AL-2004.06 -- Variants of mass-mailing worms Netsky and Bagle spreading rapidly
Date: 02 March 2004
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             A  U  S  C  E  R  T                           A  L  E  R  T

                       AL-2004.06  --  AUSCERT ALERT
      Variants of mass-mailing worms Netsky and Bagle spreading rapidly
                              02 March 2004
===========================================================================

        AusCERT Alert Summary
        ---------------------

Operating System:       Windows
Impact:                 Denial of Service
                        Access Privileged Data
                        Reduced Security
Access Required:        Remote

PROBLEM:

        AusCERT has received reports from European CERTs and antivirus
        vendors that new variants of the mass-mailing worms Netsky and
        Bagle are spreading rapidly overseas.

        Bagle has at least five variants (W32/Bagle.c@MM through to
        W32/Bagle.h@MM) currently propagating [1]. According to reports
        received by AusCERT, Netsky has one particular variant
        (W32/Netsky.d@MM) that is spreading at a greater rate than any
        other worm in the wild at the time of the release of this
        alert [2].

        Note that some antivirus vendors and filtering services may vary
        in naming of variants of both Netsky and Bagle.

PLATFORM:

        These mass-mailing worms affect Windows platforms.

IMPACT:

        The worms could cause disruption to regular traffic on Australian
        email servers as well as allowing remote access to third parties
        via backdoors installed as part of the infection routines.

        Below are specific details for Netsky and Bagle variants.

        W32/Netsky.d@MM
        - W32.Netsky.D@mm is a mass-mailing worm that is a variant of
          W32.Netsky.C@mm. The worm scans drives C through Z for email
          addresses and sends itself to those that are found. The
          Subject, Body, and Attachment names vary. The attachment will
          have a .pif file extension [3].

          This worm propagates by sending out email with the following
          details [4]:

          SUBJECT: (any of the following)
                Re: Your website
                Re: Your product
                Re: Your letter
                Re: Your archive
                Re: Your text
                Re: Your bill
                Re: Your details
                Re: My details
                Re: Word file
                Re: Excel file
                Re: Details
                Re: Approved
                Re: Your software
                Re: Your music
                Re: Here
                Re: Re: Re: Your document
                Re: Hello
                Re: Hi
                Re: Re: Message
                Re: Your picture
                Re: Here is the document
                Re: Your document
                Re: Thanks!
                Re: Re: Thanks!
                Re: Re: Document
                Re: Document

          MESSAGE BODY: (any of the following)
                Your file is attached.
                Please read the attached file.
                Please have a look at the attached file.
                See the attached file for details.
                Here is the file.
                Your document is attached.

          ATTACHMENT: (any of the following)
                your_website.pif
                your_product.pif
                your_letter.pif
                your_archive.pif
                your_text.pif
                your_bill.pif
                your_details.pif
                document_word.pif
                document_excel.pif
                my_details.pif
                all_document.pif
                application.pif
                mp3music.pif
                yours.pif
                document_4351.pif
                your_file.pif
                message_details.pif
                your_picture.pif
                document_full.pif
                message_part2.pif
                document.pif
                your_document.pif

        W32/Bagle.c@MM through to W32/Bagle.h@MM
        - The Bagle variants are all mass-mailing worms that open a
          backdoor on TCP port 2745. They use their own SMTP engine for
          email propagation. They can also send to the attacker the port
          on which the backdoor listens, as well as a randomized ID
          number [5].

          The recent Bagle variants (W32/Bagle.g@MM and W32/Bagle.h@MM)
          also target and attempt to spread across file-sharing
          networks, such as Kazaa and iMesh [6].

          W32/Bagle.c@MM appears to be having a greater impact than the
          other Bagle variants and has the following characteristics [7].

          Subject: Various, including:
                Accounts department
                Ahtung!
                Camila
                Daily activity report
                Flayers among us
                Freedom for everyone
                From Hair-cutter
                From me
                Greet the day
                Hardware devices price-list
                Hello my friend
                Hi!
                Jenny
                Jessica for the report
                Maria
                Melissa
                Monthly incomings summary
                New Price-list
                Price
                Price list
                Pricelist
                Price-list
                Proclivity to servitude
                Registration confirmation
                The account
                The employee
                The summary
                USA government abolishes the capital punishment
                Weekly activity report
                Well...
                You are dismissed
                You really love me? he he

          Text: No message body

          Attachment: Randomly named ZIP file, containing an executable
                disguised as an Excel file.

MITIGATION:

        AusCERT advises members to disseminate and take action on this
        information to prevent any undesirable activity by this virus
        within their sites.

        When possible, upgrade all anti-virus software to use the latest
        definition files as soon as they become available.

        Users should remain aware of the danger of opening unsolicited
        email attachments and review the advice in the article
        "Protecting your computer from malicious code" [8].

        For details on previous Netsky and Bagle variants see REFERENCES
        at [9] below.

REFERENCES:

        [1] Five new Bagle variants in 48 hours
            http://www.f-secure.com/weblog/

        [2] W32/Netsky.B-mm (MessageLabs)
            http://www.messagelabs.com/viruseye/info/default.asp?virusname=W32%2FNetsky%2EB%2Dmm

        [3] W32.Netsky.D@mm (Symantec)
            http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.d@mm.html

        [4] WORM_NETSKY.D (Trend Micro)
            http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.D

        [5] Bagle:
            http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.c@mm.html
            http://www3.ca.com/virusinfo/virus.aspx?ID=38426
            http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101059
            http://www.f-secure.com/v-descs/bagle_c.shtml
            http://www.sophos.com/virusinfo/analyses/w32baglec.html
            http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.C
            http://vil.nai.com/vil/content/v_101059.htm

        [6] W32.Beagle.G@mm (Symantec)
            http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.g@mm.html

        [7] Bagle.C (F-Secure)
            http://www.f-secure.com/v-descs/bagle_c.shtml

        [8] Protecting your computer from malicious code
            http://www.auscert.org.au/3352

        [9] AL-2004.05 -- Malicious Software Report - W32/Netsky.b
            http://www.auscert.org.au/3860

            AL-2004.01 -- Email worm W32.Beagle.A/Win32.Bagle.A
            http://www.auscert.org.au/3764

        [10] Netsky:
            http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky.d@mm.html
            http://www.sophos.com/virusinfo/analyses/w32netskyd.html
            http://www.f-secure.com/v-descs/netsky_d.shtml
            http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101064
            http://www3.ca.com/virusinfo/virus.aspx?ID=38453
            http://vil.nai.com/vil/content/v_101064.htm
            http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.D

- ---------------------------------------------------------------------------
The AusCERT team has made every effort to ensure that the information
contained in this security bulletin is accurate at the time of publication.
However, the decision to follow or act on information or advice contained
in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Postal:         Australian Computer Emergency Response Team
                The University of Queensland
                Brisbane
                Qld 4072
                AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQEPJnih9+71yA2DNAQH9CAQAhOdUNXX17tjMyHa6XJ/JDttqpXMmBHpW
qlzjcyKVzMS4n1Ksf0mBZ/GOMehoc+yI/zI0SkqVPaXcfP40p1KX/yG6YZMXY4Ab
gMqOlzTZ0BYpwxzul3BYPl4gJ4NUmGG2k/gpPL72yXBDO7RXBfhtIrm+DAiKFwd4
677KnNgKFFQ=
=/w2m
-----END PGP SIGNATURE-----
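The Netsky.D and Bagle.C indicators above (listed subjects, the fixed .pif attachment names, the empty-body ZIP pattern) are exactly what a mail-gateway triage rule consumes. The script below is an added example, not AusCERT's code and not part of the alert: it parses RFC 822 messages with Python's standard `email` library and reports which documented indicator set a message matches. The indicator sets are transcribed from the alert; the three sample messages, the ZIP name `k2m9f.zip`, the inner file name `price-list.xls.exe` and the `example.invalid` addresses are constructed placeholders for the demonstration. The Netsky rule deliberately treats a listed subject as a hit only when it arrives with a .pif attachment, since many of those subjects ("Re: Your document", "Re: Hi") occur in ordinary mail.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# W32/Netsky.d@MM indicators transcribed from the alert (reference [4]).
NETSKY_D_SUBJECTS = {
    "Re: Your website", "Re: Your product", "Re: Your letter", "Re: Your archive",
    "Re: Your text", "Re: Your bill", "Re: Your details", "Re: My details",
    "Re: Word file", "Re: Excel file", "Re: Details", "Re: Approved",
    "Re: Your software", "Re: Your music", "Re: Here", "Re: Re: Re: Your document",
    "Re: Hello", "Re: Hi", "Re: Re: Message", "Re: Your picture",
    "Re: Here is the document", "Re: Your document", "Re: Thanks!",
    "Re: Re: Thanks!", "Re: Re: Document", "Re: Document",
}
NETSKY_D_ATTACHMENTS = {
    "your_website.pif", "your_product.pif", "your_letter.pif", "your_archive.pif",
    "your_text.pif", "your_bill.pif", "your_details.pif", "document_word.pif",
    "document_excel.pif", "my_details.pif", "all_document.pif", "application.pif",
    "mp3music.pif", "yours.pif", "document_4351.pif", "your_file.pif",
    "message_details.pif", "your_picture.pif", "document_full.pif",
    "message_part2.pif", "document.pif", "your_document.pif",
}
# W32/Bagle.c@MM indicators transcribed from the alert (reference [7]):
# a listed subject, no message body, and a ZIP wrapping an executable.
BAGLE_C_SUBJECTS = {
    "Accounts department", "Ahtung!", "Camila", "Daily activity report",
    "Flayers among us", "Freedom for everyone", "From Hair-cutter", "From me",
    "Greet the day", "Hardware devices price-list", "Hello my friend", "Hi!",
    "Jenny", "Jessica for the report", "Maria", "Melissa",
    "Monthly incomings summary", "New Price-list", "Price", "Price list",
    "Pricelist", "Price-list", "Proclivity to servitude",
    "Registration confirmation", "The account", "The employee", "The summary",
    "USA government abolishes the capital punishment", "Weekly activity report",
    "Well...", "You are dismissed", "You really love me? he he",
}
EXECUTABLE_EXT = (".exe", ".pif", ".scr", ".com", ".bat")


def attachments(msg):
    """Yield (lower-cased filename, decoded bytes) for every named MIME part."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name.lower(), part.get_payload(decode=True) or b""


def zip_hides_executable(data):
    """True if the bytes are a ZIP archive holding at least one executable member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith(EXECUTABLE_EXT) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify(raw):
    """Return the worm families whose documented indicators the raw message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    parts = list(attachments(msg))
    names = {n for n, _ in parts}
    hits = []
    # Netsky.D: a known attachment name alone is decisive; a listed subject
    # counts only when it is paired with a .pif attachment.
    if names & NETSKY_D_ATTACHMENTS or (
        subject in NETSKY_D_SUBJECTS and any(n.endswith(".pif") for n in names)
    ):
        hits.append("W32/Netsky.d@MM")
    # Bagle.C: listed subject, empty text body, ZIP attachment wrapping an executable.
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content().strip() if body else ""
    if subject in BAGLE_C_SUBJECTS and not body_text and any(
        n.endswith(".zip") and zip_hides_executable(d) for n, d in parts
    ):
        hits.append("W32/Bagle.c@MM")
    return hits


def _build(subject, body, filename, data, maintype, subtype):
    """Construct a sample message (test fixture, not a captured worm email)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    if body:
        msg.set_content(body)
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def _zip_with(member, content):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, content)
    return buf.getvalue()


# Constructed samples; "MZ-placeholder" stands in for any executable payload.
SAMPLE_NETSKY = _build("Re: Your document", "Your file is attached.",
                       "your_document.pif", b"MZ-placeholder", "application", "octet-stream")
SAMPLE_BAGLE = _build("Price-list", "", "k2m9f.zip",
                      _zip_with("price-list.xls.exe", b"MZ-placeholder"), "application", "zip")
SAMPLE_BENIGN = _build("Re: Your document", "Attached as discussed.",
                       "notes.txt", b"meeting notes", "text", "plain")

if __name__ == "__main__":
    for label, raw in (("netsky", SAMPLE_NETSKY), ("bagle", SAMPLE_BAGLE), ("benign", SAMPLE_BENIGN)):
        print(label, classify(raw) or "clean")
```

Run the file directly to see the three samples triaged; the benign message shares a Netsky subject but carries no .pif, so it is reported clean. A gateway would feed `classify()` the raw bytes of each inbound message and quarantine on any non-empty result, then refresh the indicator sets as vendors publish further variants.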
http://www.auscert.org.au/render.html?cid=2998&it=3908