" new Netskty & 5 new Bagle versions on the loose

F-Secure Warns on the outbreaks caused by a "Virus Weekend"
Two new versions of Netsky and five new versions of Bagle found since Friday

Virus writers have been busy over the last days, with two new variants of theNetsky worm and five new variants of the Bagle worm found since Friday the 27th of February. Out of these worms, Netsky.D - found on Monday the 1st of March - is the most widespread.

The Netsky virus family consists of fairly simple Windows worms, which spread over email. Apart from spreading aggressively by sending infected PIF attachments around they do very little. The only unusual feature is that Netsky.D will start to play a loop of random beeps from the PC speaker on the morning of Tuesday the 2nd of March.

"We believe the reason for Netsky.D spreading so fast is because it was apparently spammed to a large amount of email addresses during Monday", says Mikko Hypponen, Director of Anti-Virus Research at F-Secure. "If it continues spreading at these levels it might go on to break the previous records set by Mydoom.A and Sobig.F", he continues.

F-Secure raised Netsky.D to F-Secure Radar Level 1 Alert during Monday. Level 1 is the highest alert level.

All the new Bagle variants known as Bagle.C, .D, .E, .F and .G were found during the weekend. The original Bagle.A (also known as Beagle) is a Windows email worm that was first discovered on January 18th, 2004, and became globally widespread in just 24 hours.

All the five new versions of Bagle seem to be written by the same virus
author. "It seems the writer is waging a virus war", says Hypponen.
"Apparently he has been monitoring closely how quickly the antivirus vendors have released detections, then made the necessary alterations to avoid detection and released new versions immediately", he continues.

F-Secure raised Bagles to F-Secure Radar Level 2 Alert during the weekend.

Bagle.F and .G have an interesting feature in them. Both of them send infected files inside ZIP archives encrypted with a password that is mentioned in the email message. The ZIP itself is variable, as the EXE inside has a random part in it. Most probably the virus this way tries to bypass detection of gateway and server scanners, which might not be able to decrypt such archives.

In addition to this feature, Bagle.F uses deceiving icons for the infected
attachments that look like folders, and thus may seem harmless to the end user.

Pictures of the Bagle folder icons can be seen in the F-Secure Weblog, which follows developments on these new viruses. Also a recording of the beep sound loop played by Netsky.D can be downloaded from the weblog which is available at: http://www.f-secure.com/weblog/.

F-Secure Anti-Virus can detect and remove all the new Netsky and Bagle variants. F-Secure Anti-Virus can be downloaded from http://www.f-secure.com.

F-Secure has also released free tools, which can be used to remove Bagle or Netsky from infected systems. The tools can be downloaded through the F-Secure Virus Information Center at http://www.f-secure.com/v-descs/