Klez was still the most active malicious code in August, but its reign seems to be slowing as it's not racking...
up the numbers it did earlier in the year.
For example, U.K.-based antivirus vendor Sophos estimated Klez (G and H variants) accounted for 77.8% of support calls in April. In August, Klez only accounted for 17% but that was enough to take the top spot for the month.
Discovered early this year, variants of Klez have dominated the virus landscape ever since. The worm contains several features that make it difficult to detect, like using dozens of subject lines. It also "spoofs" e-mail addresses so it appears an infected e-mail message is coming from one person when in fact it's coming from a different system.
Klez also searches infected machines for e-mail addresses in everything from documents to cached Web pages. It then mails copies of itself out to the various addresses using its own SMTP engine.
Additionally, some variants of Klez dropped the Elkern virus, which targets executables, into systems while spreading.
"Klez-H and its nasty bedfellow ElKern-C, have accounted for almost a quarter of enquiries to Sophos' support center this month, even though protection has been available since February," said Sophos in a release. "Users getting caught out by them appear not to have updated their anti-virus software in six months."
Likewise, Command Central saw Klez accounting for 79.2% of virus activity in April but by its calculations W32/Yaha.E surpassed Klez in August. "After five months, we have finally seen a switch at the top as W32/Yaha.E surpasses Klez securing the pole position," said Steven Sundermeier product manager at Central Command, Inc.
W32/Yaha.E travels in e-mail messages with a love- or friendship-themed subject line. It can also exploit security holes in MSN Messenger and ICQ instant messaging. "Peer-2-Peer networks like ICQ and MSN Messenger in conjunction with file sharing networks like Napster and Kazaa are beginning to play a pivotal role in the distribution of this latest breed of viruses in 2002," Sundermeier said.
Below are the monthly virus numbers from different antivirus vendors (including Sophos and Command Central):
Sophos' top list of viruses for August:
1. W32/Klez-H (Klez variant) 17.0%
2. W32/Yaha-E (Yaha variant) 6.4%
2. JS/NoClose 6.4%
4. W32/Badtrans-B (Badtrans variant) 5.3%
5. W32/ElKern-C (ElKern variant) 5.1%
6. W32/Higuy-A 2.7%
7. W32/Datom-A 2.4%
8. W32/Magistr-B (Magistr variant) 2.1%
9. W32/Sircam-A 1.9%
10. W32/Nimda-D 1.6%
MessageLabs top ten malicious code for the last four weeks (through Sept. 2):
Command Central's most prevalent viruses list:
1. W32/Yaha.E 33.8%
2. Worm/Klez.E (includes G variant) 31.0%
3. Worm/W32.Sircam 8.9%
4. W32/Elkern.C 8.8%
5. W32/Magistr.B 3.1%
6. W32/Nimda 1.9%
7. W95/Hybris 1.7%
8. W32/Magistr.A 1.4%
9. W32/Funlove 1.1%
10. Worm/Badtrans.B 0.8%
11. W95/CIH 0.8%
12. W95/Spaces 0.7%
Trend Micro's top list of viruses for the last 30 days (through Sept. 2):
1. Worm Klez.H
2. PE Funlove.4099
3. PE Nimda.E
4. PE Elkern.D
5. Worm Sircam.A
6. Worm Yaha.E
7. HTML Ifrmexp.Gen
10. JS NoClose.E
Kaspersky Labs 's top 20 list of viruses and worms for August by occurrence:
1. I-Worm.Klez 76.45%
2. I-Worm.Lentin 21.66%
3. Win95.CIH 0.45%
4. Abba 0.24%
5. I-Worm.Hybris 0.10%
6. Win32.FunLove 0.07%
7. I-Worm.Sircam 0.03%
8. I-Worm.Magistr 0.01%
9. Win95.Tecata 0.01%
10. Backdoor.Antilam 0.01%
11. I-Worm.HappyTime 0.01%
12. Trojan.Win32.Filecoder 0.01%
13. Armageddon 0.01%
14. Backdoor.Arcanum 0.01%
15. Attention 0.01%
16. I-Worm.BadtransII 0.01%
17. Backdoor.Cabrotor 0.01%
18. Trojan.PSW.Stealth 0.01%
19. Backdoor.Death 0.01%
20. Trojan.JS.Seeker 0.01%
Dig Deeper on Windows Security: Alerts, Updates and Best Practices