to the Internet over the weekend has caused security companies to raise their alert status levels.

/zimages/1/28571.gifRead“Virus Outbreak: More E-Mail Worms Are Set Loose.”

Five variations of the Bagle worm (also known as Beagle) are among them. Bagle.C arrived Friday night, with D, E, F and G showing up later. Most of the functionality of the worms is similar to each other and to Bagle.A and Bagle.B, with some minor and one major advance.

Because of the quickness of spreading and severity of the attacks, Panda Software has raised their alert status to red. Symantec has categorized Netsky.D and Bagle.E as “Category 3—Moderate.” Netsky.B, discovered on Feb. 18, is still categorized as “Category 4—Severe.”

/zimages/1/28571.gif

According to security intelligence firm iDefense, 50 percent of the time that Bagle.F and Bagle.G spread themselves, either through a mass-mailing or by copying themselves to network and peer-to-peer sharing directories, they will send a password-protected ZIP file and include the password in the body of the message. This prevents gateway anti-virus scanners from opening the ZIP file and scanning it. An on-access file scanner on a users desktop would still detect the attack if it were up to date and the anti-virus vendor had protection for that specific worm.

The Bagle variants also open a back door on TCP port 2745 where it listens for commands. Reports from Internet intrusion detection systems, such as DShield.Org, indicate a sharp recent increase in port 2745 attacks.

The new Bagle variants also include friendly icons to trick the user into launching them, generally through network shares. Bagle.C will use either an Excel or Windows Calculator icon. Bagle.D will use an Excel icon. Bagle.E will use a Text file icon, and Bagle.F and Bagle.G will use a folder icon. Bagle.C and D have a cutoff date of March 14, 2004, while E, F and G have cutoff dates of March 25, 2004.

/zimages/1/28571.gif

Netsky.D also scans a variety of fields on the system for e-mail addresses. Unlike its predecessors, Netsky.B in particular, it creates multiple threads for sending e-mails, and therefore has the potential to spread much more quickly.

The infected attachment can have any of a variety of names, ending in .pif. The attachment is 17,424 bytes large.

Like many other recent worms, Netsky.D attempts to remove infections from other recent worms, specifically Mydoom.A and Mimail.T, perhaps to clear the way for it to work better. According to Panda Software, when the system date is March 2, 2004, between 6:00 a.m. and 8:59 a.m. the worm will produce random noises.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.