Worm variants run amok

Antivirus vendors are rushing to update signature files to detect new Lovegate, Netsky and Sober worm variants. All can be stopped at the gateway by stripping executable files.

Lovegate-V uses .exe, .scr and .pif extensions, as well as double extensions, according to Bruce Hughes, director of malicious code research at TruSecure's ICSA Labs and moderator of the WildList. "Lovegate-V attempts to access, as administrator, all machines on the local network," he said. It installs a backdoor, uses a random port and steals data via FTP and SMTP. Lovegate is also a share crawler and will spread over a LAN.

Netsky-S carries executable .zip, .pif, .bat, .cmd and .scr files and installs a backdoor.

Sober-F travels as either a .pif or a .zip file and sends its message in either German or English depending on the domain of the e-mail address it's sent to. It doesn't install a backdoor, but was gaining the most traction Sunday.

The worm is ranked as a medium-level threat for corporate users. Sober-F adds files to the system folder and creates registry keys to execute on system boot. According to officials at Santa Clara, Calif.-based Network Associates, "This worm is intended to spread by sending itself to e-mail addresses found on the local system. The worm does not use any exploits in order to execute the attachment automatically. The worm is difficult to find and hides from many antivirus scanners."

Experts recommend filtering executable attachments -- .exe, .pif, .scr, .com, .bat, .vbs, .lnk, and .hta, among them -- at the gateway and disabling HTML in e-mail either by filtering at the e-mail perimeter or at the e-mail client.
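The gateway filtering recommended above can be sketched as follows. This is an added example, not code from the article or from any vendor it quotes; the function names and the sample message are constructed for illustration, and it goes slightly beyond the text by also looking inside .zip attachments, since Netsky-S and Sober-F travel zipped.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the article (.cmd is from the Netsky-S description).
BLOCKED = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".lnk", ".hta"}

def blocked_name(name):
    """True if the last extension is blocked, so 'a.jpg.pif' is caught too."""
    name = name.strip().rstrip(". ").lower()  # Windows drops trailing dots/spaces
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED

def scan_message(raw):
    """Return (filename, reason) pairs for attachments the gateway should strip."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if blocked_name(fname):
            hits.append((fname, "executable extension"))
        elif fname.lower().endswith(".zip"):
            try:  # look inside archives, since the worms also travel zipped
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    bad = [n for n in zf.namelist() if blocked_name(n)]
            except zipfile.BadZipFile:
                hits.append((fname, "unreadable archive"))
                continue
            if bad:
                hits.append((fname, "archive contains " + ", ".join(bad)))
    return hits

def build_sample():
    """Constructed message: a double-extension file, a zip, a harmless file."""
    msg = EmailMessage()
    msg.set_content("constructed sample body")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                       filename="document.txt.pif")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.scr", b"MZ")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="message.zip")
    msg.add_attachment(b"hello", maintype="application", subtype="octet-stream",
                       filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Only top-level attachments are examined; a production gateway would also walk nested multipart sections and forwarded messages.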

"I suspect the virus writers are launching these things from zombie computers or bot farms to get the 'instant spread,'" said Roger Thompson, vice president of product development at PestPatrol.

NAI description of Sober-F
Trend Micro description of Netsky-S