Netsky Variants Dominate Virus Payload in March

The pesky Netsky worm dogged Web computers during the month of March, accounting for 60 percent of all malicious e-mail tracked by antivirus firm Sophos.

Five of the top 10 viruses tracked during the month, including all of the top three, were variants of Netsky. Some 15 versions of the worm were active during the period. All told, some 18 variants of Netsky have been identified. Four of those variants first appeared in March.

Rival antivirus firm Trend Micro lists Netsky variants as the top five threats facing computers worldwide.

The second most prevalent threat, the Bagle worms, made up around 10 percent of all malware tracked during March, Sophos said, with four variations among the most active.

Competition, But No Prize

Sophos security consultant Carole Theriault said it appears the authors of the Bagle and Netsky worms are vying for top virus-writing honors, scripting slight variants that can pass through even updated antivirus filtering software.

“The authors of the Netsky and Bagle worms have been battling for virus-writing supremacy,” Theriault said. “As the argument between the two virus writers escalated, a torrent of new worms was released.”

Security firm iDefense recently reported that some variants of Netsky actually were designed to remove the Bagle.C variant from infected machines — further proof that the virus onslaught was the result of a hacker back-and-forth.

Variations on a Theme

Gartner analyst Martin Reynolds told the E-Commerce Times that follow-up variants of worms appear to be gaining in popularity, in part because variants are relatively easy to create by altering just a few lines of code.

He also said the variants’ ability to evade some antivirus gateways emphasizes the need for enterprises to have layered defenses and strong policies about activating programs embedded in e-mails.

“The user is the last line of defense, but a lot of these worms are clever in the way they get people to click on the programs,” Reynolds said. “The social engineering involved is getting more and more sophisticated.”

Tricky Business

According to Sophos, many of the Netsky worms arrive in e-mails that appear to be bounced-back or undelivered messages containing attachments and abrupt messages such as “is this your file?”

The Bagle.J variant, by contrast, mimics a user’s e-mail server name, bears messages warning that the user’s e-mail program is already infected, and urges the user to run attached programs to clean up the virus infection.
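As an added example (not from the article, Sophos or Trend Micro), a small gateway-side heuristic that flags the two lure patterns just described: an apparent bounce carrying a program and a terse line such as "is this your file?", and a sender posing as the recipient's own mail server warning that the mail program is infected. The local domain, phrase lists, attachment extensions and the three sample messages are all constructed assumptions for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumptions for this example: the organisation's own mail domain, and the
# attachment types an automated mailer should never legitimately send back.
LOCAL_DOMAIN = "example.com"
RISKY_EXTS = (".exe", ".pif", ".scr", ".com", ".bat", ".zip")
BOUNCE_PHRASES = ("undelivered", "delivery failed", "returned mail", "bounced")
TERSE_LURES = ("is this your file", "your file", "see the attached")
INFECTION_LURES = ("already infected", "clean up the virus", "run the attached")

def classify(raw: bytes) -> dict:
    """Return the lure indicators found in one RFC 822 message and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    sender = (msg["From"] or "").lower()
    sender_domain = sender.rsplit("@", 1)[-1].strip("> ")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    names = [a.get_filename() or "" for a in msg.iter_attachments()]
    found = set()
    if any(n.lower().endswith(RISKY_EXTS) for n in names):
        found.add("risky_attachment")
    # Netsky-style lure: looks like a bounce, says almost nothing, ships a file.
    if any(p in subject for p in BOUNCE_PHRASES) and any(p in body for p in TERSE_LURES):
        found.add("bounce_lure")
    # Bagle.J-style lure: claims to be our own mail server and urges a "clean-up".
    if sender_domain.endswith(LOCAL_DOMAIN) and any(p in body for p in INFECTION_LURES):
        found.add("server_impersonation_lure")
    lures = found - {"risky_attachment"}
    verdict = "block" if ("risky_attachment" in found and lures) else ("review" if found else "allow")
    return {"indicators": sorted(found), "verdict": verdict}

def build(sender, subject, body, attachment=None) -> bytes:
    """Construct a sample message (constructed test data, not a captured worm)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@" + LOCAL_DOMAIN, subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"MZ-placeholder", maintype="application", subtype="octet-stream", filename=attachment)
    return m.as_bytes()

NETSKY_LIKE = build("postmaster@relay.invalid", "Returned mail: undelivered", "is this your file?", "document.pif")
BAGLE_LIKE = build("management@mail.example.com", "E-mail account warning",
                   "Your e-mail program is already infected. Run the attached program to clean up the virus.",
                   "cleaner.exe")
BENIGN = build("colleague@partner.invalid", "Minutes from Tuesday", "Attached are the meeting notes.", "notes.txt")
```

A message that carries a risky attachment but no lure text, or lure text without an attachment, is returned for human review rather than blocked outright, which is the layered-defence posture the analysts above recommend.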

All told, Sophos identified some 824 new viruses in March. As usual, however, the majority of the impact came from just a few viruses.

Sophos said topping its list of e-mail hoaxes during the month was a trick targeting Hotmail that encouraged users to send a bogus e-mail to all of the people on their address lists.
