Beagle and NetSky Viruses Spreading
February 2004 is set to be the worst month yet for computer
security. The infections caused by the MyDoom viruses, DoomJuice
worm, and new variants of the Beagle and NetSky worms are the
We're seeing a one-two-three-four punch from the computer hacking
community. We have had the fastest-spreading virus ever (MyDoom), followed by
two versions of yet another new virus (NetSky), and a new version of
an old one (Beagle). We're experiencing an astounding rate of attack.
These recent attacks, coupled with their resulting infections, have
caused well over $40 billion in lost productivity worldwide in just
the last few weeks.
To make the latest versions of these viruses even more potent, the
criminal community has taken to building each attack on the last.
The MyDoom viruses created back doors on infected computers,
which allowed spammers from around the world to hijack unsuspecting
users' computers. They then used these new spam relays to 'seed' their
latest attacks into millions of e-mail boxes via spam.
The latest worms, dubbed NetSky or Moodown, arrive in e-mail messages
that have randomly generated Subject lines such as "something for
you," "hello" or "fake." The worm itself is contained in a zip file,
and usually has an extension of .exe, .scr or .pif, but appears to
have a safe extension such as .doc, .txt or .rtf. It is also being
spread by file sharing networks, such as Kazaa.
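
The disguise described above, an executable extension hidden behind a document extension inside a zip file, is something a mail filter can check for. The following Python code is an added example, not part of the original article; the function names and the sample archive are constructed for illustration, and the extension lists are the ones named in the text.

```python
import io
import zipfile

# Extension lists taken from the article's description of NetSky attachments.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif"}
DECOY_EXTS = {".doc", ".txt", ".rtf"}


def classify_name(name):
    """Return 'disguised', 'executable' or 'ok' for one attachment or archive member name."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any directory part
    # Normalise each dot-separated part: strip padding and ignore case.
    parts = [p.strip().lower() for p in base.split(".")]
    if len(parts) < 2 or "." + parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # An executable whose name also contains a document extension is posing as a document.
    if any("." + p in DECOY_EXTS for p in parts[1:-1]):
        return "disguised"
    return "executable"


def scan_zip(data):
    """List (member name, verdict) for every non-ok member of a zip attachment."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                verdict = classify_name(info.filename)
                if verdict != "ok":
                    findings.append((info.filename, verdict))
    except zipfile.BadZipFile:
        # A corrupt archive cannot be inspected, so report it for quarantine.
        findings.append(("<archive>", "unreadable"))
    return findings


def build_sample_zip(names):
    """Build an in-memory zip with harmless placeholder contents (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(["notes.txt", "invoice.doc.pif", "setup.exe", "docs/readme.rtf.scr"])
    for member, verdict in scan_zip(sample):
        print(f"{verdict:10} {member}")
```
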
NetSky.B demonstrates some of the complexity inherent in these new
attacks. This nasty worm first disables antivirus software installed
on your computer, then scans your machine to harvest
e-mail addresses, and finally copies itself to shared network
folders to infect other users on your network. Some worms and viruses
even have a built-in e-mail server. If the compromised computer has
Internet access, the worm will bypass standard corporate e-mail
security, and will send out infected e-mails to the harvested
What NetSky Does
When the worm is first installed, it pops up what appears to be an
error message: "Error; The file could not be opened!". If you've seen
this error, you may be infected.
Once the worm is running it will copy itself to shared folders
that it can find on your computer's hard disks and network drives. It
installs itself on those shares, and pretends to be a Microsoft Word
document, among other things. People are then enticed to open the
"document," and end up installing the worm.
The worm also copies itself to the Windows System directory and calls
itself SERVICES.EXE, a great name for hiding itself. It then installs
this executable into the machine's System Registry so that it will be
automatically re-installed when the machine is rebooted.
The worm then searches all of your hard disks and
network drives for e-mail addresses and sends itself to all of
What to Do
- Don't open attachments in e-mail
- Turn off any file sharing software on your computer, such as Kazaa
- Download and run Stinger to remove the
virus. Optionally, use Bitdefender,