Beagle and NetSky Viruses Spreading

February, 2004, is set to be the worst month yet for computer security. The infections caused by the MyDoom Viruses, DoomJuice Worm, and new variants of the Beagle and NetSky worms are the culprits.

We're seeing a one-two-three-four punch from the computer hacking community. We have had the fastest spreading Virus ever (MyDoom), followed by two versions of yet another new virus (NetSky), and a new version of an old one (Beagle). We're experiencing an astounding rate of attack. These recent attacks, coupled with their resulting infections, have caused well over $40 Billion in lost productivity world-wide in just the last few weeks.

In order to make the latest versions of these viruses even more potent, the criminal community has taken to leveraging their attack angles. The MyDoom viruses created back doors on infected computers which allowed SPAMmers from around the world to hijack unsuspecting users' computers. They then used these new SPAM relays to 'seed' their latest attacks into millions of e-mail boxes via SPAM.

The latest Worms, dubbed NetSky or Moodown, arrive in e-mail messages that have randomly generated Subject lines such as "something for you," "hello" or "fake." The worm itself is contained in a zip file, and usually has an extension of .exe, .scr or .pif, but appears to have a safe extension such as .doc, .txt or .rtf. It is also being spread by file sharing networks, such as KaZaa.

NetSky.B demonstrates some of the complexity inherent in these new attacks. This nasty worm first disables antivirus software installed on your computer, then it starts scanning your machine to harvest e-mail addresses and finally it copies itself to shared network folders to infect other users on your network. Some worms and viruses even have a built-in e-mail server. If the compromised computer has Internet access, the worm will bypass standard corporate e-mail security, and will send out infected e-mails to the harvested addresses.

What NetSky Does

When the worm is first installed, it pops up what appears to be an error message: "Error; The file could not be opened!". If you've seen this error, you may be infected.

Once the worm is running it will copy itself to shared folders that it can find on your computer's hard disks and network drives. It installs itself on those shares, and pretends to be a Microsoft Word document, among other things. People are then enticed to open the "document," and end up installing the worm.

The worm also copies itself to the Windows System directory and calls itself SERVICES.EXE, a great name for hiding itself. It then installs this executable into the machine's System Registry so that it will be automatically re-installed when the machine is rebooted.

The worm then starts looking through all of your hard disks and network drives looking for e-mail addresses and sends itself to all of those addresses.

What to Do

• Don't open attachments in e-mail
• Turn off any file sharing software on your computer, such as Kazaa
• Download and run Stinger to remove the virus. Optionally, use Bitdefender, Symantec or Tend Micro's tool