AL-2004.06 -- Variants of mass-mailing worms Netsky and Bagle spreading rapidly

Date: 02 March 2004

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                        AL-2004.06 -- AUSCERT ALERT
     Variants of mass-mailing worms Netsky and Bagle spreading rapidly
                               02 March 2004

===========================================================================

        AusCERT Alert Summary
        ---------------------

Operating System:       Windows
Impact:                 Denial of Service              
                        Access Privileged Data
                        Reduced Security
Access Required:        Remote

PROBLEM:  

	AusCERT has received reports from European CERTs and antivirus
	vendors that new variants of the mass-mailing worms Netsky and
	Bagle are spreading rapidly overseas.  

	Bagle has at least five variants (W32/Bagle.c@MM through to
	W32/Bagle.h@MM) currently propagating[1].  According to reports
	received by AusCERT, Netsky has one particular variant
	(W32/Netsky.d@MM) that is spreading at a greater rate than any
	other worm in the wild at the time of the release of this alert
	[2].  Note that antivirus vendors and filtering services differ in
	how they name variants of both Netsky and Bagle (Symantec, for
	example, lists Bagle as W32.Beagle), so check the vendor's own
	description when matching signatures or filter rules.

PLATFORM:

	These mass-mailing worms affect Windows platforms.

IMPACT:   

	The worms could cause disruption to regular traffic on Australian
	email servers as well as allowing remote access to third parties
	via backdoors installed as part of the infection routines.  Below
	are specific details for Netsky and Bagle variants.


      W32/Netsky.d@MM -

	W32.Netsky.D@mm is a mass-mailing worm that is a variant of
	W32.Netsky.C@mm. The worm scans drives C through Z for email
	addresses and sends itself to those that are found.  The Subject,
	Body, and Attachment names vary. The attachment will have a .pif
	file extension[3].

	This worm propagates by sending out email with the following
	details[4]:

        SUBJECT: (any of the following)
        Re: Your website
        Re: Your product
        Re: Your letter
        Re: Your archive
        Re: Your text
        Re: Your bill
        Re: Your details
        Re: My details
        Re: Word file
        Re: Excel file
        Re: Details
        Re: Approved
        Re: Your software
        Re: Your music
        Re: Here
        Re: Re: Re: Your document
        Re: Hello
        Re: Hi
        Re: Re: Message
        Re: Your picture
        Re: Here is the document
        Re: Your document
        Re: Thanks!
        Re: Re: Thanks!
        Re: Re: Document
        Re: Document
        
        MESSAGE BODY: (any of the following)
        Your file is attached.
        Please read the attached file.
        Please have a look at the attached file.
        See the attached file for details.
        Here is the file.
        Your document is attached.
        
        ATTACHMENT: (any of the following)
        your_website.pif
        your_product.pif
        your_letter.pif
        your_archive.pif
        your_text.pif
        your_bill.pif
        your_details.pif
        document_word.pif
        document_excel.pif
        my_details.pif
        all_document.pif
        application.pif
        mp3music.pif
        yours.pif
        document_4351.pif
        your_file.pif
        message_details.pif
        your_picture.pif
        document_full.pif
        message_part2.pif
        document.pif
        your_document.pif

        
      W32/Bagle.c@MM through to W32/Bagle.h@MM - 

	The Bagle variants are all mass-mailing worms that open a backdoor
	on TCP port 2745. They use their own SMTP engine for email
	propagation. They can also send to the attacker the port on which
	the backdoor listens, as well as a randomized ID number[5].

	The recent Bagle variants (W32/Bagle.g@MM and W32/Bagle.h@MM) also
	target and attempt to spread across file-sharing networks, such
	as Kazaa and iMesh[6].

	W32/Bagle.c@MM appears to be having a greater impact than the other
	Bagle variants and has the following characteristics[7].

        Subject: Various, including:
        
          Accounts department 
          Ahtung! 
          Camila 
          Daily activity report 
          Flayers among us 
          Freedom for everyone 
          From Hair-cutter 
          From me 
          Greet the day 
          Hardware devices price-list 
          Hello my friend 
          Hi! 
          Jenny 
          Jessica 
          for the report 
          Maria 
          Melissa 
          Monthly incomings summary 
          New Price-list 
          Price 
          Price list 
          Pricelist 
          Price-list 
          Proclivity to servitude 
          Registration confirmation 
          The account 
          The employee 
          The summary 
          USA government abolishes the capital punishment 
          Weekly activity report 
          Well... 
          You are dismissed 
          You really love me? he he
        
        Text: 	No message body
        
        Attachment: Randomly named ZIP file, containing an executable disguised
        as an Excel file.
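	The Netsky.D and Bagle.C profiles above translate directly into
	mail-gateway triage rules: Netsky.D is a listed subject plus a .pif
	attachment, Bagle.C is a listed subject, an empty body and a ZIP
	attachment whose member is an executable disguised as an Excel file.
	The following is an added example written for this page, not code
	from AusCERT or any antivirus vendor.  The subject sets are
	representative subsets of the lists above, the sample messages and
	attachment contents are constructed placeholders (not worm
	binaries), and the "suspicious" verdict for a partial match is an
	assumed policy choice.

```python
"""Triage of incoming mail against the Netsky.D and Bagle.C indicators quoted
in this alert.  Added example, not AusCERT's or any vendor's code.  The sample
messages below are constructed here; attachment contents are harmless
placeholders, not worm binaries."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Representative subsets of the subject lines quoted in the alert; extend
# from the full lists above for production use.
NETSKY_D_SUBJECTS = {
    "Re: Your website", "Re: Your product", "Re: Your letter", "Re: Your bill",
    "Re: Your details", "Re: My details", "Re: Word file", "Re: Excel file",
    "Re: Approved", "Re: Your document", "Re: Thanks!", "Re: Document",
}
BAGLE_C_SUBJECTS = {
    "Accounts department", "Ahtung!", "Daily activity report", "Hello my friend",
    "Hi!", "New Price-list", "Price", "Price list", "Pricelist", "Price-list",
    "Registration confirmation", "The account", "Weekly activity report",
    "You are dismissed",
}
# Bagle.C ships an executable inside a ZIP, disguised as an Excel file.
DISGUISED_EXE = re.compile(r"\.xls\.(exe|pif|scr|com)$", re.IGNORECASE)


def triage(raw: bytes) -> dict:
    """Return a verdict ('netsky.d', 'bagle.c', 'suspicious' or 'clean') and
    the indicators that fired, for one RFC 5322 message given as bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = (msg["subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip() if body_part is not None else ""
    reasons = []
    pif_seen = zip_exe_seen = False

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(".pif"):
            pif_seen = True
            reasons.append(f".pif attachment {name!r}")
        elif name.lower().endswith(".zip") and data.startswith(b"PK"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if DISGUISED_EXE.search(member):
                            zip_exe_seen = True
                            reasons.append(f"executable {member!r} inside {name!r}")
            except zipfile.BadZipFile:
                reasons.append(f"unreadable ZIP attachment {name!r}")

    if pif_seen and subject in NETSKY_D_SUBJECTS:
        verdict = "netsky.d"
    elif zip_exe_seen and not body and subject in BAGLE_C_SUBJECTS:
        verdict = "bagle.c"
    elif pif_seen or zip_exe_seen:
        verdict = "suspicious"  # one indicator fired, but not the full profile
    else:
        verdict = "clean"
    return {"verdict": verdict, "subject": subject, "reasons": reasons}


def build_sample(subject: str, body: str, filename: str, data: bytes,
                 maintype: str, subtype: str) -> bytes:
    """Construct a one-attachment test message (sample input only).
    An empty body is rendered as no text part at all, as Bagle.C does."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = subject
    if body:
        msg.set_content(body)
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def fake_bagle_zip() -> bytes:
    """ZIP holding a placeholder file with the double extension Bagle.C uses."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("price.xls.exe", b"MZ placeholder bytes, not a real program")
    return buf.getvalue()


# Constructed samples: one per worm profile, one partial match, one benign.
SAMPLES = {
    "netsky": build_sample("Re: Your bill", "Your file is attached.",
                           "your_bill.pif", b"MZ placeholder", "application", "octet-stream"),
    "bagle": build_sample("Price-list", "", "7ya2fw.zip", fake_bagle_zip(),
                          "application", "zip"),
    "pif_odd_subject": build_sample("Quarterly figures", "See attached.",
                                    "report.pif", b"MZ placeholder", "application", "octet-stream"),
    "clean": build_sample("Re: Your bill", "Invoice attached.",
                          "invoice.pdf", b"%PDF-1.4 placeholder", "application", "pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = triage(raw)
        print(f"{label:16s} -> {result['verdict']:10s} {result['reasons']}")
```

	The two-factor rule (subject list plus attachment shape) keeps a
	listed subject such as "Re: Your bill" on a legitimate PDF from
	being flagged, while a .pif attachment under an unlisted subject
	still surfaces as suspicious, which matters because the subject and
	attachment names vary between variants and vendor descriptions.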

MITIGATION: 

	AusCERT advises members to disseminate and take action on this
	information to prevent any undesirable activity by these worms
	within their sites.  When possible, upgrade all anti-virus software
	to use the latest definition files as soon as they become
	available.  Sites that filter email at the gateway can also reject
	or quarantine messages carrying .pif attachments (used by Netsky.D)
	and ZIP archives containing executables (used by Bagle.C), and
	should watch for hosts listening on TCP port 2745, which indicates
	a Bagle backdoor.

	Users should remain aware of the danger of opening unsolicited
	email attachments and review the advice in the article "Protecting
	your computer from malicious code"[8].

	For details on previous Netsky and Bagle variants see REFERENCES
	at [9] below.

REFERENCES:

[1] Five new Bagle variants in 48 hours
    http://www.f-secure.com/weblog/

[2] W32/Netsky.B-mm (MessageLabs)
    http://www.messagelabs.com/viruseye/info/default.asp?virusname=W32%2FNetsky%2EB%2Dmm

[3] W32.Netsky.D@mm (Symantec)
    http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.d@mm.html

[4] WORM_NETSKY.D (Trend Micro)
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.D

[5] Bagle:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.c@mm.html
    http://www3.ca.com/virusinfo/virus.aspx?ID=38426
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101059
    http://www.f-secure.com/v-descs/bagle_c.shtml
    http://www.sophos.com/virusinfo/analyses/w32baglec.html
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.C
    http://vil.nai.com/vil/content/v_101059.htm
    
[6] W32.Beagle.G@mm (Symantec)
    http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.g@mm.html

[7] Bagle.C (F-Secure)
    http://www.f-secure.com/v-descs/bagle_c.shtml 

[8] Protecting your computer from malicious code 
    http://www.auscert.org.au/3352

[9] AL-2004.05 -- Malicious Software Report - W32/Netsky.b
    http://www.auscert.org.au/3860

    AL-2004.01 -- Email worm W32.Beagle.A/Win32.Bagle.A 
    http://www.auscert.org.au/3764

[10] Netsky:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.d@mm.html
    http://www.sophos.com/virusinfo/analyses/w32netskyd.html
    http://www.f-secure.com/v-descs/netsky_d.shtml
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101064
    http://www3.ca.com/virusinfo/virus.aspx?ID=38453
    http://vil.nai.com/vil/content/v_101064.htm
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.D

- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this security bulletin is accurate at the time of publication. 
However, the decision to follow or act on information or advice contained in 
this security bulletin is the responsibility of each user or organisation, and 
should be considered in accordance with your organisation's site policies and 
procedures. AusCERT takes no responsibility for consequences which may arise 
from following or acting on information or advice contained in this security 
bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).  On call after hours
                for member emergencies only.
	
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQEPJnih9+71yA2DNAQH9CAQAhOdUNXX17tjMyHa6XJ/JDttqpXMmBHpW
qlzjcyKVzMS4n1Ksf0mBZ/GOMehoc+yI/zI0SkqVPaXcfP40p1KX/yG6YZMXY4Ab
gMqOlzTZ0BYpwxzul3BYPl4gJ4NUmGG2k/gpPL72yXBDO7RXBfhtIrm+DAiKFwd4
677KnNgKFFQ=
=/w2m
-----END PGP SIGNATURE-----