Virus writing on the increase, Bugbear-B worm is major irritant of 2003

June 30, 2003 Sophos Press Release

Sophos publishes report of virus activity for first six months of the year

A report published by Sophos, a world leader in anti-virus protection for businesses, reveals that the number of new viruses being written is increasing. In total, Sophos has detected and protected against 3,855 new viruses in the first six months of 2003, up 17.5% on the same period last year.

Since January 2003, the single most prevalent virus was the Bugbear-B worm, accounting for almost 12% of reports to Sophos. The worm tops the chart even though it was first seen just a few weeks ago, in early June. Its older sibling, Bugbear-A, generated a further 2.5% of enquiries.

For the first six months of 2003, the top ten viruses (as recorded by Sophos's technical support department) are as follows, with the most frequently occurring virus at number one:

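| Position | Malware | Percentage of reports |
|----------|---------|-----------------------|
| 1 | W32/Bugbear-B | 11.6% |
| 2 | W32/Sobig-C | 9.7% |
| 3 | W32/Klez-H | 8.4% |
| 4 | W32/Sobig-B | 5.3% |
| 5 | W32/Sobig-A | 3.3% |
| 6 | W32/Avril-B | 3.2% |
| 7 | W32/Bugbear-A | 2.5% |
| 8= | W32/Avril-A | 2.3% |
| 8= | W32/Fizzer-A | 2.3% |
| 10 | W32/Yaha-E | 1.8% |
| | Others | 49.6% |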

"Bugbear-B entered the frame late, but nevertheless it has generated more enquiries than any other virus in the last six months," said Graham Cluley, senior technology consultant, Sophos Anti-Virus. "By morphing its contents every time it forwards itself - and by spoofing the email address of the person who sent the virus - Bugbear-B has been the most prevalent and irritating virus so far this year."

Generating almost 10% of enquiries was the Sobig-C worm. This worm, which posed as a support email from Microsoft's Bill Gates, reached number two in the charts, even though it had a limited window for infection - it was programmed to fall dormant just one week after it was released. In all, five Sobig worms have been released this year, with variants A and B also appearing in the chart. Combined, the short-lived Sobig worms have had the biggest impact on business networks this year.

In contrast to these temporary threats is Klez-H. Even though this worm was first seen in March 2002, it is still the third most reported worm in 2003.

Other developments in 2003 so far include:

  • The number of new viruses was 17.5% higher than for the same period last year, suggesting that virus writers are unperturbed by January's conviction of Simon Vallor, author of three mass-mailing worms. Vallor received a two-year jail sentence from UK courts in January.
  • Eight of the viruses in the top ten are able to spread by more than one method - using a combination of email, IRC (internet relay chat), network shares and/or P2P file sharing platforms. Virus writers are no longer relying on just email to propagate their malicious code, so computer users are advised to deploy desktop anti-virus protection, which can detect malicious code regardless of its method of spreading.
  • January's Slammer worm was the biggest internet worm of the period, targeting a six-month-old vulnerability in Microsoft SQL servers in order to spread. Sections of the internet slowed substantially, and some ATM machines in the US were affected. Sophos reminds users to install patches from software vendors as soon as they are issued.
  • Avril Lavigne is virus celebrity of the year so far, with the two Avril worms accounting for 5.5% of virus reports. The Igloo worm - which claimed to carry unauthorised photos of Catherine Zeta-Jones, Shakira, Sarah Michelle Gellar and Sandra Bullock - failed to chart.
  • Some viruses used topical news stories and current events in an attempt to spread. For instance, the Coronex worm disguised itself as information about the SARS biological virus, and the Ganda worm posed as secret spy photographs of the war in Iraq. Neither of these worms caused widespread infections.
  • In May, The University of Calgary, Canada, announced that it was offering its students a course in malicious virus-writing. The anti-virus community was united in its condemnation of this course, pointing out that it is not necessary to write new viruses to understand how they work and how they can be prevented.

Hoaxes since January 2003

Virus hoaxes continued to cause confusion, particularly the JDBGMGR 'virus' which is circulating in numerous languages. Sophos urges computer users to double-check whether a virus warning is genuine or not by visiting a recognised anti-virus website for confirmation.

The top ten hoaxes reported to Sophos during this six-month period are as follows:

| Position | Hoax | Percentage of reports |
|----------|------|-----------------------|
| 1 | JDBGMGR | 16.7% |
| 2 | WTC Survivor | 14.0% |
| 3 | Meninas da Playboy | 8.2% |
| 4 | Hotmail hoax | 6.7% |
| 5 | Budweiser frogs screensaver | 5.7% |
| 6 | Bonsai kitten | 5.1% |
| 7 | A virtual card for you | 4.1% |
| 8 | Nokia giveaway | 2.6% |
| 9 | Applebees Gift Certificate | 2.5% |
| 10 | Bill Gates fortune | 2.2% |
| | Others | 32.2% |

"Hoaxes are a real nuisance, wasting time, money and bandwidth - and can help you lose face with your colleagues," said Graham Cluley, senior technology consultant for Sophos Anti-Virus. "It's disappointing to see JDBGMGR still clinging to the top of the hoax charts. It seems people are all too willing to believe anything they receive via email."

Sophos has made available a free, constantly updated information feed for intranets and websites which means users can always find out about the latest viruses and hoaxes.

Graphics of the virus top ten chart are available here.

More information about safe computing, including anti-hoax policies.