Viruses: Is the worst yet to come?

Top 10 Viruses 2001, 6-10


VBS/VBSWG-X

Rank: 6
Discovered: 8 May 2001
% of reports: 3.6 percent

Infection:
Spreads via e-mail, and infects new computers by spreading itself to all the addresses in Windows Outlook.

Effects:
Apart from e-mailing itself on, the VBS/VBSWG-X worm opens up porn sites in the infected user's default browser.

It also saves itself in the temporary directory as homepage.HTML.vbs.

Cure*:
Conduct a security audit and delete all infected files. As always, exercise caution when opening attachments.

VBS/Kakworm

Rank: 7
Discovered: 22 July 2000
% of reports: 3.1 percent

Infection:
Taking advantage of a vulnerability in Outlook Express and Internet Explorer newsgroup reader, Kakworm spreads via the "signature" of outgoing messages.

Effects:
Kakworm is particularly insidious because it creates a viral hole without being run as an attachment.

Cure*:
Microsoft provides a patch for the hole via its Web site. The patch will prevent the worm from activating automatically.

VBS/SST-A (aka Kournikova)

Rank: 8
Discovered: 11 February 2001
% of reports: 2.0 percent

Infection:
Typically taking advantage of testosterone-charged males, this Visual Basic e-mail worm also disguised itself with the pseudonym Calamar, in reference to an Argentine soccer team, or Kournikova, in reference to a Russian tennis player, thus enticing recipients to run the attachment. The worm then propagates through Microsoft's Outlook e-mail program.

Described as "highly polymorphic", the virus also changes its signature to hide itself from antivirus software.

Effects:
Apart from copying itself to the infected user's Windows directory and sending copies off to other users, this worm creates a registry entry called HKCU\software\OnTheFly.

As an added bonus, the worm commemorated Australia Day by sending the infected user to a computer reseller site in the Netherlands.

Cure*:
The attachment can be spotted via a double-barrelled code. The virus can be spotted via its subject lines, making it easy for network administrators to filter out; however, recently updated anti-virus software is the safest option.

W32/Badtrans

Rank: 9
Discovered: 24 Nov 2001
% of reports: 1.8 percent

Infection:
Piggybacking on Microsoft's MAPI (Messaging Application Program Interface), this password-stealing worm spreads via e-mail with the message "take a look at this attachment".

Once installed in the infected user's Windows directory, the virus replies to all incoming e-mail with an infectious attachment.

Effects:
The message "File data corrupt probably due to bad data transmission or bad disk access" displays when the attachment is run, as the virus copies itself into the Windows directory and modifies win.ini so that it runs when the computer next starts up.

Multifunctional to say the least, BadTrans also leaves behind a password-stealing Trojan, which runs when the computer is next started up.

Cure*:
This worm can be removed using a tool provided by major anti-virus software vendors such as Symantec. However, the tool does not work for all versions of the virus.

W32/Navidad

Rank: 10
Discovered: 3 Nov 2000
% of reports: 1.8 percent

Infection:
Released just in time for Christmas last year, Navidad is a mass mailer which also takes advantage of Microsoft's MAPI functionality to reply to incoming e-mails, using the existing subject line and simply attaching Navidad.exe.

Effects:
Potentially highly destructive, the monolingual Navidad virus was most strongly felt in Spanish-speaking countries.

Once executed, it flashes up a button with the message "never press this button" in Spanish. Once it is pressed, the infected user is wished a "Happy Christmas" and told "unfortunately you have fallen into temptation and lost your computer".

The worm then proceeds to copy a series of files into the Windows system folder, making the system unstable and in some cases difficult to restart.

Cure*:
Sophos has written a batch file, with which W32/Navidad and W32/Navidad-B can be removed. Infected users should run the batch file, reboot, then run it again.

* For a full description of the technology behind the viruses and an explanation of how to remove contagions see the Sophos or Symantec Web sites.

Talkback 4 comments

    It's sad that people focus the ...Jeremy E Cath -- 22/12/01

    It's sad that people focus their efforts on producing code that damages rather than actually putting their skill to work in a constructive manner. Does writing a virus that destroys a stranger's work or crashes an IRC server really prove talent, ability or maturity.... or is it the technological equivalent of scrawling your name on the side of a train.
    It's putting the onus on to users to spend time and money on antivirus tools, and rely on the antivirus vendors to keep one step ahead (one of the better products at that from www.nod32.com.au) and implement firewalls (such as from www.tinysoftware.com) and other security / anti-intrusion mechanisms.
    Outlook and IIS often have the finger pointed at them as exasperating the problems, but Linux servers are just as vulnerable. The press 'slamming' of MS is often seen as legitimising the anti-social activities targeting the Win32 platforms.
    The problem is, as the counter-measures get better the virus code will have to become more efficient, effective and stealthy... and to get the attention the juvenile writers desire the results of a successful infection will have to be 'bigger and better'
    The worst may well be yet to come, but there's a lot of things that responsible sysadmins, ISPs, AntiVirus vendors, and the press can do to reduce the hysteria spinning, ego-pandering attention that is generated with each new virus

    Virus writers are terrorists? ...Anonymous -- 22/12/01

    Virus writers are terrorists?

    Perhaps virus writers should be included under the legal description of 'terrorist' as defined in the modern context and therefore treated as such. And age should make no difference - a 14 year old middle eastern person with a couple of kilos of explosive strapped to him can still kill a lot of people.

    If you would be able to write ...VG -- 25/12/01

    If you would be able to write a virus - whom you will write it: to whom you hate or to whom you don't care about. Please, tell yourself honestly: will you write a virus without emotional reasons? I think you won't. MS is holding all of us in constant stress (of everyone, no matter they like, hate, tired or don't care about MS). But any long lasting stress causes the appearance of aggression against the man who is making this stress. Of, course, they are fighting against the stress-maker as much as they can. I agree, that writing of viruses is not the best solution but they do not know a better one. Therefore, until the source of stress will exist - we will see increasing of amount of viruses, worms etc.

    Conficker Anonymous -- 28/03/09

    I also wrote an article about this bad worm. You can read it here:
    http://www.webupon.com/Security/April-Fools-Day-Worm.617545
    I guess we will all have to wait and see what happens next week.
