Windows 32 viruses rule the waves

July 01, 2002 Sophos Press Release

Sophos issues summary of virus activity for last six months

Sophos, a world leader in corporate anti-virus protection, has announced that it has detected and protected against 3,279 new viruses in the first six months of 2002. During this period, the single most prevalent virus was Klez-H, which was first reported in March 2002. All ten of the most prolific viruses in January to June 2002 were mass mailing Windows 32 viruses.

"What we see here is a clean sweep for Windows 32 viruses, taking every position of the top 10 chart," said Graham Cluley, senior technology consultant, Sophos Anti-Virus. "The days when Word macro and script viruses caused the most infections seem to be long gone. Worms and viruses that spread using networking functions or email clients currently dominate enquiries to our customer support."

For the first six months of 2002, the top ten viruses (as recorded by Sophos's helpdesk) are as follows, with the most frequently occurring virus at number one:

Position  Malware           Percentage of reports
1         W32/Klez-H        29.4%
2         W32/Badtrans-B    23.5%
3         W32/ElKern-C      6.3%
4         W32/Magistr-B     4.0%
5         W32/MyParty-A     3.7%
6         W32/Klez-E        3.0%
7         W32/Sircam-A      2.8%
8         W32/Magistr-A     2.0%
9         W32/FBound-C      1.8%
10        W32/Nimda-A       1.1%
          Others            22.4%

"As expected, Klez-H tops the chart. Klez-H is a sobering reminder that viruses continue to present a serious threat, and that it is vital enterprises follow safe computing practices and keep anti-virus protection updated," continued Cluley. "However, Klez-H wasn't the only big hitter. Badtrans-B, Magistr, Nimda and Sircam, which were all released during 2001, were an ugly hangover for many users well into this year."

In runner-up position is Badtrans-B. First seen in November 2001, this worm drops a password stealing Trojan Horse onto the infected user's computer. However, this virus is easy for the wary to spot as it arrives as a file attachment with a double extension. Sophos advises that, as well as keeping protection up to date, enterprises block these file types at the email gateway. Companies introducing this policy after the Love Bug would not only have avoided infection from Badtrans-B, but also Anna Kournikova, Sircam and many other recent viruses.
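
The gateway check recommended above can be sketched as follows. This is an added example, not Sophos code or part of the original release; the extension list and the function names are assumptions, since the release does not enumerate the blocked file types.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumption: extensions treated as executable on Windows; the release names no list.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "lnk"}


def is_double_extension(filename):
    """True for names like 'README.TXT.pif': an executable extension
    hidden behind a harmless-looking decoy extension."""
    # Windows ignores trailing dots and spaces, so drop them before splitting.
    name = filename.strip().rstrip(". ").lower()
    # Padding such as 'photo.jpg     .scr' pushes the real extension out of view.
    parts = [p.strip() for p in name.split(".")]
    if len(parts) < 3 or not parts[0]:
        return False
    final, decoy = parts[-1], parts[-2]
    # The decoy must itself look like an extension (short and alphanumeric).
    return final in EXECUTABLE_EXTS and decoy.isalnum() and len(decoy) <= 4


def flagged_attachments(raw_bytes):
    """Return the attachment filenames in a raw message that a gateway should block."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        # get_filename() decodes RFC 2231 names and falls back to Content-Type 'name'.
        filename = part.get_filename()
        if filename and is_double_extension(filename):
            hits.append(filename)
    return hits


def build_sample():
    """Constructed sample message: one double-extension attachment, one benign."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename="README.TXT.pif")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(flagged_attachments(build_sample()))
```
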

At number three in the chart is ElKern-C. Piggybacking on Klez-H, this worm is able to disarm anti-virus scanners. Those users protected against Klez-H have nothing to fear from this worm.

Two variants of the Magistr worm still make the chart, even though they were released as far back as May and September 2001. The continued success of Magistr lies in its ability to randomly generate a new subject line and text each time it propagates - this makes it harder to spot. Computer users who regularly update their protection should avoid infection.

Other developments in the first six months of 2002 included:

  • The FBound worm, which was the ninth most reported worm in this period, was unusual for its capability to communicate in either English or Japanese. This characteristic made it easier for the worm to cross international boundaries without arousing suspicion.
  • Virus hoaxes continued to cause panic with threats of the JDBGMGR 'virus' circulating in numerous languages. Sophos urges computer users to double-check whether a virus warning is genuine or not by visiting a recognised anti-virus website for confirmation.
  • In May, David L Smith, the author of the Melissa virus, was sentenced to 20 months in prison and a $5000 fine by the US courts.
  • Two new proof-of-concept viruses have emerged during 2002. Sharp-A, the first worm written in C#, Microsoft's newest programming language, was detected in March. Perrun-A, the first virus capable of infecting JPEG graphics files, was first seen in June. Neither Sharp-A nor Perrun-A is circulating in the wild and as such they represent no threat to computer users.
  • Britney Spears, Bill Clinton and Shakira all joined the growing list of celebrities whose names and images have been used to dupe unsuspecting users into opening up malicious code.

Graphics of the above Top Ten chart are available here.

More information about safe computing, including anti-hoax policies.