By Bob Sullivan, Technology correspondent
updated 2/18/2004 6:21:07 PM ET

Internet users who have barely finished cleaning up the mess left in their inboxes by the recent Mydoom virus outbreak are discovering there's plenty more where that came from. Antivirus companies have already rung the alarm bell twice this week, with two new e-mail pests making the rounds at a fairly steady clip. 

Ironically, the Netsky virus, discovered on Wednesday, is designed in part to repair Mydoom-infected machines.

Netsky spread quickly on Wednesday morning, with most antivirus firms assigning it a medium risk rating. It's a tricky bug for consumers to spot, as its subject lines and included message are almost completely random. Among the subject lines spotted so far by researchers: "I found this document about you," "Is that true," "my hero," and "You are a bad writer."  Users must click on the attached message — which also has a random name — to become infected.

The messages are simple, but tempting, said Joe Telafici, virus researcher at Network Associates Inc.

"The trend lately is very vague messages," he said.  "Sometimes just two words (or)  'Check this out.'"

Another trend this worm is following: It essentially removes both Mydoom and MiMail viruses when it attacks a machine. The virus writer's motivation for doing so is unclear, although Telafici said there's a message buried inside Netsky's code that suggests the author fancies himself or herself as part of an antivirus company.

By midday ET Wednesday, Network Associates was receiving between 40 and 50 submissions per hour from customers, a rate well below that of Mydoom, but higher than most viruses during their initial stages. Symantec Corp. was receiving about the same number of submissions, according to Senior Director of Engineering Alfred Huger.

"It seems to be still spreading steadily," Huger said.

An initial version of Netsky was released on Monday, but it failed to spread. Apparently, the author made adjustments to the worm, and the improved Netsky.B started infecting computers Wednesday morning.

New Bagel has backdoor
The only good news about Netsky: It doesn't appear to do anything malicious to infected machines, Huger said. "Its only goal is to spread."

That's not true of another upgraded worm, Bagel.B, which began infecting computers on Tuesday morning. Bagel.B, which is also rated a medium threat by most antivirus companies, leaves a backdoor on infected machines. It sends an electronic notification to Internet addresses in Germany whenever a machine is infected.

Even though the spread of Bagel.B has leveled off considerably, Huger said the backdoor component means it's a bigger threat than Netsky.

"The threat from the backdoor is significant," he said. Like many worms of late, researchers speculate the virus writer intends to use compromised machines to launch spam campaigns.

The initial Bagel worm, discovered in mid-January, didn't spread quickly, but Tuesday's version made its mark.  Antivirus firm MessageLabs said it had trapped 95,000 copies of the worm by lunchtime Tuesday.

"We were getting 10,000 an hour at one point," said MessageLabs CTO Mark Sumner.  "Then it started to level off.  It peaked yesterday."

And like Netsky, it is hard for consumers to spot because its subject lines and message body are randomly generated.
