Perennial pest Klez has been knocked off the perch it has held for the last year and a half. Two new worms, Palyh and Fizzer, had a strong showing and made antivirus vendors' lists of the most prevalent malicious code for the month of May.
Neither Palyh nor Fizzer was technically advanced, but both managed to make some inroads, even if for just a couple of days.
Fizzer was quite paradoxical; it was both pretty complex and quite simple. The worm could spread via network file shares and by mailing itself out using its own SMTP engine. It also dropped a copy of itself into Kazaa shared folders when infecting systems. Fizzer was also trilingual, using random subject lines and message bodies written in Dutch, German and English. Fizzer also randomly generated e-mail addresses, a trick probably borrowed from spammer technology.
Palyh used a neat social engineering trick to entice users to open its infected attachment. It spoofed the e-mail address firstname.lastname@example.org, so the message appeared to come from support services at Microsoft Corp. In addition to the bogus return address, the worm used various official-sounding subject lines, such as "Your password" and "Re: My details," as well as "Approved (Ref:38446-263)." The body text of the message says, "All information is in the attached file."
Palyh also harvested e-mail addresses from infected systems by searching various common files, such as text and Web pages. In theory, one infected system could fire out thousands of messages containing the worm.
June started with a bang on the virus front. Sobig-C managed to spread rapidly on Sunday but seemed to peter out early in the week. Like Palyh, that worm searched local files for e-mail addresses and then sent many copies of itself.
Here are the lists of top viruses and worms from various antivirus software vendors.
Central Command's top 12 viruses and worms for May:
1. Worm/Palyh (Sobig.B) 22.4%
2. Worm/Klez.E (including G) 19.7%
3. Worm/Sobig.A 8.3%
4. Worm/Fizzu.A 6.0%
5. Worm/Yaha.E 3.6%
6. W32/Funlove.4099 3.1%
7. Worm/W32.Sircam 2.5%
8. Worm/Bride.A 2.2%
9. Worm/Lovegate.F 1.5%
10. Worm/Yaha.M 1.1%
11. W32/Nimda 1.1%
12. Worm/BugBear 0.9%
Sophos Inc.'s top 10 list for the month:
1. W32/Palyh-A (Palyh) 19.9%
2. W32/Fizzer-A (Fizzer) 9.8%
3. W32/Klez-H (Klez) 7.1%
4. W32/Lovgate-E (Lovgate) 4.2%
5. W32/Sobig-A (Sobig) 3.1%
6. W32/ElKern-C (ElKern) 2.4%
7. W32/Bugbear-A (Bugbear) 1.9%
8. W32/Yaha-P (Yaha) 1.6%
9. W32/Nimda-D (Nimda) 1.4%
10. W32/Opaserv-G (Opaserv) 1.1%
Kaspersky Labs' top 20 list of malicious code for May:
1. I-Worm.Sobig 21.87%
2. I-Worm.Lentin 15.95%
3. I-Worm.Klez 15.39%
4. I-Worm.Fizzer 0.67%
5. I-Worm.Roron 0.51%
6. Worm.Win32.Randon 0.38%
7. I-Worm.Ganda 0.28%
8. Macro.Word97.Thus 0.28%
9. Backdoor.Assasin 0.24%
10. I-Worm.Tanatos 0.21%
11. Backdoor.Optix 0.20%
12. Backdoor.IRC.Zcrew 0.19%
13. Win32.Parite 0.17%
14. Win32.FunLove 0.17%
15. Backdoor.IRC.Flood 0.16%
16. TrojanDropper.JS.Mimail 0.16%
17. VBS.Redlof 0.15%
18. Backdoor.IRC.mIRC-based 0.14%
19. Backdoor.SdBot.gen 0.12%
20. TrojanDownloader.Win32.Swizzor 0.12%
Other malicious programs 42.66%