April 2005 was a month of worms. Worms in general are on the decline: the number of different worms and versions detected this month is so far unprecedented this year.
After a month in hibernation, Bagle made a reappearance, this time as Email-Worm.Win32.Bagle.bi. This latest version was detected on 15th April, with the most recent previous version having been detected on 12th March. Since April 15th, seven new modifications of Bagle (.bi – .bn) have appeared. Additionally, the detection Bagle.pac will identify a number of other new versions which also appeared this month. The authors of Bagle are now seeing how fast they can react when new antivirus databases are released – the new versions of Bagle appeared a mere 15 minutes after updates containing detection for previous modifications were issued. Typically, April’s Bagle versions appeared after midnight Moscow time.
Strictly speaking, Bagle isn’t an email worm, or even a worm any longer, as it is not able to self-replicate. The new versions of Bagle were sent out using spam technologies – users received a program containing a long list of Internet addresses where they could allegedly download files. Other malicious programs will then be placed on the sites listed in the email – SpamTool.Win32.Small is a case in point here. This program will harvest email addresses from the victim machine and send them to the author/user of SpamTool. It’s very probable that new versions of the worm are sent to the addresses harvested by SpamTool. It’s also extremely likely that these addresses are then sold on to spammers. So Bagle has evolved into something more than a worm – it’s part of a well-thought-out process on the part of spammers to gain new addresses, and to create new zombie machines for use in botnets. Even though the latest versions of Bagle do not propagate, simply launching the worm will turn the victim machine into a zombie.
Apart from Bagle, 25 new versions of Net-Worm.Win32.Mytob were also detected in April. This worm propagates via email and also penetrates machines via the LSASS vulnerability. Mytob.c took first place in April’s Virus Top Twenty, probably because it propagates via a Windows vulnerability. This means that the majority of users have not installed Windows security updates, even critical ones. Timely patching is essential in order to maintain system security.
However, the worm leading in terms of number of versions was IM-Worm.Win32.Kelvir, which appeared in 38 new versions this month. One of the modifications which was detected this month, Kelvir.k, uses an interesting social engineering approach: instead of sending a link to a .pif or a .scr file, the worm sends a link to a file with a .php extension. The processing routine used for .php files makes it possible for a malicious user to add any numbers or addresses to the link, and this data will be sent to the server when the link is clicked. In the case of Kelvir.k, the IM user’s MSN address will be added to the link.
- IM user #1 email address
- IM user #2 email address
- User #1 gets a link like this
- User #2 gets a link like this
When the link is clicked, a prompt appears asking if the file should be saved or executed. This should ring a warning bell in many users’ minds, and hopefully the majority of them will simply take no further action.
However, as soon as the user clicks on the link, their email address will be forwarded to the malicious remote user. This means that the address will be added to spam databases, whether or not the user launches the worm itself.
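A defensive check for the pattern described above, as an added example that is not part of the original report: it flags links to server-side scripts whose URL carries an e-mail address, which is how the click itself discloses the recipient. The sample URLs, host names and the `email` parameter name are constructed; the report does not show the real link format.

```python
import re
from urllib.parse import urlsplit, unquote

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Extensions that look like web pages rather than executables (assumed list).
SCRIPT_EXTS = (".php", ".asp", ".aspx", ".cgi", ".jsp")

def embedded_addresses(url):
    """Return e-mail addresses carried in the URL path, query or fragment."""
    parts = urlsplit(url)
    found = []
    # Decode first so that an encoded '@' (%40) is still recognised.
    for chunk in (parts.path, parts.query, parts.fragment):
        found += EMAIL_RE.findall(unquote(chunk))
    return sorted({addr.lower() for addr in found})

def assess_link(url, recipient=None):
    """Classify a link received over IM or e-mail."""
    addrs = embedded_addresses(url)
    script = urlsplit(url).path.lower().endswith(SCRIPT_EXTS)
    return {
        "url": url,
        "addresses": addrs,
        "script_target": script,
        # The link is personalised: clicking tells the server who clicked.
        "leaks_recipient": recipient is not None and recipient.lower() in addrs,
        "suspicious": bool(addrs) and script,
    }

# Constructed sample links paired with the (constructed) recipient address.
SAMPLES = [
    ("http://host.example/pictures.php?email=alice%40example.com", "alice@example.com"),
    ("http://host.example/pictures.php?bob@example.net", "bob@example.net"),
    ("http://host.example/gallery.php?id=42", "alice@example.com"),
    ("http://host.example/setup.scr", "bob@example.net"),
]

if __name__ == "__main__":
    for url, rcpt in SAMPLES:
        result = assess_link(url, rcpt)
        flag = "FLAG" if result["suspicious"] else "ok  "
        print(flag, url, result["addresses"])
```

Run at a mail or IM gateway, a check like this catches the address disclosure before the click, independently of whether the downloaded file is ever executed.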
It seems likely that in the coming months virus writers will continue to hone their social engineering skills, as users are becoming more cautious and the old methods are not working as well as they used to. Email worms are likely to fall further and further out of favour; mass mailing of downloaders will rise, with the aim of creating more and more botnets.