Viruses: Is the worst yet to come?

By Jeanne-Vida Douglas, ZDNet Australia
January 08, 2002
URL: http://www.zdnet.com.au/news/business/soa/Viruses-Is-the-worst-yet-to-come-/0,139023166,120262303,00.htm


Right now, someone, somewhere is writing code for a virus. Fuelled by their predecessors' creations, assisted by online "virus tool kits" and limited only by their imagination, virus writers from Ireland to Israel present an increasing menace to a world increasingly reliant on Internet-based communications.

And although the threat they pose has been a latent concern for well over a decade, experts are now warning that a massive viral outbreak has the potential to seriously compromise the very backbone of such communication.

Within five days of its first appearance on July 12 this year, the Code Red worm had infected over 359,000 servers, causing a traffic jam severe enough to register an "orange alert" at the SANS (System Administration, Networking, and Security) Institute web site, which is one step away from what the institute describes as "Internet failure".

Code Red recruited unprotected Microsoft Internet Information Servers (IIS) as unwitting "zombie" crusaders in a denial of service attack on the White House, and reached an infection rate of 2000 servers a minute.

Finding themselves inundated with malicious junk mail, systems administrators at the US President's pad were left with no alternative but to change IP addresses, essentially dumping all communications, Code Red-generated or otherwise. Across the world, hundreds of thousands of servers were rebooted in an attempt to eradicate the RAM-based bug, and by July 20 active viruses deactivated themselves via a built-in kill pill.

However, Code Red did more than overload White House communications. In a disturbing twist it also paved the way for a second round of attacks by what most anti-virus software vendors describe as this year's most prevalent virus: Nimda.

Appearing in mid September, Nimda exploited a range of invasion techniques including infecting Microsoft IIS servers weakened by the initial Code Red attack.

Spreading through more mass mailouts, where users were not even required to activate the attachment to launch the virus in order for it to take effect, it also modified files found on Web servers, resulting in an infected file called readme.eml being automatically downloaded to unsuspecting Web site visitors.

In an apparent tribute to the back door left by Code Red, Nimda goes on to open additional security holes, weakening IIS servers in the face of future bugs, signalling the weakness to would-be crackers.

Paul Duckman, head of global support for anti-virus vendor Sophos, said that while the most destructive virus of 2001 was most probably Sircam, for its tendency to find and e-mail possibly confidential information, Nimda was the most prevalent.

"One of the things Code Red did was to exploit faults in Microsoft's IIS software, and leave another back door in its wake," Duckman said. "Nimda then exploited this back door, and left behind some of its own."

As this Code Red/Nimda tag race tore through servers throughout the world, virus experts were confronted with a new level of threat in which not only were viruses more sophisticated in the way they spread, but virus writers were becoming increasingly sophisticated in the way they played off each other's technology.

"We are seeing more cocktail viruses," said Allan Bell, senior marketing manager for anti-virus software vendor NAI. "Not only do they pose a combination of threats, they also use a combination of techniques to spread."

Eternal vigilance?

As the holiday season swings into gear, industry pundits such as NAI's Allan Bell warn of an increased risk of infection.

"Not only are there more people with less experience using the Web and e-mail," Bell said. "Many system administrators are on holiday, and their replacements may not be as aware of the potential threats."

However, the increasing affordability and subsequent popularity of so-called "always on" connections have experts worried about potential infection rates.

"Suddenly the integrity of the software running a computer, and the level of security provided to a system, becomes significantly more important with things like ADSL and cable," explains Sophos' Duckman. "Unless we start to see a greater awareness of the risks associated with these types of connections, we could be waking up to a catastrophe."

Duckman believes operating system vendors and other software manufacturers will need to take more responsibility for disseminating information regarding flaws in their systems. He cites the case of January 2000's Kakworm, a VBS virus which exploited a vulnerability in Microsoft's Internet Explorer software.

"Microsoft openly published a fix for the vulnerability, but still people were being affected 12 and 13 months later," Duckman said.

Software vendors, however, cannot be held wholly responsible for virus outbreaks, he argues.

"The guys at fault at the end of the day are the virus writers, these are the ones intending to do damage," Duckman said. "Software vendors need to be aware of the risks, and do all they can to inform their customers, however they cannot be blamed for an outbreak."

Over the next 12 months, one link in the viral chain that will increasingly come to the fore in terms of virus prevention is the role played by ISPs.

Paul Henry, vice-president of US-based anti-virus software vendor Cyberguard, believes ISPs will play an increasingly important role in containing and combating virus outbreaks, although he believes litigation will provide the initial impetus for e-mail filtering and similar services.

"ISPs may well find themselves held accountable for damage caused by viruses, especially if they have been shown to be lacking in terms of their service to clients," Henry said. "They also have a key role to play in tracking down the initial outbreaks, and providing evidence to prosecute people who are contributing to the problem."

It would seem that market forces are already coming into play, as some ISPs begin to offer such services. Iain McKimm, director of operations at ISP Pacific Internet, says the company has taken steps to integrate virus protection into its service.

"Viruses could have a lot less impact if it were possible to stop them before they even infect a company's system, or home PC," McKimm said. "Having the ISP scanning for viruses and worms will ultimately lessen the impact."

However, Duckman warns of excessive reliance on ISP-based security.

"It is a bit like driving a car: you might have the best harness and the fastest air bags in the world," Duckman said. "But there is no substitute for safe driving, and the same goes for careful Internet use."

Who's to blame?

Melissa will go down in history as the virus that changed the way we look at e-mail. No longer do we trustingly double click on attachments looking for a bit of a laugh; no longer do we allow months to pass before seeking an update for our anti-virus software.

Goner, the most recent mass mailer outbreak, was proof of this.

"Goner had the potential to be as big as Melissa," said Sophos' Paul Duckman. "But it looks like all that education is finally paying off. I guess it means we have won one battle, but we certainly haven't won the war."

Interestingly, Goner will also prove to be a test of legal responses to virus writers, with four young Israelis confessing to their role in the creation and unleashing of the virus in early December. While the four high school students, aged 15 and 16, will probably escape a harsh sentence given their age, the case will nonetheless provide an interesting test bed for courts all over the world.

Globetrotting evangelist for beefed up responses to Internet security, Cyberguard's Henry, believes there are still too many countries without proper legal responses to virus writing.

"There have been significant improvements in terms of laws governing the creation and spread of such viruses," Henry said. "However, we also need to lessen the impact of these things."

Henry also pulls no punches when it comes to assigning blame for viral outbreaks, saying that there is no excuse for an organisation to allow itself to be impacted by virus outbreaks, or hack attacks.

"Eventually we will have the power to track these people down and shut them right out of the Internet. I don't care if you represent an orphanage," Henry says. "If you are spreading viruses by not properly protecting your IT infrastructure you are to blame, and eventually you will be subject to litigation and legal proceedings."

If Henry's predictions prove to be true, companies and organisations found not to have properly protected their IT infrastructure will in the short term be subject to litigation on behalf of the companies affected by the viruses.

However, in the longer term he believes harsh penalties for providing insufficient security will effectively force companies to protect themselves.

This may have repercussions in the anti-virus software industry, as Henry also predicts a weakening of the licence agreements that protect the vendors from litigation if a product fails to perform.

"We are currently facing a situation where most firewalls provide inadequate protection, yet the vendors are in no way accountable for security breaches resulting from such inadequacies," Henry said.

How sick are you? A guide to the top ten viruses of 2001

While we are all apparently getting better at responding to viral outbreaks, virus writers are getting increasingly sophisticated when it comes to creating devious ways around security systems, anti-virus software, work practices and firewalls.

Anti-virus experts are also quick to point out that there is a difference between a prevalent virus and a destructive virus, as Sophos' Paul Duckman explains.

"The extent of the damage caused by a virus really comes down to who gets it and what they use their computer for," Duckman said. "The Chernobyl virus basically totally overrode the motherboard on a system, leaving home users and small business in the dark as to what happened as their PC simply died, whereas something like Sircam wreaked havoc at the corporate level with institutions like the FBI left compromised because it managed to send out the confidential information."

Similarly NAI's Allan Bell points out that viruses which have the most impact are not necessarily the most widespread, or even widely recognised.

"Now that we are seeing viruses work in tandem we have to be even more careful of rapidly spreading viruses that apparently do not contain malicious code," Bell said. "They may be followed by more opportunistic viruses."

The following list reveals the ten viruses which provoked the most requests for help from users, according to antivirus software vendor Sophos, and also provides some indication of the cultural diversity, and odd sense of humour displayed by virus writers.

Kournikova is a case in point. This Visual Basic Script worm refers to a Russian tennis player, or an Argentine football team, and celebrates Australia's national day by sending infected users to a computer reseller in the Netherlands.

Hybris, on the other hand, tells the story of the seven dwarfs in three different languages, then marks September 24, a day culturally significant to New Zealanders, by filling the infected user's screen with a psychedelic graphic.

Then there's the deeply destructive Sircam which attributes its origins to Michoacan, a region of Mexico better known for its ice creams.

Top 10 Viruses 2001, 1-5


What follows is a listing of the ten viruses most reported to Sophos globally over the past 12 months. The more you know, the more you wonder what motivates virus writers.

W32/Nimda

Rank: 1
Discovered: Sept 18, 2001
% of reports: 27.2 percent

Infection:
Spreads through e-mail, network shares and Web sites. The virus exploits a vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express and Internet Explorer. The virus forwards itself to other e-mail addresses found on the computer.

It also targets IIS Web servers and attempts to alter the contents of pages with common filenames. It then installs malicious JavaScript aimed at infecting unwary web surfers.

Effects:
Affects Windows 95/98/Me operating systems as well as Windows NT and 2000. Copies "hidden" files into the Windows directory. Alters the System.ini file so that it executes on Windows startup. Nimda also tries to create security holes, giving admin powers to a "guest" user.

Cure*:
Conduct a full security audit, replace all modified files, seek out holes left in the server, and possible entry points caused previously by a Code Red infection.

W32/Sircam-A

Rank: 2
Discovered: 25 July 2001
% of reports: 20.3 percent

Infection:
W32/Sircam-A spreads via e-mail and open network shares. The worm arrives in an e-mail with a random subject which is identical to the attached filename.

The attachment can be identified by its double-barrelled extension (e.g. doc.com, mpg.pif). Sircam then sends e-mail messages to addresses from the Windows address book and the temporary Internet folder.

Effects:
Sircam searches through the hard drive and mails out potentially sensitive files to addresses in the Windows address book.

Causes a denial of service by spontaneously filling the hard disk with junk files or massively propagating itself through e-mail.

Infected machines may also lose data contained on the same drive as Windows on October 16.

Cure*:
Be wary of unusual attachments, maintain automatically updated anti-virus protection, and adjust the system firewall so that it filters out known malicious code, suspect subject lines and, if possible, e-mail attachments.

W32/Magistr

Rank: 3
Discovered: 3 Sept 2001
% of reports: 12.0 percent

Infection:
Spreads by infecting files and via e-mail. Magistr searches the user's address book, mailboxes and other files present on the computer for e-mail addresses.

The virus specifically targets addresses from Outlook Express, Netscape Navigator and Internet Mail and News. It then sends itself to these e-mail addresses using its own SMTP client.

Effects:
Magistr has appeared in different versions. Magistr_A includes highly destructive code which, if triggered, can delete all files from local and network drives, wipe the CMOS settings, and flash the BIOS chip of your computer.

Magistr_B, like Sircam, includes information from files contained on the infected computer in the e-mails it sends out, and also installs an INI file which runs when the computer restarts, filling the boot sector of the disk with abusive junk data.

Cure*:
Update all anti-virus software and scan the system for potentially infected files. As Magistr affects files necessary for the functioning of the system, all such files must be restored from backup copies (especially system files such as Ntldr.exe and Win.com).

W32/Hybris

Rank: 4
Discovered: 4 March 2001
% of reports: 6.2 percent

Infection:
Spreads via e-mail messages and newsgroup postings, specifically targeting Windows machines.

The Hybris worm sends out an e-mail to anyone contacted by the infected user via e-mail, thus infecting other computers.

Effects:
While the Hybris Worm does not appear to contain a destructive payload, the virus can be upgraded via the Web.

The Hybris worm may also degrade service on sites by using open mail relays to send mail to arbitrary third parties.

Cure*:
Update anti-virus software, exercise caution when opening attachments and review the mail server configuration.

W32/Apology

Rank: 5
Discovered: 8 October 2000
% of reports: 3.8 percent

Infection:
Spreads via e-mail, often with a tell-tale double-barrelled extension. The malicious attachment comes with a series of names which play on psychological needs.

W32/Apology-B also infects files and demonstrates backdoor characteristics.

Effects:
W32/Apology-B creates three hidden files in the Windows directory: IE_Pack.exe, which modifies wsoc32.dll; Win32.dll, which contains code for all components of the virus; and MTX_.exe, which contains the backdoor component.

MTX_.exe also attempts to connect to a Web site in search of further files. W32/Apology-B also blocks access to some of the most popular anti-virus software vendor Web sites.

Cure*:
If possible, boot the computer from a clean boot disk, or restart in DOS mode, and "sweep" through the system.

* For a full description of the technology behind the viruses and an explanation of how to remove contagions see the Sophos or Symantec Web sites.

Top 10 Viruses 2001, 6-10


VBS/VBSWG-X

Rank: 6
Discovered: 8 May 2001
% of reports: 3.6 percent

Infection:
Spreads via e-mail, and infects new computers by spreading itself to all the addresses in Windows Outlook.

Effects:
Apart from e-mailing itself on, the VBS/VBSWG-X worm opens up porn sites in the infected user's default browser.

It also saves itself in the temporary directory as homepage.HTML.vbs.

Cure*:
Conduct a security audit and delete all infected files. As always, exercise caution when opening attachments.

VBS/Kakworm

Rank: 7
Discovered: 22 July 2000
% of reports: 3.1 percent

Infection:
Taking advantage of a vulnerability in Outlook Express and Internet Explorer's newsgroup reader, Kakworm spreads via the "signature" of outgoing messages.

Effects:
Kakworm is particularly insidious because it creates a viral hole without being run as an attachment.

Cure*:
Microsoft provides a patch for the hole via its Web site. The patch will prevent the worm from activating automatically.

VBS/SST-A (aka Kournikova)

Rank: 8
Discovered: 11 February 2001
% of reports: 2.0 percent

Infection:
Typically taking advantage of testosterone-charged males, this Visual Basic e-mail worm also disguised itself with the pseudonym Calamar, in reference to an Argentine soccer team, or Kournikova, in reference to a Russian tennis player, thus enticing recipients to run the attachment. The worm then propagates through Microsoft's Outlook e-mail program.

Described as "highly polymorphic", the virus also changes its signature to hide itself from anti-virus software.

Effects:
Apart from copying itself to the infected user's Windows directory, and sending copies off to other users, this worm creates a registry entry called HKCU\software\OnTheFly.

As an added bonus, the worm commemorated Australia Day by sending the infected user to a computer reseller's site in the Netherlands.

Cure*:
The attachment can be spotted by its double-barrelled extension, and the virus by its subject lines, making it easy for network administrators to filter out; however, recently updated anti-virus software is the safest option.
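The attachment heuristics described for Sircam and Kournikova above (a document-looking name ending in an executable extension, and a subject line that mirrors the attachment's name) can be applied at a mail gateway. The following Python filter is an added example, not code from the article or from Sophos; the executable-extension list and the Navidad.exe entry are assumptions taken from the descriptions on this page, and the sample messages are constructed.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows runs when a user double-clicks the file. A document-like
# name in front of one of these (doc.com, mpg.pif) is the "double-barrelled"
# pattern the article attributes to Sircam, Apology and Kournikova (assumed list).
EXECUTABLE_EXTS = {"com", "pif", "exe", "scr", "bat", "vbs", "js", "lnk"}
DOUBLE_EXT_RE = re.compile(r"^(?P<stem>.+)\.(?P<inner>[a-z0-9]{2,4})\.(?P<outer>[a-z0-9]{2,4})$")

# Attachment names the article quotes verbatim (Navidad); constructed list, not a vendor feed.
KNOWN_BAD_NAMES = {"navidad.exe"}


def attachment_findings(raw: bytes) -> list[str]:
    """Return human-readable findings for one RFC 822 message (empty list = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if not name:
            continue
        lower = name.lower()
        outer = lower.rsplit(".", 1)[-1] if "." in lower else ""
        if lower in KNOWN_BAD_NAMES:
            findings.append(f"known worm attachment name: {name}")
        m = DOUBLE_EXT_RE.match(lower)
        if m and outer in EXECUTABLE_EXTS:
            findings.append(f"double-barrelled executable attachment: {name}")
            # Sircam trait from the article: the subject is the attachment's own name.
            if subject and subject == m.group("stem"):
                findings.append(f"subject mirrors attachment name: {subject!r}")
        elif outer in EXECUTABLE_EXTS:
            findings.append(f"executable attachment: {name}")
    return findings


def build_sample(subject: str, filename: str) -> bytes:
    """Construct a synthetic test message; this is not a captured worm sample."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Hi! See the attached file.")
    msg.add_attachment(b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [("Report", "Report.doc.com"), ("Meeting notes", "minutes.pdf"),
               ("Re: hello", "Navidad.exe")]
    for subj, fname in samples:
        print(f"{fname}: {attachment_findings(build_sample(subj, fname)) or 'clean'}")
```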

W32/Badtrans

Rank: 9
Discovered: 24 Nov 2001
% of reports: 1.8 percent

Infection:
Piggybacking Microsoft's MAPI (Messaging Application Program Interface), this password stealing worm spreads via e-mail with the message "take a look at this attachment".

Once installed in the infected user's Windows directory, the virus replies to all incoming e-mail with an infectious attachment.

Effects:
The message "File data corrupt probably due to bad data transmission or bad disk access" is displayed when the attachment is run, as the virus copies itself into the Windows directory and modifies win.ini so that it runs when the computer next starts up.

Multifunctional to say the least, BadTrans also leaves behind a password-stealing Trojan, which runs when the computer is next started up.

Cure*:
This worm can be removed using a tool provided by major anti-virus software vendors such as Symantec. However, the tool does not work for all versions of the virus.

W32/Navidad

Rank: 10
Discovered: 3 Nov 2000
% of reports: 1.8 percent

Infection:
Released just in time for Christmas last year, Navidad is a mass mailer which also takes advantage of Microsoft's MAPI functionality to reply to incoming e-mails, using the existing subject line and simply attaching Navidad.exe.

Effects:
Potentially highly destructive, the monolingual Navidad virus was most strongly felt in Spanish-speaking countries.

Once executed, it flashes up a button with the message "never press this button" in Spanish; once pressed, the infected user is wished a "Happy Christmas" and told "unfortunately you have fallen into temptation and lost your computer".

The worm then proceeds to copy a series of files into the Windows system folder, making the system unstable and in some cases difficult to restart.

Cure*:
Sophos has written a batch file, with which W32/Navidad and W32/Navidad-B can be removed. Infected users should run the batch file, reboot, then run it again.

* For a full description of the technology behind the viruses and an explanation of how to remove contagions see the Sophos or Symantec Web sites.
