Virus Outbreak: More E-Mail Worms Are Set Loose


Written By
Dennis Fisher
Mar 1, 2004

Maybe it's the weirdness of having 29 days in February or some misplaced glee that spring is coming, but for whatever reason virus writers went on a rampage during the last week, unleashing more than a half-dozen new viruses.

Since Friday, five new versions of the Bagle virus have appeared, not to mention a couple of fresh variants of NetSky. None of the viruses appears to be particularly clever or innovative. However, several of them already have proved to be quite effective.

The most widespread of the new malware is NetSky.C, which has infected nearly 100,000 machines since its debut Feb. 25, according to Trend Micro Inc. NetSky.D also is on the loose and is a bit odd in that it attempts to deactivate two earlier worms, MyDoom.A and MyDoom.B. This variant was gaining ground Monday morning, anti-virus companies said.

By Monday afternoon, most of the major anti-virus vendors had rated NetSky.D as a high risk, although it had only infected about 600 machines, according to Trend Micro's statistics.

In addition to searching for the MyDoom worms, once this variant is executed on a new machine it plays a “hideous beeping noise” for several seconds that sounds something like the aliens' attempts at music in the movie Close Encounters of the Third Kind, onlookers reported.

But the virus family making the biggest splash this week by far is Bagle. Variants C, D, E, F and G all have appeared within the last few days, and like all of the other new viruses, are mass-mailers. The Bagle viruses typically include a ZIP file that is infected with the actual virus. The sending address is spoofed, and the subject lines and attachment names are random.

The two latest versions of Bagle, F and G, have protected the infected attachment with a password, preventing anti-virus scanners from examining it.

How bad has it gotten? Network Associates Inc.'s AVERT (Antivirus and Vulnerability Emergency Response Team) group has had to go into its emergency process eight times in 2004 already, more often than in all of 2002 or 2003. In anti-virus research, the how and the what are always more easily answered than the why, and this latest wave of attacks is no exception, experts say.

“There are a lot of possibilities why it's all happening. It could be that there's a competition between a couple of groups to see who can get the most press or the most notoriety,” said Vinny Gullotto, vice president and head of the AVERT group at NAI, based in Santa Clara, Calif. “Or they could just be taking advantage of all of the compromised machines that are already out there and scanning for them to drop these threats on.”

Gullotto said there seem to be fewer people actually opening the infected attachments that these viruses carry. But, because the viruses all send out multiple e-mails to the addresses on infected machines and spoof the sending address, there are more copies of the viruses in circulation than during past outbreaks.

“The only good news is that we haven't seen a huge outbreak like we did with MyDoom.A,” he said.

Editor's Note: This story was updated to include new information on the spread of the NetSky.D worm on Monday.
