Three relatively new worm strains -- Bobax, Kibuv and Lovgate-AB -- target Windows machines that have already been hit by Bagle or Sasser, lack the patches announced in MS04-011 or have other holes to wiggle through. At this point, there's no evidence they're wreaking the havoc of their predecessors.
Spammers created Bobax to generate an army of compromised machines that can be used for large-scale e-mailing, according to PivX Solutions, a threat mitigation company out of Newport Beach, Calif. It's generating heavy traffic on port 5000, using the uPnP service to identify Windows XP machines and then infecting those that still have the LSASS vulnerability.
Kibuv is a refined worm that creates an army of zombie machines that await additional instructions on port 420, PivX said. It tries to exploit seven different vulnerabilities to infect Windows machines, ranging from the Messenger Service buffer overflow, the uPnP overflow and LSASS to several back doors left open by Bagle and Sasser.
Abingdon, U.K.-based antivirus software maker Sophos anticipates the impact of Bobax will be limited because of the large number of corporations that have already applied the Microsoft patch and reconsidered their firewall protection since the Sasser outbreak. But it urges users not to be complacent.
Rob Shively, chief executive officer of PivX, joins a growing chorus of security experts who believe companies need to abandon the patch-as-you-go approach in favor of blocking technology that keeps these worms at bay while IT managers carefully review which fixes they need.
"These are quick-hitting worms," he said of Bobax, Kibuv and their successors. "They do their damage, then, before you know it, a new variant has materialized. They infect your network faster than you can keep up with the new patches."
McAfee AVERT of Beaverton, Ore., has raised the risk assessment on Lovgate-AB to medium. Once activated, Lovgate-AB e-mails itself to addresses found on the victim's machine as an attachment that is either a .zip archive or an .exe, .scr, .pif, .cmd or .bat file. The .zip file may have a .zip or .rar extension, and may also be dropped to the root of local and mapped drives. The virus also has the ability to perform a companion infection of .exe files, replacing the original file with a copy of itself and then renaming the original with a .zmx extension. The worm also terminates processes associated with various antivirus and security products.
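The companion-infection behaviour described above leaves a recognisable artifact on disk: a .zmx file sitting next to an .exe of the same name, with the replacement .exe bodies all identical. The following triage script, an added example rather than code from the article or from any vendor named in it, walks a directory tree for such pairs and groups the replacement .exe files by hash; the file names and contents it scans are constructed sample data.

```python
"""Triage check for companion-infection artifacts of the kind the article
attributes to Lovgate-AB: the original .exe is renamed to .zmx and a copy
of the worm is written in its place. Added example; sample tree is constructed."""
import hashlib
import os
import tempfile
from collections import defaultdict


def file_sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def find_companion_pairs(root):
    """Return sorted (exe_path, zmx_path) tuples for every .zmx that has a same-stem .exe sibling."""
    pairs = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {n.lower(): n for n in files}  # tolerate mixed-case names
        for name in files:
            stem, ext = os.path.splitext(name.lower())
            exe = by_lower.get(stem + ".exe")
            if ext == ".zmx" and exe:
                pairs.append((os.path.join(dirpath, exe), os.path.join(dirpath, name)))
    return sorted(pairs)


def group_by_hash(pairs):
    """Group replacement .exe files by content hash: a companion infector writes the same
    body over every victim, so one hash shared across many pairs is the strongest signal."""
    groups = defaultdict(list)
    for exe, _zmx in pairs:
        groups[file_sha256(exe)].append(exe)
    return dict(groups)


def build_sample_tree():
    """Constructed sample: two infected programs, one clean program, one stray .zmx."""
    root = tempfile.mkdtemp(prefix="companion_demo_")
    worm = b"MZ-constructed-worm-body"  # placeholder bytes, not real worm content
    layout = {"apps/editor.exe": worm, "apps/editor.zmx": b"MZ-original-editor",
              "tools/Ping.EXE": worm, "tools/ping.zmx": b"MZ-original-ping",
              "tools/calc.exe": b"MZ-original-calc", "misc/notes.zmx": b"unrelated"}
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


def triage(root):
    """Summary a responder can act on: number of pairs and size of the largest identical-hash group."""
    pairs = find_companion_pairs(root)
    largest = max((len(v) for v in group_by_hash(pairs).values()), default=0)
    return {"pairs": len(pairs), "largest_identical_group": largest}
```

Restoring a victim means renaming the .zmx back over the worm copy only after the replacement .exe has been confirmed malicious, so keep the pair list and hashes as evidence before touching anything.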
Experts recommend updating antivirus signatures to protect against Lovgate-AB.