Sophos publishes report of virus activity for first six months
of the year
A report published by Sophos, a world leader in anti-virus
protection for businesses, reveals that the number of new viruses
being written is increasing. In total, Sophos has detected and
protected against 3,855 new viruses in the first six months of
2003, up 17.5% on the same period last year.
Since January 2003, the single most prevalent virus was the
Bugbear-B worm, accounting for almost 12% of reports to Sophos. The
worm tops the chart even though it was first seen just a few weeks
ago, in early June. Its older sibling, Bugbear-A, generated a
further 2.5% of enquiries.
For the first six months of 2003, the top ten viruses (as
recorded by Sophos's technical support department) are as follows,
with the most frequently occurring virus at number one:
"Bugbear-B entered the frame late, but nevertheless it has
generated more enquiries than any other virus in the last six
months," said Graham Cluley, senior technology consultant, Sophos
Anti-Virus. "By morphing its contents every time it forwards itself
- and by spoofing the email address of the person who sent the
virus - Bugbear-B has been the most prevalent and irritating virus
so far this year."
Generating almost 10% of enquiries was the Sobig-C worm. This
worm, which posed as a support email from Microsoft's Bill Gates,
reached number two in the charts, even though it had a limited
window for infection - it was programmed to fall dormant just one
week after it was released. In all, five Sobig worms have been
released this year, with variants A and B also appearing in the
chart. Combined, the short-lived Sobig worms have had the biggest
impact on business networks this year.
In contrast to these temporary threats is Klez-H. Even though
this worm was first seen in March 2002, it is still the third most
reported worm in 2003.
Other developments in 2003 so far include:
- The number of new viruses was 17.5% higher than for the same
period last year, suggesting that virus writers are unperturbed by
January's conviction of Simon Vallor, author of three mass-mailing
worms. Vallor received a two-year jail sentence from UK courts in
- Eight of the viruses in the top ten are able to spread by more
than one method - using a combination of email, IRC (internet relay
chat), network shares and/or P2P file sharing platforms. Virus
writers are no longer relying on just email to propagate their
malicious code, so computer users are advised to deploy desktop
anti-virus protection, which can detect malicious code regardless
of its method of spreading.
- January's Slammer worm was the biggest internet worm of the
period, targeting a six-month-old vulnerability in Microsoft SQL
servers in order to spread. Sections of the internet slowed
substantially, and some ATM machines in the US were affected.
Sophos reminds users to install patches from software vendors as
soon as they are issued.
- Avril Lavigne is virus celebrity of the year so far, with the
two Avril worms accounting for 5.5% of virus reports. The Igloo
worm - which claimed to carry unauthorised photos of Catherine
Zeta-Jones, Shakira, Sarah Michelle Gellar and Sandra Bullock -
failed to chart.
- Some viruses used topical news stories and current events in an
attempt to spread. For instance, the Coronex worm disguised itself
as information about the SARS biological virus, and the Ganda worm
posed as secret spy photographs of the war in Iraq. Neither of
these worms caused widespread infections.
- In May, The University of Calgary, Canada, announced that it
was offering its students a course in malicious virus-writing. The
anti-virus community was united in its condemnation of this course,
pointing out that it is not necessary to write new viruses to
understand how they work and how they can be prevented.
Hoaxes since January 2003
Virus hoaxes continued to cause confusion, particularly the
JDBGMGR 'virus' which is circulating in numerous languages. Sophos
urges computer users to double-check whether a virus warning is
genuine or not by visiting a recognised anti-virus website for
The top ten hoaxes reported to Sophos during this six-month
period are as follows: