Conventional wisdom claims March comes in like a lion and goes out like a lamb. But with new versions of the Bagle email worm and a virulent new form of Netsky virus, March's arrival is looking more like a worm.
Five new versions of Bagle appeared over the weekend, as did a new version of Netsky that is spreading rapidly on the internet and generating a huge volume of virus-infected email messages.
The new virus versions use a variety of so-called "social engineering" techniques to fool users. Some new variants also hide in password protected ZIP files to slip past antivirus filters and into users' email boxes, according to Graham Cluley, a senior technology consultant at Sophos.
Netsky.D, a new version of the Netsky worm, is believed to be the biggest threat in the group. As of Monday, Netsky.D was spreading rapidly on the Internet and flooding email servers with infected messages, according to Cluley.
Some of Sophos' customers were receiving thousands of Netsky.D infected messages each hour.
The original Netsky worm first appeared on 16 February. Since then, three more variants have been released on the Internet. Like its predecessors, Netsky.D scans an infected computer's hard drive for files containing email addresses and then sends copies of itself to those addresses.
Like its predecessors, Netsky.D affects machines running Microsoft's Windows operating system and arrives in email messages with randomly generated subject lines such as "Re: Document," "Re: Your picture," or "Re:approved."
The Netsky.D worm disguises its payload as a PIF (Program Information File) attachment that also has a randomly generated name such as "my_details.pif," "document.pif," or "mp3music.pif."
Unlike its predecessors, NetSky.D doesn't spread on peer-to-peer networks, and doesn't use a ZIP file to conceal its contents, according to antivirus company Network Associates.
The gaggle of new Bagle worms that appeared in recent days use many of the same tricks as the new Netsky worms, and some new techniques.
Bagle versions C, D, E, F, and G appeared between Saturday and Monday and are variants of the first Bagle worm, which appeared on 19 January. All target systems running Windows, harvest email addresses from infected machines, and open a TCP (Transmission Control Protocol) port to listen for commands from a remote attacker, according to an alert released by computer security company IDefense.
Bagle.C appears to be the most virulent of the bunch. Sophos has received "hundreds" of reports of messages containing that version, which uses a Microsoft Office 2000 Excel icon to fool users. Other Bagle variants use Windows folder icons, according to Cluley.
Bagle versions F and G also use a password protected ZIP file to get past antivirus scanners. Password protected ZIPs have encrypted contents that cannot be read by even sophisticated antivirus scanners. However, virus writers must supply the password information in the body of a message before users can open the ZIP and get to the virus file inside, which makes it harder for the worm to spread.
The use of ZIP files to hide email viruses is increasingly popular among virus writers.
Many recipients may be used to receiving zipped attachments from correspondents and open the Bagle and Netsky attachments out of curiosity, according to Cluley.
With email viruses slipping by gateway protections, companies need desktop antivirus software to stop the worm from infecting machines on which it is launched.
Last weekend's round of virus outbreaks is just the latest in a weeks-long scourge that began in mid- January with the first version of Bagle and has spawned multiple versions of the Bagle, Mydoom, and Netsky worms.
"I think its effectively a blitzkrieg," says Cluley.
Despite only modest changes between worm versions, the new Bagle and Netsky variants appear to be the work of the original virus authors, according to Cluley.
"Someone who has access to the source code is creating these," he says.