Computer Virus Families: Origins and Differences

Klez.F and Klez.I or Opaserv, Opaserv.D and Opaserv.H are just some examples of malicious code which due to common characteristics and roots are grouped into families by the antivirus industry. “The biggest families like I Love You or the veteran Marker can have as many as 60 variants,” explains Luis Corrons, Virus Laboratory Director at Panda Software.

Sometimes a new variant of malicious code originates from another virus that has been modified. On other occasions, the authors create it using the basic features that define a family of viruses as a kind of template. For this reason, some malicious code comes in series, behaving in basically the same way with only minimal differences, such as the subject line of the e-mail it arrives in or its ability to carry out certain actions, as the examples below illustrate:

Variants “I” and “F” of Klez: both spread through e-mail and take advantage of the same vulnerability in the Internet Explorer browser (since patched by Microsoft), which makes it possible for the attached file to run automatically when the message is viewed in the Preview Pane. The versions differ in the following ways:

Klez.I: sent in an e-mail message with text and two attached files. The objective of this malicious code is to stop certain processes and delete files on infected computers.

Klez.F: sent in an e-mail with no text and only one attached file. It modifies some of the system controls (preventing the system from starting up correctly) and overwrites executable files, rendering them useless.

W32/Opaserv and W32/Opaserv.D both spread through networks and attempt to access a web page to update some of their components. To infect a computer, both worms create SCRSVR.EXE in the Windows directory, which contains their infection code. In addition, W32/Opaserv.D generates the file TMP.INI in the root directory of the hard drive and adds an instruction to WIN.INI to activate the worm.

Opaserv.H differs in that the file containing it comes in different sizes and is compressed with the PCShrink utility, which encrypts the code that causes the infection. The “J” variant of Opaserv creates several files on the infected computer: “INSTIT.BAT” copies the worm file that contains the infection code, while “GUSTAV.SAT” and “INSTITU.VAT” are generated to exchange information with the web page the worm connects to.

I Love You: variants differ principally in the characteristics of the messages they send. The names of the attached files, the web pages they connect to and the file extensions they affect are all variable. The appearance of successive variants within just a few hours contributed greatly to their ability to spread.

Corrons also explained: “Some variants still manage to spread, even though for some time now antivirus solutions have been available to detect and neutralize them.” One example is the “I” variant of Klez, which appeared in April and still remains the most damaging malicious code affecting users over the past seven months, according to data collected by Panda ActiveScan. “There’s no doubt,” said Corrons, “Klez.I continues to spread because users are not taking the proper security measures to protect themselves.” These measures include:

  • Use a good antivirus and update it regularly.
  • Treat e-mails received with caution.
  • Avoid downloading programs from unsafe Internet sites.
  • Reject unsolicited files when you are using chat or newsgroups.
  • Update installed software, including the patches recommended by the manufacturer.
