Viruses: Is the worst yet to come?

Top 10 Viruses 2001, 1-5


What follows is a listing of the ten viruses most reported to Sophos globally over the past 12 months. The more you know, the more you wonder what motivates virus writers.

W32/Nimda

Rank: 1
Discovered: Sept 18, 2001
% of reports: 27.2 percent

Infection:
Spreads through e-mail, network shares and Web sites. The virus exploits a vulnerability in some versions of Microsoft Outlook, Outlook Express and Internet Explorer that lets the attachment run when the message is merely opened or previewed. The virus then forwards itself to other e-mail addresses found on the computer.

It also targets IIS Web servers and attempts to alter the contents of pages with common filenames, appending malicious JavaScript aimed at infecting unwary Web surfers who view them.

Effects:
Affects Windows 95/98/Me as well as Windows NT and 2000. Copies hidden files into the Windows directory and alters the System.ini file so that it executes on Windows startup. Nimda also tries to create security holes of its own, giving administrator powers to the "Guest" account.

Cure*:
Conduct a full security audit, replace all modified files, seek out holes left in the server (including the privileges granted to the Guest account) and any entry points left behind by an earlier Code Red infection.
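The two Nimda traces an IIS administrator can look for are the cmd.exe/root.exe probe requests in the Web server log (root.exe being the copy of cmd.exe that a Code Red II infection leaves behind) and the script the worm appends to Web pages. The following detection logic is an added example and is not code from the article, Sophos or Microsoft; the log lines and page content are constructed samples, and the list of traversal encodings is an assumption to be extended from your own logs.

```python
# Added example (not from the article, Sophos or Microsoft): detection logic
# for Nimda's IIS probes in a W3C extended log and for the script it appends
# to web pages. Log lines and page content below are constructed samples.
import re

# Nimda requests cmd.exe directly or via the root.exe copy Code Red II left
# behind, using several encoded "..\" traversal spellings (assumed list).
PROBE = re.compile(r"/(?:root|cmd)\.exe\b", re.IGNORECASE)
TRAVERSAL = re.compile(r"\.\.(?:/|\\|%5c|%255c|%c0%af|%c1%1c|%c1%9c)",
                       re.IGNORECASE)

# Script Nimda appends to index/default pages: it opens readme.eml, an
# e-mail file carrying the worm, in a window pushed off the visible screen.
DEFACEMENT = re.compile(
    r"<script[^>]*>\s*window\.open\(\s*['\"]readme\.eml['\"]", re.IGNORECASE)

# Constructed IIS log lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-09-18 14:02:11 192.0.2.10 GET /default.htm - 200
2001-09-18 14:02:12 192.0.2.77 GET /scripts/root.exe /c+dir 404
2001-09-18 14:02:12 192.0.2.77 GET /MSADC/root.exe /c+dir 404
2001-09-18 14:02:13 192.0.2.77 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:02:13 192.0.2.77 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 14:02:14 192.0.2.77 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 14:02:15 192.0.2.10 GET /images/logo.gif - 200
"""

# Constructed page: a normal document with the worm's launcher appended.
SAMPLE_PAGE = (
    "<html><body><h1>Welcome</h1></body></html>\n"
    '<html><script language="JavaScript">window.open("readme.eml", null, '
    '"resizable=no,top=6000,left=6000")</script></html>\n'
)


def parse_iis_line(line):
    """Split one W3C extended log line into the fields used below."""
    fields = line.split()
    if len(fields) < 7 or fields[0].startswith("#"):
        return None
    date, time, ip, method, stem, query, status = fields[:7]
    return {"when": f"{date} {time}", "ip": ip, "method": method,
            "stem": stem, "query": query,
            "status": int(status) if status.isdigit() else 0}


def classify(entry):
    """Return a finding for a Nimda-style probe, or None for normal traffic."""
    if not PROBE.search(entry["stem"]):
        return None
    return {
        "when": entry["when"],
        "ip": entry["ip"],
        "uri": entry["stem"],
        "traversal": bool(TRAVERSAL.search(entry["stem"])),
        # A 200 on cmd.exe/root.exe means the server actually ran the command.
        "succeeded": entry["status"] == 200,
    }


def scan_log(text):
    """All probe findings in a log, in order of appearance."""
    findings = []
    for line in text.splitlines():
        entry = parse_iis_line(line)
        if entry:
            finding = classify(entry)
            if finding:
                findings.append(finding)
    return findings


def probing_hosts(text):
    """Source addresses that sent at least one probe; candidates for blocking."""
    return {f["ip"] for f in scan_log(text)}


def is_defaced(html):
    """True if a page carries the readme.eml launcher Nimda appends."""
    return DEFACEMENT.search(html) is not None


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "EXECUTED" if f["succeeded"] else "blocked"
        print(f"{f['when']} {f['ip']} {flag:8} traversal={f['traversal']} {f['uri']}")
    print("hosts to block:", sorted(probing_hosts(SAMPLE_LOG)))
    print("sample page defaced:", is_defaced(SAMPLE_PAGE))
```

A 404 on these requests only shows that the host was scanned; a 200 on a cmd.exe or root.exe request means the server executed the command and should be treated as compromised and rebuilt, which is what the cure above amounts to.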

W32/Sircam-A

Rank: 2
Discovered: 25 July 2001
% of reports: 20.3 percent

Infection:
W32/Sircam-A spreads via e-mail and open network shares. The worm arrives in an e-mail with a random subject which is identical to the attached filename.

The attachment can be identified by its double-barrelled extension (e.g. .doc.com, .mpg.pif). Sircam then sends e-mail messages to addresses taken from the Windows address book and the Temporary Internet Files folder.

Effects:
Sircam searches through the hard drive and mails out potentially sensitive files to addresses in the Windows address book.

Causes a denial of service, either by filling the hard disk with junk files or by massively propagating itself through e-mail.

Infected machines may also lose data on the same drive as Windows on October 16.

Cure*:
Be wary of unusual attachments, maintain automatically updated anti-virus protection, and configure the mail gateway or firewall to filter out known malicious code, suspect subject lines and, if possible, executable e-mail attachments.

W32/Magistr

Rank: 3
Discovered: 3 Sept 2001
% of reports: 12.0 percent

Infection:
Spreads by infecting files and via e-mail. Magistr searches the user's address book, mailboxes and other files on the computer for e-mail addresses.

The virus specifically targets addresses from Outlook Express, Netscape Navigator and Internet Mail and News. It then sends itself to these e-mail addresses using its own SMTP client.

Effects:
Magistr has appeared in different versions. Magistr-A includes highly destructive code which, if triggered, can delete all files from local and network drives, wipe the CMOS settings and flash the BIOS chip of the computer.

Magistr-B, like Sircam, includes information from files on the infected computer in the e-mails it sends out. It also installs an INI file which runs when the computer restarts, filling the boot sector of the disk with abusive junk data.

Cure*:
Update all anti-virus software and scan the system for infected files. Because Magistr infects files necessary for the functioning of the system, infected files must be restored from clean backup copies (especially system files such as Ntldr and Win.com).

W32/Hybris

Rank: 4
Discovered: 4 March 2001
% of reports: 6.2 percent

Infection:
Spreads via e-mail messages and newsgroup postings, specifically targeting Windows machines.

The Hybris worm sends itself by e-mail to anyone the infected user has corresponded with, thus infecting other computers.

Effects:
While the Hybris worm does not appear to contain a destructive payload, the virus can upgrade itself with new components via the Web, so its behaviour can change after infection.

The Hybris worm may also degrade service on mail sites by using open mail relays to send mail to arbitrary third parties.

Cure*:
Update anti-virus software, exercise caution when opening attachments and review the mail server configuration, in particular so that it does not act as an open relay.

W32/Apology

Rank: 5
Discovered: 8 October 2000
% of reports: 3.8 percent

Infection:
Spread via e-mail, often with a tell-tale double-barrelled extension. The malicious attachment arrives under a series of names chosen to play on the recipient's curiosity and desires.

W32/Apology-B also infects files and has backdoor characteristics.
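Sircam (above) and Apology share the same attachment pattern: a double-barrelled filename whose last extension is executable, and in Sircam's case a Subject line equal to the attachment's base name. The following mail-gateway style check is an added example and is not code from the article or any vendor product; the messages are constructed samples with invented filenames, and the extension lists are assumptions to be extended for your own environment.

```python
# Added example (not from the article or any vendor product): a mail-gateway
# style check for the attachment pattern Sircam and Apology/MTX share, a
# double-barrelled filename ending in an executable extension, plus the
# Sircam tell-tale that the Subject equals the attachment's base name.
# The messages below are constructed samples; the filenames are invented.
import email
import os
from email import policy
from email.message import EmailMessage

# Final extensions Windows runs on double-click (assumed list; extend as needed).
EXECUTABLE_EXT = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".lnk", ".vbs", ".js"}
# Harmless-looking first barrels the worms use as decoys (assumed list).
DECOY_EXT = {".doc", ".xls", ".zip", ".jpg", ".gif", ".mpg", ".mp3", ".txt", ".avi", ".pdf"}


def split_double_extension(filename):
    """'report.doc.pif' -> ('report', '.doc', '.pif'); None if not double-barrelled."""
    base, last = os.path.splitext(filename)
    stem, decoy = os.path.splitext(base)
    if last.lower() in EXECUTABLE_EXT and decoy.lower() in DECOY_EXT:
        return stem, decoy, last
    return None


def inspect_message(raw):
    """Return one finding per suspicious attachment in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip()
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = []
        dbl = split_double_extension(name)
        if dbl:
            stem, decoy, last = dbl
            reasons.append(f"double extension {decoy}{last}")
            # Sircam builds the Subject from the stolen file's base name.
            if subject.lower() == stem.lower():
                reasons.append("subject equals attachment name")
        elif os.path.splitext(name)[1].lower() in EXECUTABLE_EXT:
            reasons.append("executable attachment")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def build_message(subject, body, filename, payload=b"MZ\x90\x00"):
    """Constructed sample message with one attachment (the payload is a stub)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Sircam-like: subject equals the attachment's base name, body mirrors the
# English text Sircam used. Apology-like: double extension, unrelated subject.
SIRCAM_LIKE = build_message(
    "Quarterly figures",
    "Hi! How are you?\n\nI send you this file in order to have your advice\n\n"
    "See you later. Thanks\n",
    "Quarterly figures.doc.pif")
APOLOGY_LIKE = build_message("hi", "see attached\n", "photo.jpg.pif")
CLEAN = build_message("Quarterly figures", "figures attached\n",
                      "Quarterly figures.pdf")

if __name__ == "__main__":
    for label, raw in (("sircam-like", SIRCAM_LIKE),
                       ("apology-like", APOLOGY_LIKE), ("clean", CLEAN)):
        print(label, inspect_message(raw))
```

The double-extension rule is the one that generalises: Windows hides known extensions by default, so a recipient sees "photo.jpg" and runs a .pif. Quarantining any attachment whose final extension is executable is the stricter policy the Sircam cure above recommends where it is possible.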

Effects:
W32/Apology-B creates three hidden files in the Windows directory: IE_Pack.exe, which modifies Wsock32.dll; Win32.dll, which contains code for all components of the virus; and MTX_.exe, which contains the backdoor component.

MTX_.exe also attempts to connect to a Web site in search of further files. W32/Apology-B also blocks access to some of the most popular anti-virus software vendor Web sites.

Cure*:
If possible, boot the computer from a clean boot disk, or restart in DOS mode, and run an on-demand scan ("sweep") of the whole system.

* For a full description of the technology behind the viruses and an explanation of how to remove contagions see the Sophos or Symantec Web sites.


Talkback 4 comments

    It's sad that people focus the ...Jeremy E Cath -- 22/12/01

    It's sad that people focus their efforts on producing code that damages rather than actually putting their skill to work in a constructive manner. Does writing a virus that destroys a stranger's work or crashes an IRC server really prove talent, ability or maturity... or is it the technological equivalent of scrawling your name on the side of a train?
    It's putting the onus on to users to spend time and money on antivirus tools, and rely on the antivirus vendors to keep one step ahead (one of the better products at that from www.nod32.com.au) and implement firewalls (such as from www.tinysoftware.com) and other security / anti-intrusion mechanisms.
    Outlook and IIS often have the finger pointed at them as exacerbating the problems, but Linux servers are just as vulnerable. The press 'slamming' of MS is often seen as legitimising the anti-social activities targeting the Win32 platforms.
    The problem is, as the counter-measures get better the virus code will have to become more efficient, effective and stealthy... and to get the attention the juvenile writers desire the results of a successful infection will have to be 'bigger and better'
    The worst may well be yet to come, but there's a lot of things that responsible sysadmins, ISPs, AntiVirus vendors, and the press can do to reduce the hysteria spinning, ego-pandering attention that is generated with each new virus

    Virus writers are terrorists? ...Anonymous -- 22/12/01

    Virus writers are terrorists?

    Perhaps virus writers should be included under the legal description of 'terrorist' as defined in the modern context and therefore treated as such. And age should make no difference - a 14 year old middle eastern person with a couple of kilos of explosive strapped to him can still kill a lot of people.

    If you would be able to write ...VG -- 25/12/01

    If you were able to write a virus, for whom would you write it: for someone you hate or for someone you don't care about? Please, tell yourself honestly: would you write a virus without emotional reasons? I think you wouldn't. MS is holding all of us in constant stress (everyone, no matter whether they like, hate, are tired of or don't care about MS). But any long-lasting stress causes the appearance of aggression against the man who is causing this stress. Of course, they are fighting against the stress-maker as much as they can. I agree that writing viruses is not the best solution, but they do not know a better one. Therefore, as long as the source of stress exists, we will see an increasing number of viruses, worms etc.

    Conficker Anonymous -- 28/03/09

    I also wrote an article about this bad worm. You can read it here:
    http://www.webupon.com/Security/April-Fools-Day-Worm.617545
    I guess we will all have to wait and see what happens next week.
