
Heeding the wakeup call

By Edward Hurley, News Writer
02 Mar 2004 | SearchSecurity.com


The last few days have seen an unusually high number of worm variants appear, but experts are warning users to keep the threat in perspective.

"We don't want it to sound like the world is coming to an end," said Vincent Gullotto, vice president of McAfee AVERT. "It's just busy out there."

Since Friday, seven variants of the Bagle worm have surfaced. Two Netsky worms have been in the wild for the last four days. None of the worms have proved particularly dangerous, though. They probably wouldn't have received much attention if they weren't variants of existing, once-newsworthy worms.

At first, the creator of the Bagle variants was the mouse to the antivirus industry's cat. Over the weekend, new variants surfaced as protection for variants was rolled out. In the midst of the Bagle barrage Monday, Netsky-D appeared. Another variant, Netsky-E, surfaced late Monday.

Netsky-D seems to be the one worm in the mix that has gained major traction, at least in Europe. Netsky-D represented more than 70% of the submissions received Tuesday morning by Finnish antivirus software vendor F-Secure Corp. The company has classified Netsky-D as a level 1 threat, the company's highest threat rating.

Other antivirus companies consider Netsky-D a serious threat as well. Symantec has it ranked as a category 4, or severe, threat. Both Trend Micro Inc. and McAfee AVERT consider the worm a medium threat.

Netsky-D uses a variety of subject lines and message bodies to entice recipients into opening the attachment, which contains the worm. After infecting a system, Netsky-D searches the machine for e-mail addresses in a variety of file types, including cached Web pages and text documents. It also looks in the Windows address book. The worm then blasts out copies of itself to those addresses with forged From fields.

Luckily, Netsky-D has an Achilles' heel. The worm always travels as a .pif file. Companies that follow safe computing procedures strip or block files with that extension at the gateway.
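
The gateway check described above can be sketched as follows. This is an added example, not code from the article or from any vendor it names. The function names, the sample message and the choice to inspect both MIME filename headers are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.utils import collapse_rfc2231_value

# The article names only .pif; any longer list is a local policy decision.
BLOCKED_EXTENSIONS = (".pif",)

def normalize(name):
    """Lowercase and drop trailing dots/spaces, which Windows ignores."""
    return name.strip().rstrip(". ").lower()

def declared_names(part):
    """Return every filename a MIME part declares, from both headers."""
    names = []
    for header, param in (("content-disposition", "filename"),
                          ("content-type", "name")):
        value = part.get_param(param, header=header)
        if value:
            names.append(collapse_rfc2231_value(value))
    return names

def blocked_attachments(raw_message):
    """Return the declared names that end in a blocked extension."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    return [name for part in msg.walk() for name in declared_names(part)
            if normalize(name).endswith(BLOCKED_EXTENSIONS)]

# Constructed sample: the two headers disagree, so both must be checked.
SAMPLE = b"\r\n".join([
    b"From: forged@example.com",
    b"Subject: Re: Your document",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/plain",
    b"",
    b"See the attached file.",
    b"--b1",
    b'Content-Type: application/octet-stream; name="your_document.pif"',
    b'Content-Disposition: attachment; filename="notes.txt"',
    b"",
    b"placeholder body, not a real file",
    b"--b1--",
    b"",
])

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE))
```

A gateway would reject or strip any message for which `blocked_attachments` returns a non-empty list.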

It's unclear why so many worms have been released in succession. Some observers speculate that it's a backlash because of the arrest of Belgian virus writer Gigabyte last month. Others think the deluge is the result of a contest of sorts among worm writers.

Ian Hameroff, senior security strategist with Islandia, N.Y.-based Computer Associates International Inc., can't say why the variants are being created, but he said that the glut "points out the ease [with] which worm writers can create new variants."

He added: "You can't just look at each worm as a single problem, but you have to consider the general threat posed by all of them." For example, some users may have been lulled into a false sense of security if they updated their signature files once on Monday. In fact, constant updates are needed to keep up with all the new variants.

"Keeping secure is not just about antivirus signatures," he said. "It also takes being wary of any e-mail with an attachment."
