Klez Worm is Most Prolific Virus of the Year

Windows 32 viruses take clean sweep of 2002 virus chart

Sophos, a world leader in corporate anti-virus protection, has revealed that the Klez worm has accounted for almost a quarter of reports to Sophos’s customer support department during 2002. Klez topped Sophos’s monthly chart for seven months in succession this year – officially making it 2002’s most prolific virus. The second most common virus was the Bugbear worm, which makes the number two slot even though it was only detected in October 2002. In third place comes Badtrans, the password stealing worm which was first detected in November 2001.

Nine of the viruses in the 2002 top ten are mass mailing Windows 32 viruses, the exception being the Elkern virus which is dropped by Klez. 87 per cent of all reports of infections during 2002 concerned Windows 32 viruses.

Sophos has detected 7,189 new viruses, worms and Trojan horses to date this year, bringing the total protected against to more than 78,000. On average, the Sophos virus labs produce detection routines for more than 25 new viruses each day.

The top ten figures for the year, as recorded by Sophos’s customer support department, are as follows with the most frequently occurring virus at number one:

The top ten figures for the year, as recorded by Sophos’s customer support department, are as follows with the most frequently occurring virus at number one:

1. W32/Klez (Klez worm) 24.1%
2. W32/Bugbear (Bugbear worm) 17.5%
3. W32/Badtrans (Badtrans worm) 14.6%
4. W32/Elkern (Elkern virus) 4.6%
5. W32/Magistr (Magistr worm) 4.2%
6. W32/MyParty (MyParty worm) 2.2%
7. W32/Sircam (Sircam worm) 2.0%
8. W32/Yaha (Yaha worm) 1.9%
9. W32/Frethem-Fam (Frethem-Fam worm) 1.4%
10. W32/Nimda (Nimda worm) 1.2%

Others 26.3%

“Unlike previous chart toppers like the LoveBug, which disappeared almost as quickly as it arrived, Klez is the ultimate in slowburning worms. It has managed to consistently infect users throughout the year,” said Graham Cluley, senior technology consultant at Sophos Anti-Virus. “Protection against Klez has been available for as long as the worm has been circulation. The only possible explanation for its continued ‘success’ is that some users are habitually neglecting to update their anti-virus software.”

Other developments in 2002:

Worms adopt ‘sender forging’ technique
High profile Windows 32 viruses such as the Klez and Yaha worms substituted the email address of the real sender of the worm with that of an alternative but legitimate email address. This has lead to a flurry of accusations that innocent computer users have sent the worms to customers, suppliers and colleagues. In some cases, Mac users have been blamed of sending the Klez worm, even though it is impossible for their Macs to be infected. This has caused embarrassment to some managed email security companies that have been falsely accusing users of forwarding viral code.

The law cracks down on cybercriminals
In May, David L. Smith, author of the Melissa worm which was the inspiration for many subsequent email-aware worms, was sentenced in the US to a 20-month custodial sentence and fines totaling 7,500 US dollars.

In the UK, the ‘Surbiton hacker’ (who has yet to be named) was arrested for authoring a Linux hacking tool following a joint investigation by Scotland Yard and the FBI. Llandudno resident Simon Vallor was also arrested and charged with writing and distributing three mass-mailer worms, including the Gokar worm. He is due to appear in court in December 2002. Finally, the US Government is currently seeking the extradition of Gary McKinnon of London, who it accuses of hacking into confidential Government and military networks.

Hoaxes cause confusion
The JDBGMGR virus hoax – an email duping users into deleting a legitimate file from their PCs – was first spotted in April 2002 and has topped Sophos’s hoax chart every month since May. Indeed, ‘JDBGMGR’ was the second most searched word on Sophos’s website in 2002, beaten only by ‘Klez’.

Although not viral, Sophos warns that this and other hoaxes waste bandwidth, clog up mail servers and confuse users, much in the same way as bonafide viruses. Users can find out how to implement an anti-hoax policy at www.sophos.com/safecomputing/

Virus writers still playing psychological tricks
Virus writers promised glimpses of images of Britney Spears, Shakira and Bill Clinton to entice users into opening up their malicious code. However, none of these worms made a significant impact, indicating that users are becoming wise to these psychological tricks.

Linux worm highlights that vulnerabilities are not just a Microsoft problem The Slapper worm, first detected in September, exploited a well-known vulnerability in the Linux operating system, which enabled the viral code to spread by network shares. The fact that this worm successfully spread indicates that some Linux users have neglected to patch their systems against publicised vulnerabilities.

Mobile viruses refuse to surface Despite the hype, some of it from anti-virus vendors, no viruses appeared in 2002 which attacked PDAs or mobile phones.

C# ‘proof of concept’ worm
In March, the Sharp-A worm, the first virus to be written in Microsoft’s latest programming language C#, was sent directly to the anti-virus industry as a ‘proof of concept’ that it was possible to write malware in this language. This virus was written by the virus writer Gigabyte, who is believed to be female.

New instant messaging worm
Although Windows 32 viruses dominated the 2002 chart, the CoolNow worm – which propagates via instant messaging platform – is a reminder that not all viruses arrive via email. Users relying on just email anti-virus scanning solutions will not be protected against all known malware.

Predictions for 2003:
Sophos predicts that virus writers will persist in distributing Windows 32 viruses as these mass-mailers have the greatest, most widespread impact. These viruses are likely to use sender forging techniques to increase confusion among computer users.

For more targeted attacks, Sophos also expects a rise in the number of Backdoor Trojans, which open up holes in operating systems enabling hackers to implant Remote Access Tools (RATs). These RATs enable hackers to take remote control of the infected PC. It is alleged that Gary McKinnon, the man accused of hacking into US Government networks, implanted RATs in order to capture passwords and confidential information.

Regarding anti-virus protection, Sophos predicts that more businesses will implement perimeter technology that blocks certain dangerous file types that can carry malware (for example .EXE files) at their email gateways.

About Sophos:
Sophos is one of the world’s largest specialist developers of anti-virus software. Headquartered in the UK, its products are sold and supported through a global network of subsidiaries and partners in more than 150 countries. Sophos solutions are specifically designed to protect businesses and organisations from virus attack. The company’s products are widely deployed by large corporations, banks and governments. For further information, please visit www.sophos.com