Windows 32 viruses take clean sweep of 2002 virus chart
Sophos, a world leader in corporate anti-virus protection, has
revealed that the Klez worm has accounted for
almost a quarter of reports to Sophos's customer support department
during 2002. Klez topped Sophos's monthly chart for seven months in
succession this year - officially making it 2002's most prolific
virus. The second most common virus was the Bugbear worm, which
makes the number two slot even though it was only detected in
October 2002. In third place comes Badtrans, the password
stealing worm which was first detected in November 2001.
Nine of the viruses in the 2002 top ten are mass mailing Windows
32 viruses, the exception being the ElKern virus which is
dropped by Klez. 87% of all reports of infections during 2002
concerned Windows 32 viruses.
Sophos has detected 7,189 new viruses, worms and Trojan horses
to date this year, bringing the total protected against to more
than 78,000. On average, the Sophos virus labs produce detection
routines for more than 25 new viruses each day.
The top ten figures for the year, as recorded by Sophos's
customer support department, are as follows with the most
frequently occurring virus at number one:
"Unlike previous chart toppers like the LoveBug, which
disappeared almost as quickly as it arrived, Klez is the ultimate
in slow-burning worms. It has managed to consistently infect users
throughout the year," said Graham Cluley, senior technology
consultant at Sophos Anti-Virus. "Protection against Klez has been
available for as long as the worm has been in circulation. The only
possible explanation for its continued 'success' is that some users
are habitually neglecting to update their anti-virus software."
Other developments in 2002
Worms adopt 'sender forging' technique
High profile Windows 32 viruses such as the Klez and Yaha worms substituted the
email address of the real sender of the worm with that of an
alternative but legitimate email address. This has led to a flurry
of accusations that innocent computer users have sent the worms to
customers, suppliers and colleagues. In some cases, Mac users have
been blamed for sending the Klez worm, even though it is impossible
for their Macs to be infected. This has caused embarrassment to
some managed email security companies that have been falsely
accusing users of forwarding viral code.
The law cracks down on cybercriminals
In May, David L. Smith, author of the Melissa worm which was
the inspiration for many subsequent email-aware worms, was
sentenced in the US to a 20-month custodial sentence and fines
In the UK, the 'Surbiton
hacker' (who has yet to be named) was arrested for authoring a
Linux hacking tool following a joint investigation by Scotland Yard
and the FBI. Llandudno resident Simon Vallor was also
arrested and charged with writing and distributing three
mass-mailer worms, including the Gokar worm. He is due to
appear in court in December 2002. Finally, the US Government is
currently seeking the extradition of Gary McKinnon of London, who it
accuses of hacking into confidential Government and military
Hoaxes cause confusion
The JDBGMGR virus
hoax - an email duping users into deleting a legitimate file from
their PCs - was first spotted in April 2002 and has topped Sophos's
hoax chart every month since May. Indeed, 'JDBGMGR' was the second
most searched word on Sophos's website in 2002, beaten only by
Although not viral, Sophos warns that this and other hoaxes
waste bandwidth, clog up mail servers and confuse users, much in
the same way as bona fide viruses. Find
out how to implement an anti-hoax policy.
Virus writers still playing psychological tricks
Virus writers promised glimpses of images of Britney Spears, Shakira and Bill Clinton to entice
users into opening up their malicious code. However, none of these
worms made a significant impact, indicating that users are becoming
wise to these psychological tricks.
Linux worm highlights that vulnerabilities are not just a
worm, first detected in September, exploited a well-known
vulnerability in the Linux operating system, which enabled the
viral code to spread by network shares. The fact that this worm
successfully spread indicates that some Linux users have neglected
to patch their systems against publicised vulnerabilities.
Mobile viruses refuse to surface
Despite the hype, some of it from anti-virus vendors, no viruses
appeared in 2002 which attacked PDAs or mobile phones.
C# 'proof of concept' worm
In March, the Sharp-A worm, the first
virus to be written in Microsoft's latest programming language C#,
was sent directly to the anti-virus industry as a 'proof of
concept' that it was possible to write malware in this language.
This virus was written by the virus writer Gigabyte, who is believed to
New instant messaging worm
Although Windows 32 viruses dominated the 2002 chart, the
Coolnow worm -
which propagates via instant messaging platform - is a reminder
that not all viruses arrive via email. Users relying on just email
anti-virus scanning solutions will not be protected against all
Predictions for 2003
Sophos predicts that virus writers will persist in distributing
Windows 32 viruses as these mass-mailers have the greatest, most
widespread impact. These viruses are likely to use sender forging
techniques to increase confusion among computer users.
For more targeted attacks, Sophos also expects a rise in the
number of Backdoor Trojans, which open up holes in operating
systems enabling hackers to implant Remote Access Tools (RATs).
These RATs enable hackers to take remote control of the infected
PC. It is alleged that Gary McKinnon, the man accused of hacking
into US Government networks, implanted RATs in order to capture
passwords and confidential information.
Regarding anti-virus protection, Sophos predicts that more
businesses will implement perimeter technology that blocks certain
dangerous file types that can carry malware (for example .EXE
files) at their email gateways.
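
A minimal sketch of the gateway file-type blocking described above, added here as an example and not Sophos's code. Only .EXE comes from the text; the rest of the blocklist, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed blocklist: .exe is the page's example, the others are illustrative.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs"}


def is_blocked(filename: str) -> bool:
    """True if the attachment's final extension is on the blocklist."""
    # Win32 file APIs drop trailing dots and spaces, so "update.exe." is
    # saved as "update.exe"; normalise before reading the extension.
    cleaned = filename.rstrip(" .").lower()
    extension = "." + cleaned.rpartition(".")[2]
    return extension in BLOCKED_EXTENSIONS


def blocked_attachments(raw_message: str) -> list[str]:
    """Return the filenames in a raw MIME message that the gateway rejects."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # visits nested multipart containers too
        name = part.get_filename()
        if name and is_blocked(name):
            hits.append(name)
    return hits


def build_sample() -> str:
    """Constructed sample: one harmless and one executable attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed test message"
    msg.set_content("See attached.")
    msg.add_attachment("plain notes", filename="notes.txt")
    msg.add_attachment(b"MZ-constructed-bytes", maintype="application",
                       subtype="octet-stream", filename="setup.EXE")
    return msg.as_string()


if __name__ == "__main__":
    print(blocked_attachments(build_sample()))
```

A filter like this decides on the declared filename only, so it complements rather than replaces content scanning of the attachment itself.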