
New Worms Mean March Madness for IT Pros

Written By
Jim Wagner
Mar 1, 2004

The latest “Bagle” worm is something corporate network users definitely didn’t order this morning, but it’s the return of the Netsky worm that has many security experts worried.

First appearing Friday afternoon, the five Bagle worms — Bagle.A, Bagle.B, Bagle.C, Bagle.D, Bagle.E and Bagle.F — wriggle into e-mail in-boxes via a password-protected .zip file, which many anti-virus software applications can’t access.

“This is just one more method of potentially affecting computers that might not otherwise get infected,” Ken Dunham, director of malicious code at security firm iDEFENSE, told internetnews.com. “If you have a large network automatically blocking anything that’s found to be infected, but allow for .zip files to go through, which is most of corporate America, then this type of worm will get past those scanners. It’ll get to the desktop user.”
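A gateway can close the gap Dunham describes without knowing the archive password, because the ZIP header flags encrypted members and classic ZIP encryption leaves member names readable. The following is an added example, not code from the article or from iDEFENSE; the verdict names, the extension list and the `make_sample` helper are assumptions, and the sample archives are constructed.

```python
import io
import zipfile

ENCRYPTED_FLAG = 0x1  # ZIP general-purpose flag bit 0: entry data is encrypted
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")  # assumed policy list


def inspect_zip_attachment(data: bytes) -> dict:
    """Return a gateway verdict for a .zip attachment without needing its password."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.infolist()  # reads the central directory only, no decryption
    except zipfile.BadZipFile:
        return {"verdict": "quarantine", "reason": "malformed archive"}
    encrypted = [e.filename for e in entries if e.flag_bits & ENCRYPTED_FLAG]
    # Classic ZIP encryption leaves member names in the clear, so they can be checked.
    risky = [n for n in encrypted if n.lower().endswith(EXECUTABLE_EXTS)]
    if risky:
        return {"verdict": "block", "reason": "encrypted executable", "members": risky}
    if encrypted:
        return {"verdict": "quarantine", "reason": "unscannable encrypted content",
                "members": encrypted}
    return {"verdict": "scan", "reason": "readable archive, hand to AV engine"}


def make_sample(name: str, encrypted: bool) -> bytes:
    """Constructed input: a one-entry zip. When 'encrypted' is set, only the header
    flag is flipped (the payload stays plain), which is all the gateway check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, b"constructed sample payload")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flag field sits 6 bytes into the local header, 8 into the central header.
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(signature) + offset] |= ENCRYPTED_FLAG
    return bytes(data)


if __name__ == "__main__":
    for name, enc in (("readme.exe", True), ("notes.txt", True), ("notes.txt", False)):
        print(name, enc, inspect_zip_attachment(make_sample(name, enc)))
```
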

By Sunday, another virus writer introduced a variant of Netsky — Netsky.D — that, like its predecessors, deletes several registry keys and inserts malicious code. This time, the Netsky.D script executes a file, winlogon.exe, which will play a .wav file from 6 a.m. to 8:59 a.m. Tuesday, security firm F-Secure’s Web site states.

Dunham said Netsky.D is making much more headway, at a faster rate, than its previous variants. But like those iterations, Netsky is designed to dupe people into opening the attachment with file titles such as “mp3music,” “your_pictures,” “document” and “your_bill.”

Netsky made a name for itself last year, when several strains of the Internet worm spread like wildfire. In two days, Netsky.C became the eighth-most damaging malware in Internet history, spreading to 190 countries.

The clever thing about the Netsky worm, Dunham said, is that, like all the most damaging worms, it uses executable names that resemble common Windows processes. So even if you see it running in your Task Manager, you’ll likely think it’s a legitimate process.

“It’s designed to give people a sense of comfort when they come across it,” Dunham said.

The Bagle worms, on the other hand, use a new method for getting exploits into the workplace. Using a password-protected .zip file which isn’t detected by Norton Antivirus or McAfee, the script copies and forwards itself to everyone in the end user’s e-mail list, copies itself into shared folders (commonly used by P2P and IM file sharers) and opens up port 2745 for remote commands by the virus writer, according to iDEFENSE.

The worm uses file attachments like “readme.exe,” “go54o.exe” and “ilru54n4.exeopen.”

A side note to the Bagle and Netsky.D worms is the fact they appear to be written by competing script writers. Dunham said the Netsky.D worm — in addition to the havoc it creates for its own purposes — also goes into the registry keys to delete the “au.exe” script, used in two variants of the Bagle worm.

“So here’s a guy actively coding on the weekend saying, ‘I don’t want any Bagle users taking advantage of my computer,’ so they’re all fighting over who can have control over my machine,” Dunham said.

Asked if these latest worms could be motivated by a turf war, Dunham said it “certainly appears that way.”
