With Bagel, Netsky, March comes in like a worm

Conventional wisdom claims March comes in like a lion and goes out like a lamb. But with new versions of the Bagle e-mail worm and a virulent new form of Netsky virus, March's arrival is looking more wormy than leonine.

As of Monday, five new versions of Bagle appeared over the weekend as well as a new version of Netsky that is spreading rapidly on the Internet and generating a huge volume of virus-infected e-mail messages. The new virus versions use a variety of so-called "social engineering" techniques to fool users. Some new variants also hide in password protected ZIP files to slip past antivirus filters and into users' e-mail boxes, said Graham Cluley, a senior technology consultant at Sophos PLC.

Netsky.D, a new version of the Netsky worm, is believed to be the biggest threat in the group. As of Monday, Netsky.D was spreading rapidly on the Internet and flooding e-mail servers with infected messages, according to Cluley.

Some of Sophos' customers were receiving thousands of Netsky.D infected messages each hour. That number could increase on Monday as U.S. workers return to their desks after the weekend, he said.

The original Netsky worm first appeared on Feb. 16. Since then, three more variants have been released on the Internet. Like its predecessors, Netsky.D scans an infected computer's hard drive for files containing e-mail addresses and then sends copies of itself to those addresses, antivirus companies said.

Like its predecessors, Netsky.D affects machines running Microsoft Corp.'s Windows operating system and arrives in e-mail messages with randomly generated subject lines such as "Re: Document," "Re: Your picture" or "Re:approved." The Netsky.D worm disguises its payload as a PIF (Program Information File) attachment that also has a randomly generated name such as "my_details.pif" "document.pif" or "mp3music.pif."

Unlike its predecessors, NetSky.D doesn't spread on peer-to-peer networks, and doesn't use a ZIP file to conceal its contents, according to antivirus company Network Associates Inc.

The gaggle of new Bagle worms that appeared in recent days use many of the same tricks as the new Netsky worms, and some new techniques, according to antivirus companies.

Bagle versions C, D, E, F and G appeared between Saturday and Monday and are variants of the first Bagle worm, which appeared on Jan. 19. All target systems running Windows, harvest e-mail addresses from infected machines and open a TCP (Transmission Control Protocol) port to listen for commands from a remote attacker, according to an alert released by computer security company iDefense Inc.

Bagle.C appears to be the most virulent of the bunch. Sophos has received "hundreds" of reports of messages containing that version, which uses a Microsoft Office 2000 Excel icon to fool users. Other Bagle variants use Windows folder icons, Cluley said.

Bagle versions F and G also use a password protected ZIP file to get past antivirus scanners. Password protected ZIPs have encrypted contents that cannot be read by even sophisticated antivirus scanners. However, virus writers must supply the password information in the body of a message before users can open the ZIP and get to the virus file inside, which makes it harder for the worm to spread, he said.

The use of ZIP files to hide e-mail viruses is increasingly popular among virus writers, he said.

Many recipients may be used to receiving zipped attachments from correspondents and open the Bagle and Netsky attachments out of curiosity, Cluley said.

With e-mail viruses slipping by gateway protections, companies need desktop antivirus software to stop the worm from infecting machines on which it is launched, he said.

Organizations must also invest in user education to stop risky behavior such as opening strange e-mail attachments, he said.

Last weekend's round of virus outbreaks is just the latest in a weeks-long scourge that began in mid- January with the first version of Bagle and has spawned multiple versions of the Bagle, Mydoom and Netsky worms.

"I think its effectively a blitzkrieg," said Cluley.

Despite only modest changes between worm versions, the new Bagle and Netsky variants appear to be the work of the original virus authors, he said.

"Someone who has access to the source code is creating these," he said.

Leading antivirus companies posted software updates to detect the new worm versions and tools to remove the worms from infected machines. Companies advised customers to update their antivirus software as soon as possible to prevent infection.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?