[Dshield] Several New Worms

Jon R. Kibler Jon.Kibler at aset.com
Tue Feb 17 23:57:00 GMT 2004

We have had several calls and emails today about the new Beagle.B 
worm infecting systems. We have also seen multiple occurrences of 
NetSky, Gibe.F, Welchia.B, Welchia.C, DeadHat.B, and a new PayPal 
scam blocked by our mail AV scanners. In total, we have seen over 
a dozen different types of malware which we have never observed in 
the wild before today.

Thus, we started to write a short 'security alert' to our customers.
However, it grew into a review of what we believe our customers should 
be doing at an absolute minimum to protect themselves from malware. I 
thought I would share it with the DShield list -- Yes, it is neither
complete or comprehensive, but I thought it may be of interest to
members of this list.

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214

Subject: PLEASE update your anti-virus software TODAY!


Just a heads-up... There are at least 7 new computer worms that have been 
discovered in the past few days. We have observed several of them yesterday 
and today. Probably the worst, Beagle.B, just came out today. Beagle.B is 
another one of the spamiruses (spammer created viruses) that infects your 
computer and provides spammers complete access to your system.

Some of these new worms only effect NT versions of Windows (NT/2000/XP), but 
most effect all versions of Windows (including, 95/98/ME/NT/2000/XP).

Bottom line... update your anti-virus software NOW!

Previously, we had been recommending that everyone update their anti-virus 
software every night using the software's auto-update feature. (Your computer 
must be on for this to work!) However, with the recent onslaught of new 
viruses and worms (now averaging 15 to 20+ new, serious, widespread 
viruses/worms per week), we have changed our recommendations, to be as 
  1) For home users, update your anti-virus software at least once a day, 
     and do so before checking your email. Where possible, set the 
     auto-update feature to run nightly. Hint: For best performance, do 
     not run your auto-update at xx:00, or xx:30. Rather, choose some 
     random time not on the hour or half-hour.

  2) For small businesses, update your anti-virus software before the start 
     of business each day and at least one time 8 to 10 hours later during 
     the work day. Again, set your auto-update feature to do the work for 

  3) For larger organizations, or organizations with a high volume of 
     email, update your anti-virus software several times during the work 
     day. (For our TRUSTEM.COM Email Filtering Service and for our Family 
     Friendly Email Service, we update our anti-virus software every 30 

It is critical that everyone regularly update their anti-virus software! 
Why? Because the length of time between when a new virus is first reported 
and when it becomes widely distributed is becoming shorter and shorter. For 
example, within an hour of our updating for the new Beagle.B worm, we saw 
our first instance where the worm was included in an email attachment. (In 
anticipation of the day when viruses and worms spread faster than anti-virus 
software vendors can update their software, we have developed several other 
strategies to block and identify unknown worms and viruses sent as email 

With spammers clearly responsible for most of the new email worms, and 
spammers using their already compromised systems to rapidly spread these 
worms, the day is soon approaching where worms will become widespread
before any of the anti-virus software vendors are able to publish updates 
to detect these worms. Thus, it is important to emphasize good email 
security practices, namely:
  1) Subscribe to your anti-virus software vendor's update notification 
     service. This service will send you notices whenever critical updates 
     to your anti-virus software are available.

  2) NEVER open an email attachment unless it is BOTH from someone you 
     know AND you were expecting to receive an email from that person 
     with that attachment.

  3) Configure your anti-virus software to scan each email as it is 
     being opened.

  4) NEVER reply to an email from an unknown source, or click on a 
     "remove me" link supplied in the email. (Doing so, will only 
     guarantee that you receive even more junk email!)

  5) When possible, always read your email off-line. That is, either 
     disconnect from the Internet before opening your email (and 
     cancel any autoconnection attempt that results from opening an 
     email!), or choose your email program's "Work Off-line" option 
     (Netscape and Mozilla) before opening your email.

Finally, four comments about computer security in general.
  1) The Department of Homeland Security has a new computer security 
     alert mailing list. The information we have received from this 
     list so far has been first rate. There are both technical and 
     non-technical mail lists available. We recommend that everyone 
     with a computer subscribe to the list they feel is most appropriate 
     for their level of expertise.

       Overview: http://www.dhs.gov/dhspublic/interapp/press_release/press_release_0337.xml
       Subscribe: http://www.us-cert.gov/
       Security tips: http://www.staysafeonline.info/

  2) The most critical thing you can do to protect your computer is to 
     keep your software updated with the latest security patches. This is 
     ESPECIALLY true if you are using any Microsoft Windows operating 
     system, and CRITICAL if you are using Windows/XP. Again, use your 
     auto-update feature to keep up to date with the latest security 
     patches. Businesses should subscribe to each of their software 
     vendor's security mailing lists to be alerted whenever critical new 
     problems are discovered.

  3) Anti-virus software is no longer adequate to protect most computers 
     from being hijacked by computer criminals. EVERY computer should have 
     firewall software installed and configured for maximum security. This 
     is CRITICAL if you are running Windows 2000/XP, Linux, or Mac OS/X. 
     For Windows XP, the built-in firewall is adequate for most home users.
     However, it is disabled by default, and must be manually enabled and 
     fully configured before it will provide any protection. Users of 
     other versions of Windows or other operating systems will need to buy, 
     install, and configure firewall software. Any computer without a 
     firewall is a computer just asking to be hijacked!

  4) Be wary of Instant Messaging! When it is improperly configured, 
     hackers, spammers, and other miscreants can use IM to load files onto 
     your computer, access files on your computer, and otherwise compromise 
     your system. (The default configuration of most IM software is very
     insecure and must be manually changed to ensure adequate security.)
     IM is destined to be the next means used to send spam and otherwise 
     compromise your computer system and its programs and data.

Hope this info helps... Please pass on to friends, family, and business 

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214

Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.

More information about the list mailing list