NEWS FROM THE LAB - April 2004


Friday, April 30, 2004

Mydoom vs Netsky Posted by Mikko @ 11:49 GMT

Now that different Netsky variants rule the earth (there are 7 different Netsky variants in top 10 right now), it's easy to forget how big problem the Mydoom worm was just three months ago.

To put things into perspective, here's out stats for 2004 so far, sorted by the percent of all infections:

  1   Mydoom.A  46,4 %
  2   Netsky.D   12,5 %
  3   Netsky.B   10,7 %
  4   NetSky.p   9,7 %
  5   Swen.A     2.0 %
  6   Netsky.Q   1,8 %
  7   Netsky.C   1,6 %
  8   Netsky.T   1,4 %
  9   Dumaru.A   1,2 %
10   Sobig.F    1,1 %

The big peak caused by Mydoom in the end of January is also nicely visible in this graph:

2004 stats

PS. F-Secure's website is ten years old this April. We'll be posting an anniversary site next week...along the lines of the party we threw when our site was two years 1996!


Wednesday, April 28, 2004

Netsky attack status Posted by Sami @ 17:26 GMT

The latest Netsky attack does not seem to cause big hit for most of the sites it attempts to attack. At the time of writing both and are up and running. Only seems to have problems - it is not respoding at all.


Netsky.AB and Bagel.Z are spreading Posted by Katrin @ 17:15 GMT

Two new worms are spreading fast this evening - Netsky.AB and Bagle.Z, so we just upgraded them to Radar level 2. Netsky.AB attachment file's extension is always ".pif". Bagle.Z is similar to Bagle.Y variant, but does not send images in its e-mails.

Bagle.Z has been found Posted by Alexey @ 12:37 GMT

We have received many reports about a new variant of Bagle worm - Bagle.Z. This new variant is similar to the previous one, but it does not send pictures in e-mails.

Netsky.AB Posted by Sami @ 09:51 GMT

Once again a new variant of Netsky - Netsky.AB - has been found.

Another Netsky attack starts Posted by Mikko @ 05:46 GMT

Several Netsky variants will start a new Distributed Denial-of-Service attack either today or on Sunday, targeting these three sites:

The administrators of these sites have been warned, and they have taken measures to protect themselves against the attacks.
Netsky DDoS sites
However, especially the Netsky.X and Netsky.Y variants are quite widespread and the attacks could be quite serious.


Tuesday, April 27, 2004

Going to double digits Posted by Mikko @ 11:04 GMT

New Netsky variant was found early this morning. In our book, this is Netsky.AA - the first Netsky to roll into "double digits". Next one will be Netsky.AB, Netsky.AC etc.

For reference, many large virus families have done this before, including many macro viruses - which typically had tons of minor variants.

The largest malware family ever seems to be Agobot (aka Gaobot or Phatbot), with over 450 variants. Right now the latest variant is Agobot.RO.


CAPJMWord Macro
Jerusalem.1808FVFile infector
LarouxOUExcel Macro
LoveletterCZWord Macro
MarkerLAWord Macro
NpadKBWord Macro
StonedEVBoot sector
ThusGPWord Macro
WazzuHMWord Macro


Bagle.Y naming madness Posted by Mikko @ 09:37 GMT

Antivirus companies are getting out of synch with the Bagle variant letters.

At least the following aliases currently exist for this variant, according to Secunia:



Monday, April 26, 2004

Bagle.Y pictures Posted by Mikko @ 21:22 GMT

So the latest Bagle variant tries to fool users into clicking the attachment by sending messages with contents such as:

I am a honest, kind,loving,with good sense of humor...etc.,looking for true love... or maybe for pen friend.I like cats

And these messages include a JPEG picture of a girl - and another attachment which is actually the virus. The infectious attachment might have a cherry icon.
Bagle.Y icon
The virus contains three different pictures of girls, most likely taken from some dating site. The pictures are shown here blurred, as these girls obviously have nothing to do with the virus.
Bagle.Y girl


New Bagle variant discovered Posted by Alexey @ 16:38 GMT

We received several reports about a new Bagle variant: Bagle.Y. This variant has some new features, it uses encryption for its entire file and adds random garbage to the end of its file as a decoy.

CIH day Posted by Mikko @ 12:52 GMT

Today is the 26th of April.

For several years, this day used to mean worldwide damage caused by the CIH virus. This virus was very widespready during 1998-2000. It was programmed to activate destructively every year on this date, overwriting most of the data on the hard drive and attempting to overwrite the Flash BIOS chip of the computer, making it unbootable.


The CIH virus family is no longer widespread. Last time we saw significant amount of damage (mostly in Asia) was in April 2001. We expect to see no damage now in April 2004.

For more information, see our old Global CIH Virus Information Center.


Friday, April 23, 2004

Virus War History Posted by Mikko @ 12:30 GMT

Here's a closer look to the history of the three main virus families we're currently fighting: Bagle, Netsky and Mydoom.
Viruswar animation (69k image)


Netsky.X composes messages in Turkish Posted by Alexey @ 09:48 GMT

It looks like the Netsky's author mistyped the domain suffix for Turkey - he put '.tc' instead of '.tr'. We came to that conclusion after verifying that the text that is sent to addresses in .tc domain is in Turkish (word by word translation from a online dictionary such as this).


Wednesday, April 21, 2004

We're at the end of the Alphabet Posted by Mikko @ 17:44 GMT

So now we are running out of letters. Netsky.Z was found two hours ago.

First Netsky was found on 16th of February this year. So that's 26 variants in 65 days. Two new variants for every five days...

Like some previous Netsky variants, this one starts a DDoS attack againts three websites: - The Swiss Education Server - Office of Medical Informatics at University of Florida - Niedersächsischer Bildungsserver in Germany

We have no clue why these sites are being targeted.


Today is the third Monday of this week Posted by Mikko @ 13:25 GMT

So last night we spent with Mimail, Mydoom and Netskies. Today so far we've been fighting with a minor .S variant of Blaster (aka Lovsan) as well as a new Dumador variant (Dumador.Q).

There seems to be a lot of code-sharing going on. Open source viruses, perhaps? In fact, the source code of Phatbot is now circulating in the underground, and it starts with this:

Phatbot source


Tuesday, April 20, 2004

Netsky.Y variant is spreading Posted by Katrin @ 23:34 GMT

The new Netsky that we got earlier is not just repacked, but also slightly modified so we are calling it Netsky.Y

This variant sends itself using attachment name that is build from random domain name, random user name and random number: The random number is used as ID in the subject of the infected email.


Re-packed Netsky.X variant found Posted by Alexey @ 19:58 GMT

We have received a re-packed variant of Netsky.X worm. It is already detected by FSAV with the current anti-virus databases.

Busy night Posted by Mikko @ 17:47 GMT

First we had the new Netsky.X variant (matching nicely the Bagle.X found yesterday) - which talks nine different languages in the emails it send. Then a new Mimail variant (Mimail.V) was found, and we just got a report of a new Mydoom variant. This will be Mydoom.J.

Interestingly, this new Mydoom has code parts resembling the Bugbear variants...which might mean one of two things: Mydoom authors are recycling code from Bugbear - or both these viruses are done by the same author. The great Mydoom-Bugbear conspiracy!


Netsky.X sends messages in many languages Posted by Alexey @ 14:21 GMT

Netsky.X sends messages in many different languages: English, Swedish, Finnish, Polish, Norwegian, Portuguese, Italian, French, German and possibly the language of some small island called Turks and Caicos, located in the Atlantic ocean. In many cases the messages are composed incorrectly suggesting that the worm's author did not ask native speakers for translation or used an on-line translation service like Babel Fish.


Netsky.X is spreading Posted by Katrin @ 11:34 GMT

A new Netsky.X has been found today and is spreading. More information will be available at:


Monday, April 19, 2004

New Bagle found Posted by Alexey @ 14:00 GMT

A new variant of Bagle has been found: Bagle.X. This variant does not have it's own replication system - it only drops a version of the Mitglieder trojan to a computer. Apparently Bagle.X is being spread actively by spamming it.

Mass-mailing worm from Hungary Posted by Gergo @ 10:47 GMT

A new mass-mailing worm, called Zafi.A was found from Hungary. The worm sends infected messages in Hungarian language.

The description for Zafi.A was posted here.


Friday, April 16, 2004

Netsky.W worm found Posted by Alexey @ 16:24 GMT

Today we found another new Netsky variant: Netsky.W. It is similar to previous NetSky.P or NetSky.Q variants and it removes Bagle worm if it finds it on an infected computer.

Thursday, April 15, 2004

Netsky.V uses vulnerability to spread Posted by Katrin @ 10:31 GMT

A new Netsky variant was found - Netsky.V. It does not send itself as an attachment but uses HTML emails which exploit vulnerability known as Microsoft Internet Explorer XML Page Object Type Validation Vulnerability and tries to download and execute itself from an infected host.

Saturday, April 10, 2004

The Macintosh MP3 issue Posted by Mikko @ 11:58 GMT

After years of silence, things are happening on the Macintosh platform. A new trojan known as MP3Concept was found recently. This is not a virus, and it has not been seen in the wild, ie. IT'S NOT SPREADING AND INFECTING MACINTOSHES. We're talking about a proof-of-concept example...but an interesting one; partly because it's on a Mac, partly because it's an MP3 file.

Macintosh used to have lots of viruses. In fact, during late 1980s viruses we're considered to be largly a Macintosh problem, not a PC problem. Nowadays of course situation is exactly the opposite, with less than 100 known Macintosh-only viruses and around 90,000 PC viruses (and a couple of hundred macro viruses which work under Microsoft Office in both Mac and Windows).

In fact, with the release of the new Mac OS X, several expert-techie type of users have migrated to the new Macintosh laptops. Partly because the machines are really nice and look cool, partly because they come with 16:9 wide screens, partly because they are faster than the PC counterparts and partly because the operating system nowadays actually runs on top of unix.

Apple Powerbook G4 17 inch (c) Appel 2004

Viruses and MP3 audio files have had a long relationship. There are tons of PC viruses which use filenames like SONG.MP3.PIF and try to fool the user to click on them, expecting to get a song. We've also had several vulnerabilities in common MP3 players such as WinAMP and Windows Media Player. But we haven't seen a "real" MP3 virus.

And this new Mac thing is not a virus either.

In fact, this whole thing has been blown way out of proportion. What happened was that two weeks ago there was discussion in newsgroup comp.sys.mac.programmer.misc about how resources forks operate under Mac, and a Swedish programmer called Bo Lindbergh posted example code to illustrate the issue. The original thread is accessible right here.

After a week or so, it became news. In fact, there's a headline called "The first Trojan horse virus to target Apple's latest operating system was discovered this week" on CNN.COM! Obviously this is not right.

What the MP3Concept trojan does is that when the MP3 file is opened under Mac OS 9 or Mac OS X, it is executed as an application because of fake resources inserted in it. The actual code is stored in the ID3 tag of the file, and it will display a message like this:

MP3Concept screenshot, source:

The audio data in the example MP3 file that was distributed actually contains man's laughter. Yeah, that's interesting, although it has no importance whatever. So we've extracted the laughter to a WAV file which you can listen to by clicking here.

Do note that F-Secure does not have a Macintosh antivirus. We used to, though. F-Secure was actively distributing and developing a Macintosh antivirus product between 1991 and 1998, but nowadays we only do Windows and Linux.


Thursday, April 8, 2004

Follow-up on the Netsky.Q DDoS attack Posted by Mikko @ 21:33 GMT

ZDNet is now covering the Netsky.Q DDoS attack which has been able to take down several of the sites it targets.

Sites such as and seems to work fine, but is seriously bogged down...and the owners of and have set the hosts to point to localhost.

Netsky.Q DDoS aftermath


Yet another Netsky variant Posted by Sami @ 07:42 GMT

Once again, yet another Netsky variant has been found - Netsky.U .

Wednesday, April 7, 2004

Update on the Netsky.Q DDoS Posted by Mikko @ 20:16 GMT

The sites that Netsky.Q is attacking against right now seem to be working fairly well. Of the sites under attack only seems to be totally unreachable, and is operating abnormally slow.


New variant of Mitglieder trojan spammed Posted by Alexey @ 18:56 GMT

A new variant of Mitglieder trojan was spammed in e-mail messages today: Mitglieder.AI. Similar trojan variants were dropped by Bagle worms in the past.

Netsky.Q DDoS started Posted by Mikko @ 09:20 GMT

Netsky.Q starts it's DDoS attack today, on the 7th of April. It will continue the attack until the 12th. The attack is targeting these sites:

Some of these sites have taken precausions, including the Emule Project:

emule screenshot

According to our statistics, Netsky.Q is in the TOP 10 of viruses in the wild right now.


Tuesday, April 6, 2004

New variant of Bugbear/Tanatos worm found Posted by Alexey @ 14:45 GMT

We have received a sample of a new variant of Bugbear (also known as Tanatos) worm. The Bugbear.E worm sends itself in e-mails and steals personal information.

Lovgate: Repacked Posted by Ero @ 11:53 GMT

Starting from yesterday, we have already seen several samples of Lovgate.W packed with ASPack and/or JDPack multiple times. Their functionality remains the same, the changes only afftect its size.

For more information:


Another Netsky variant found Posted by Alexey @ 10:41 GMT

The Netsky.T variant has been found. It is very close to the yesterday's Netsky.S variant, but lacks one text string array (the one with fake anti-virus scan reports). Detection for this variant is available since yesterday.

Monday, April 5, 2004

...and a new Bagle.W Posted by Katrin @ 14:08 GMT

What a Monday!

Today we got new Lovgate (two different packing) and a new Netsky variant...and now we got a new Bagle.W


...and a new Netsky Posted by Mikko @ 08:11 GMT

We have found a new Netsky variant (Netsky.S). This new variant has a backdoor that allows to download and run executable files on an infected computer. Netsky doesn't uninstall Bagle any more, so is the war over ?

For reference, here's the sizes of the known Netsky variants:

A: 21504 bytes
B: 22016
C: 25353
D: 17422
E: 24840
F: 18432
G: 27648
H: 22528
I: 22016
J: 27648
K: 22016
L: 16896
M: 16896
N: 33792
O: 16384
P: 29568
Q: 28008
R: 20624
S: 18432


New Lovgate Posted by Mikko @ 07:47 GMT

New variant of the Lovgate family was found during Sunday-Monday night. There's been a burst of activity in this family recently.

The first Lovgate variants were already found more than a year ago, in February 2003. We saw a series of variants between February and June (variants A-M), then a lone N variant in September 2003 and now a new series (variants O-W) which started on March 13th 2004.


Sunday, April 4, 2004

Sober.F spreading in the wild Posted by Mikko @ 16:22 GMT

A new variant of the Sober family was found. Again on Sunday. The author of this worm apparently always distributes his latest variants on Sundays. Sober.E was found a week ago on Sunday afternoon and Sober.D was found three weeks before that on Sunday-Monday night.

This new one (known as Sober.F or also as I-Worm.Vb.C) sends highly variable German and English emails which always have an PIF or ZIP attachment. The virus is 42496 bytes long.

We expect most of the infections caused by this worm to be located in Central Europe.


Friday, April 2, 2004

Added exact detection for several Java/Needy variants Posted by Jarno @ 15:53 GMT

Just finished adding a bunch of variants of Java/Needy Trojan family. This week we have added from Needy.D to Needy.I.
Basically all of them are quite similar in functionality. A Trojan is downloaded from malicous web site and executes using vulnerability in Internet Exlorer Java runtime, and changes IE homepage and search settings and optionally download more trojans to the system.

The best protection against these trojans is to make sure that Internet Explorer has the latest security patches.