The Bugbear and Klez worms continued to spread via the Internet and network shares in November, fending off the newcomer Braid worm to remain the top threats of the month, according to several antivirus software vendors.
Bugbear burst on the virus scene in October to become the biggest viral threat of the second half of the year. The worm opens a backdoor in infected systems and installs a keystroke-logging program, which can be used to harvest passwords and other sensitive information. Bugbear also attacks antivirus and firewall software.
The Braid (or Bride) worm surfaced in November. The worm is a mass-mailer that injects the FunLove virus when infecting a system. FunLove, however, hampered Braid's progress because the presence of FunLove alerts antivirus software. Braid exploits the same MIME header vulnerability as Klez and Bugbear, which allows it to execute without recipients needing to double-click the attachment.
Klez is still king for the year. Variants of the worm have been spreading since April. It has succeeded for a number of reasons. It generates random subject lines and file names, keeping users from looking for a particular subject line. The worm also searches infected machines for e-mail addresses in everything from documents to cached Web pages. It then sends out copies of itself using its own SMTP engine. One infected machine can literally pump out hundreds of infected messages.
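Because these worms randomize subject lines and file names, a mail filter has to key on message structure instead. The sketch below is an added example, not code from any vendor named here; it assumes the malformed-header pattern is an auto-rendered media Content-Type paired with an executable file name (the article does not detail the flaw), and the extension and type lists are illustrative assumptions.

```python
import email
import os
from email import policy

# Assumption: extensions Windows runs directly.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".bat", ".com"}
# Assumption: top-level media types a mail client may open automatically.
AUTO_RENDERED_MAINTYPES = {"audio", "image", "video"}


def suspicious_parts(raw_message: bytes):
    """Return (declared_type, filename) for each part whose declared
    media type does not match its executable file name."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()  # Content-Disposition, then name=
        if not filename:
            continue
        ext = os.path.splitext(filename)[1].lower()
        if (part.get_content_maintype() in AUTO_RENDERED_MAINTYPES
                and ext in EXECUTABLE_EXTS):
            hits.append((part.get_content_type(), filename))
    return hits


def build_sample(ctype: str, filename: str) -> bytes:
    """Constructed test message with one harmless attachment."""
    lines = [
        "From: sender@example.com",
        "To: rcpt@example.com",
        "Subject: xqzt report",  # random-looking subject, as Klez uses
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="b1"',
        "",
        "--b1",
        "Content-Type: text/plain",
        "",
        "hello",
        "--b1",
        f'Content-Type: {ctype}; name="{filename}"',
        "Content-Transfer-Encoding: base64",
        f'Content-Disposition: attachment; filename="{filename}"',
        "",
        "AAAA",
        "--b1--",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")
```

An honestly labelled executable (for example `application/octet-stream`) is deliberately not flagged here; blocking executables outright is a separate policy decision.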
Here are the top threats as reported by antivirus vendors:
Sophos' top 10 list of viruses and worms.
1. W32/Bugbear-A 29.4%
2. W32/Braid-A 8.5%
3. W32/Klez-H 7.7%
4. W32/Opaserv-A 5.4%
5. W32/Opaserv-C 5.1%
6. W32/Flcss 4.6%
7. W95/Spaces 3.3%
8. W32/Opaserv-F 2.5%
9. W32/Opaserv-B 2.1%
10. W32/Opaserv-D 2.0%
Panda Software's top 10 list for November.
6. W32/Elkern.C 5.62%
MessageLabs' list of intercepted viruses and worms for the month.
W32/BugBear-mm 80593 [Also known as BugBear]
EML/Greeting-Card.E 45182 [www.friend-greeting.com]
W32/Braid.A-mm 19584 [README.EXE]
EML/Greeting-Card.J 7911 [Uses IP address instead of domain name]
W32/Klez.E-mm 4511 [PIF sending version]