A barrage of Bagle worm variants, along with a new Netsky worm, kept up many a virus researcher busy this weekend.
Bagle-C appeared late on Friday and was followed by four other variants in quick succession. "It appeared the writer was monitoring the antivirus vendors and, when detection was added, he changed the worm," said Mikko Hypponen, manager of antivirus research for Finland-based F-Secure Corp.
Just this morning, Netsky-D started spreading quickly. In terms of social engineering, the new Netsky variant is similar to its brethren. It uses a single word or a short phrase for its subject lines and message bodies.
The worm attached to the messages is a program information file (with a .pif extension). This kind of file normally is used to help Windows run non-Windows programs. Most people probably don't realize that such files can contain executable code and that they are becoming increasingly popular with worm writers.
There aren't too many differences among Bagle-C, -D and -E. They used varying subject lines and message bodies. Bagle-F and -G, however, use a new trick; they travel as password-protected .zip files, with the password in the message body. "That technique can get around ISP or webmail scanning, as the scanner wouldn't be able to look inside the protected file," said Graham Cluley, senior technology consultant with U.K.-based Sophos PLC.
But such an approach has a major weakness, Cluley said. "It would require a little more user interaction, as they would need to enter the password to open the file," he said.
The Bagle variants all send copies of themselves using self-contained SMTP engines. They spoof the sender's address so it's hard to detect which machine actually sent the message. The worm finds e-mail addresses to send itself to by scanning infected systems.
The variants also use a variety of icons to lull recipients into thinking the attached worms are legitimate files. For example, Bagle-F appears to be a file folder. Bagle-E appears as a text file, and Bagle-C seems to be an Excel file. Savvy users will notice, however, that the file extensions don't reflect those file formats.
The Bagle variants also open up TCP port 2745 on infected machines. The open port tries to notify the worm writer that it's ready to accept instructions.
The multitude of worms that appeared over the weekend may leave some security pros dizzy -- but worm outbreaks don't have to have that effect, said Ian Hameroff, director of eTrust security products for Islandia, N.Y.-based Computer Associates International Inc. "People shouldn't treat malware in an episodic fashion."
For example, blocking executable file types such as .exe, .pif and .scr would block many viruses and worms, including Netsky-D. ".Pifs haven't been a relevant file extension since the Windows 3x days," he said.
Traditionally, companies have resisted blocking .zip files, because they do have a legitimate business purpose. Given the recent use of the file format by worm writers, it may be time for companies to strongly consider blocking .zips.
The Netsky variants "are further examples that worms are finding success in using .zip file extensions, and this file extension can no longer be known as a safe, acceptable file to allow through e-mail gateways," said Bruce Hughes, director of malicious code research at Herndon, Va.-based TruSecure Corp.