
Klez dominates slow year for malicious code

Edward Hurley, News Writer

One word can sum up the virus landscape for 2002: Klez.

Variants of the pesky worm spread continuously from April through the end of the year. Antivirus vendor Sophos said Klez was the top virus for the year and accounted for 24% of all viruses reported to the firm. Antivirus software vendor Trend Micro said 6,233,714 computers have been infected with Klez since April 17. Klez is also the most active worm ever, according to e-mail security outsourcer MessageLabs.


Klez was successful for a variety of reasons, experts said. First, it exploited a MIME and an IFRAME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express and Internet Explorer that allowed the worm to execute without the infected attachment being opened.

Klez also spoofed e-mail addresses in an attempt to trick users into opening the worm, thinking it came from a known party. Klez was particularly good at harvesting e-mail addresses from a host of files on infected systems. It could pluck addresses from everything from Excel documents to cached Web pages. Using its own SMTP engine, it could shoot out thousands of infected e-mails.

The second major virus of the year arrived a little later. Bugbear surfaced in October as an attachment to a message featuring a host of subject lines and message bodies. It had many of the features of Klez with one twist. It installed a key-logging program that could harvest passwords, usernames, credit card numbers and other sensitive information. The worm also opened a back door on port 36794, which allowed the worm's writer to steal that information.

While Klez and Bugbear were the dominant malicious code for the year, there were other, more minor infections. One of the first viruses of 2002 was Gigger. It arrived as an e-mail message with a subject line reading "Outlook Express Update" and an attachment. When executed, Gigger set the Autoexec.bat file to reformat the hard drive when the computer was restarted.

A few weeks later, MyParty arrived in an e-mail with the subject line "new photos from my party!" The message appeared to have a link to "www.myparty.yahoo.com," but clicking on it executed the virus.

In March, the Caric-A worm appeared disguised as a screensaver featuring former U.S. President Bill Clinton. When executed, it displayed a picture of the former president playing his trademark saxophone, but it also made some potentially devastating changes to a user's hard drive.

Bill Clinton wasn't the only celebrity whose name viruses used in 2002. Pop stars Britney Spears and Shakira both had malicious code referencing them. VBS/Chick-C was a Visual Basic Script worm that arrived as an e-mail attachment purporting to be a new video from Colombian songstress Shakira. The worm was similar to VBS/Britney-A, a worm that surfaced in March. That worm masqueraded as a picture of Spears.

Beyond interest in celebrities, other viruses played off users' greed. In July, Surnova-B floated around the Kazaa network and disguised itself as enticing applications such as a Windows XP key generator. When a Kazaa user downloaded and executed the file, the worm tried to spread itself using MSN Messenger and through Kazaa.

The end of the year was pretty slow for new viruses, with the exception of Bugbear and, in November, the Braid worm. The worm signed its own death warrant by including a copy of a known virus in it. It dropped a copy of the FunLove virus when infecting a system.

