Palyh, Fizzer remove Klez from its perch

May was the crowning moment for the Palyh and Fizzer worms, both of which took over the top spots on the lists of prevalent malicious code released by the antivirus vendors.

Perennial pest Klez has been knocked off the perch it has held for the last year and a half. Two new worms, Palyh and Fizzer, had a strong showing and made antivirus vendors' lists of the most prevalent malicious code for the month of May.

Neither Palyh nor Fizzer was technically advanced, but both managed to make some inroads, even if only for a couple of days.

Fizzer was quite paradoxical; it was both pretty complex and quite simple. The worm could spread via network file shares and by mailing itself out using its own SMTP engine. It also dropped a copy of itself into Kazaa shared folders when infecting systems. Fizzer was trilingual, using random subject lines and message bodies written in Dutch, German and English, and it randomly generated e-mail addresses, a trick probably borrowed from spammer technology.

Palyh used a neat social engineering trick to entice users to open its infected attachment. It spoofed the e-mail address support@microsoft.com, so the message appeared to come from support services at Microsoft Corp. In addition to the bogus return address, the worm used various official-sounding subject lines, such as "Your password" and "Re: My details," as well as "Approved (Ref:38446-263)." The body text of the message says, "All information is in the attached file."

Palyh also harvested e-mail addresses from infected systems by searching various common files, such as text and Web pages. In theory, one infected system could fire out thousands of messages containing the worm.
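One way a mail gateway could flag the Palyh lure described above, as an added example not drawn from the article: it combines the spoofed support@microsoft.com sender, the known subject lines and an executable attachment. The attachment extension list and the two sample messages are constructed assumptions, not samples from the worm.

```python
from email import message_from_string
from email.message import Message

# Subject lines the article attributes to Palyh, lower-cased for matching.
PALYH_SUBJECTS = {"your password", "re: my details", "approved (ref:38446-263)"}
SPOOFED_SENDER = "support@microsoft.com"
# Assumed set of executable extensions worth flagging (constructed, not from the article).
EXECUTABLE_EXTS = (".pif", ".scr", ".exe", ".bat", ".com")

def attachment_names(msg: Message) -> list[str]:
    """Return lower-cased filenames of every attachment part in a parsed message."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and part.get_content_disposition() == "attachment":
            names.append(name.lower())
    return names

def looks_like_palyh_lure(raw: str) -> bool:
    """True when all three lure traits coincide: From claims support@microsoft.com,
    the subject is one of Palyh's known lines, and an executable is attached.
    Any single trait alone is not enough, which keeps false positives down."""
    msg = message_from_string(raw)
    sender = (msg.get("From") or "").lower()
    subject = (msg.get("Subject") or "").strip().lower()
    if SPOOFED_SENDER not in sender or subject not in PALYH_SUBJECTS:
        return False
    return any(n.endswith(EXECUTABLE_EXTS) for n in attachment_names(msg))

# Constructed sample: a Palyh-style lure with a placeholder attachment body.
LURE = """From: support@microsoft.com
To: user@example.org
Subject: Your password
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

All information is in the attached file.
--b1
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"

PLACEHOLDER-BYTES
--b1--
"""

# Constructed sample: same subject from a coworker, no attachment, so not flagged.
BENIGN = """From: colleague@example.org
To: user@example.org
Subject: Your password

The reset link is on the intranet page.
"""
```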

June started with a bang on the virus front. Sobig-C managed to spread rapidly on Sunday but seemed to peter out early in the week. Like Palyh, that worm searched local files for e-mail addresses and then sent many copies of itself.

Here are the lists of top viruses and worms from various antivirus software vendors.

Central Command's top 12 virus and worms for May:
1. Worm/Palyh (Sobig.B) 22.4%
2. Worm/Klez.E (including G) 19.7%
3. Worm/Sobig.A 8.3%
4. Worm/Fizzu.A 6.0%
5. Worm/Yaha.E 3.6%
6. W32/Funlove.4099 3.1%
7. Worm/W32.Sircam 2.5%
8. Worm/Bride.A 2.2%
9. Worm/Lovegate.F 1.5%
10. Worm/Yaha.M 1.1%
11. W32/Nimda 1.1%
12. Worm/BugBear 0.9%
Others 27.6%

Sophos Inc.'s top 10 list for the month:
1. W32/Palyh-A (Palyh) 19.9%
2. W32/Fizzer-A (Fizzer) 9.8%
3. W32/Klez-H (Klez) 7.1%
4. W32/Lovgate-E (Lovgate) 4.2%
5. W32/Sobig-A (Sobig) 3.1%
6. W32/ElKern-C (ElKern) 2.4%
7. W32/Bugbear-A (Bugbear) 1.9%
8. W32/Yaha-P (Yaha) 1.6%
9. W32/Nimda-D (Nimda) 1.4%
10. W32/Opaserv-G (Opaserv) 1.1%
Others 47.5%

Kaspersky Labs' top 20 list of malicious code for May:
1. I-Worm.Sobig 21.87%
2. I-Worm.Lentin 15.95%
3. I-Worm.Klez 15.39%
4. I-Worm.Fizzer 0.67%
5. I-Worm.Roron 0.51%
6. Worm.Win32.Randon 0.38%
7. I-Worm.Ganda 0.28%
8. Macro.Word97.Thus 0.28%
9. Backdoor.Assasin 0.24%
10. I-Worm.Tanatos 0.21%
11. Backdoor.Optix 0.20%
12. Backdoor.IRC.Zcrew 0.19%
13. Win32.Parite 0.17%
14. Win32.FunLove 0.17%
15. Backdoor.IRC.Flood 0.16%
16. TrojanDropper.JS.Mimail 0.16%
17. VBS.Redlof 0.15%
18. Backdoor.IRC.mIRC-based 0.14%
19. Backdoor.SdBot.gen 0.12%
20. TrojanDownloader.Win32.Swizzor 0.12%
Other malicious programs 42.66%

FOR MORE INFORMATION:

SearchSecurity.com news exclusive: "Spoofing ability gives Palyh worm some legs"

SearchSecurity.com news exclusive: "Fizzer worm drops Trojan, keystroke logger"

SearchSecurity.com news exclusive: "Fizzer threat level rises"

FEEDBACK: Why has Sobig.C enjoyed so much success if enterprises have seen two previous variants?
Send your feedback to the SearchSecurity.com news team.
