[Dshield] Several New Worms
Jon R. Kibler
Jon.Kibler at aset.com
Tue Feb 17 23:57:00 GMT 2004

We have had several calls and emails today about the new Beagle.B
worm infecting systems. We have also seen multiple occurrences of
NetSky, Gibe.F, Welchia.B, Welchia.C, DeadHat.B, and a new PayPal
scam blocked by our mail AV scanners. In total, we have seen over
a dozen different types of malware which we have never observed in
the wild before today.

Thus, we started to write a short 'security alert' to our customers.
However, it grew into a review of what we believe our customers should
be doing at an absolute minimum to protect themselves from malware. I
thought I would share it with the DShield list -- Yes, it is neither
complete nor comprehensive, but I thought it may be of interest to
members of this list.

Jon R. Kibler
Chief Technical Officer
Charleston, SC USA

Subject: PLEASE update your anti-virus software TODAY!

Just a heads-up... There are at least 7 new computer worms that have been
discovered in the past few days. We have observed several of them yesterday
and today. Probably the worst, Beagle.B, just came out today. Beagle.B is
another one of the spamiruses (spammer created viruses) that infects your
computer and provides spammers complete access to your system.

Some of these new worms only affect NT versions of Windows (NT/2000/XP), but
most affect all versions of Windows (including 95/98/ME/NT/2000/XP).

Bottom line... update your anti-virus software NOW!

Previously, we had been recommending that everyone update their anti-virus
software every night using the software's auto-update feature. (Your computer
must be on for this to work!) However, with the recent onslaught of new
viruses and worms (now averaging 15 to 20+ new, serious, widespread
viruses/worms per week), we have changed our recommendations, to be as

1) For home users, update your anti-virus software at least once a day,
   and do so before checking your email. Where possible, set the
   auto-update feature to run nightly. Hint: For best performance, do
   not run your auto-update at xx:00, or xx:30. Rather, choose some
   random time not on the hour or half-hour.

2) For small businesses, update your anti-virus software before the start
   of business each day and at least one time 8 to 10 hours later during
   the work day. Again, set your auto-update feature to do the work for

3) For larger organizations, or organizations with a high volume of
   email, update your anti-virus software several times during the work
   day. (For our TRUSTEM.COM Email Filtering Service and for our Family
   Friendly Email Service, we update our anti-virus software every 30

It is critical that everyone regularly update their anti-virus software!
Why? Because the length of time between when a new virus is first reported
and when it becomes widely distributed is becoming shorter and shorter. For
example, within an hour of our updating for the new Beagle.B worm, we saw
our first instance where the worm was included in an email attachment. (In
anticipation of the day when viruses and worms spread faster than anti-virus
software vendors can update their software, we have developed several other
strategies to block and identify unknown worms and viruses sent as email

With spammers clearly responsible for most of the new email worms, and
spammers using their already compromised systems to rapidly spread these
worms, the day is soon approaching where worms will become widespread
before any of the anti-virus software vendors are able to publish updates
to detect these worms. Thus, it is important to emphasize good email
security practices, namely:

1) Subscribe to your anti-virus software vendor's update notification
   service. This service will send you notices whenever critical updates
   to your anti-virus software are available.

2) NEVER open an email attachment unless it is BOTH from someone you
   know AND you were expecting to receive an email from that person
   with that attachment.

3) Configure your anti-virus software to scan each email as it is

4) NEVER reply to an email from an unknown source, or click on a
   "remove me" link supplied in the email. (Doing so will only
   guarantee that you receive even more junk email!)

5) When possible, always read your email off-line. That is, either
   disconnect from the Internet before opening your email (and
   cancel any autoconnection attempt that results from opening an
   email!), or choose your email program's "Work Off-line" option
   (Netscape and Mozilla) before opening your email.

Finally, four comments about computer security in general.

1) The Department of Homeland Security has a new computer security
   alert mailing list. The information we have received from this
   list so far has been first rate. There are both technical and
   non-technical mail lists available. We recommend that everyone
   with a computer subscribe to the list they feel is most appropriate
   for their level of expertise.
   Security tips: http://www.staysafeonline.info/

2) The most critical thing you can do to protect your computer is to
   keep your software updated with the latest security patches. This is
   ESPECIALLY true if you are using any Microsoft Windows operating
   system, and CRITICAL if you are using Windows/XP. Again, use your
   auto-update feature to keep up to date with the latest security
   patches. Businesses should subscribe to each of their software
   vendors' security mailing lists to be alerted whenever critical new
   problems are discovered.

3) Anti-virus software is no longer adequate to protect most computers
   from being hijacked by computer criminals. EVERY computer should have
   firewall software installed and configured for maximum security. This
   is CRITICAL if you are running Windows 2000/XP, Linux, or Mac OS/X.
   For Windows XP, the built-in firewall is adequate for most home users.
   However, it is disabled by default, and must be manually enabled and
   fully configured before it will provide any protection. Users of
   other versions of Windows or other operating systems will need to buy,
   install, and configure firewall software. Any computer without a
   firewall is a computer just asking to be hijacked!

4) Be wary of Instant Messaging! When it is improperly configured,
   hackers, spammers, and other miscreants can use IM to load files onto
   your computer, access files on your computer, and otherwise compromise
   your system. (The default configuration of most IM software is very
   insecure and must be manually changed to ensure adequate security.)
   IM is destined to be the next means used to send spam and otherwise
   compromise your computer system and its programs and data.

Hope this info helps... Please pass on to friends, family, and business

Jon R. Kibler
Chief Technical Officer
Charleston, SC USA

Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.
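
Added example, not part of the original post: one way to apply the hint about keeping auto-updates off xx:00 and xx:30 across many machines is to derive each host's update minute from a hash of its name, so the minute is stable per host and spread across the fleet. The cron format, the hour choices per tier, the sample host names and the /usr/local/bin/av-update path are assumptions made for illustration.

```python
import hashlib

AVOID_MINUTES = {0, 30}  # the post's hint: stay off xx:00 and xx:30

# Hour fields are assumptions chosen to fit the post's three tiers;
# "start" is the hour the business day begins.
PROFILES = {
    "home": lambda start: "3",                                   # nightly
    "small_business": lambda start: f"{start - 1},{start + 8}",  # before opening, 9 h later
    "large_org": lambda start: f"{start - 1}-{start + 9}/2",     # several times a work day
}


def host_minute(hostname, avoid=AVOID_MINUTES):
    """Map a hostname to a stable minute of the hour, skipping avoided ones."""
    allowed = [m for m in range(60) if m not in avoid]
    digest = hashlib.sha256(hostname.lower().encode("utf-8")).digest()
    return allowed[int.from_bytes(digest[:4], "big") % len(allowed)]


def cron_entry(hostname, profile, command="/usr/local/bin/av-update", start_hour=8):
    """Build one crontab line; the command path is a hypothetical placeholder."""
    if profile not in PROFILES:
        raise ValueError(f"unknown profile: {profile!r}")
    if not 1 <= start_hour <= 14:
        raise ValueError("start_hour must keep every update inside one day")
    hours = PROFILES[profile](start_hour)
    return f"{host_minute(hostname)} {hours} * * * {command}"


if __name__ == "__main__":
    # Constructed sample hosts, one per tier.
    for host, profile in [("den-pc", "home"), ("frontdesk", "small_business"), ("mx1", "large_org")]:
        print(cron_entry(host, profile))
```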