[ISN] Virus Writers Start Dissing Match with New Worms

From: InfoSec News (isn@private)
Date: Wed Mar 03 2004 - 00:10:17 PST

    http://www.eweek.com/article2/0,1759,1541834,00.asp
    
    March 2, 2004
    By Dennis Fisher and David Morgenstern  
    
    The virus onslaught continued late Tuesday as new versions of Bagle
    and MyDoom hit the Internet. The latest versions appeared to serve as
    digital graffiti, with the code delivering secret messages to the
    anonymous authors of other "competing" worms.
    
    According to analysis by security firm F-Secure Corp., the Bagle.J and
    MyDoom.G worms contain hidden messages aimed at the author of the
    NetSky worm.
    
    For example, Bagle.J includes the text: "Hey, NetSky, f**k off you
    b***h, don't ruine our bussiness, wanna start a war ?"
    
    MyDoom.G also attacked NetSky's author: "To netsky's creator(s): imho,
    skynet is a decentralized peer-to-peer neural network. we have seen
    P2P in Slapper in Sinit only. they may be called skynets, but not your
    sh**y app."
    
    Versions of NetSky spread rapidly across the Internet in February.
    
    F-Secure analysts said the MyDoom variant was functionally similar to
    the original MyDoom.A worm.
    
    The latest Bagle worm continued its social-engineering vector with a
    variable message aimed at corporate users, offering advice on e-mail
    account utilization. It comes as a password-protected ZIP file with a
    Wordpad icon.
    
    One posting on the F-Secure Lab's Weblog suggested that Bagle is
    getting "more and more clever about the messages it sends. The latest
    variant can send widely variable mails, referencing the recipients'
    company or domain name directly."
    
    Earlier in the day, the Bagle.H worm struck. The newest version of the
    constantly morphing virus also arrived in a password-protected ZIP
    archive.
    
    Once executed, Bagle.H copies itself to folders for several popular
    peer-to-peer applications in an attempt to spread via shared files.
    
    Bagle.H, which is rated as a medium risk by the AVERT team at Network
    Associates Inc., also listens on TCP Port 2745 for instructions from
    remote hosts.
    
    The virus has an expiration date of March 25 and is spreading fairly
    quickly, experts said.
    
    
    
    


