
Palyh, Fizzer remove Klez from its perch

Edward Hurley, SearchSecurity.com News Writer

Perennial pest Klez has been knocked off the perch it has held for the last year and a half. Two new worms, Palyh and Fizzer, had a strong showing and made antivirus vendors' lists of the most prevalent malicious code for the month of May.

Neither Palyh nor Fizzer was technically advanced, but both managed to make some inroads, even if only for a couple of days.

Fizzer was quite paradoxical; it was at once fairly complex and quite simple. The worm could spread via network file shares and by mailing itself out using its own SMTP engine. It also dropped a copy of itself into Kazaa shared folders when infecting systems. Fizzer was also trilingual, using random subject lines and message bodies written in Dutch, German and English. Fizzer also randomly generated e-mail addresses, a trick probably borrowed from spammer technology.

Palyh used a neat social engineering trick to entice users to open its infected attachment. It spoofed the e-mail address support@microsoft.com, so the message appeared to come from support services at Microsoft Corp. In addition to the bogus return address, the worm used various official-sounding subject lines, such as "Your password" and "Re: My details," as well as "Approved (Ref:38446-263)." The body text of the message says, "All information is in the attached file."

Palyh also harvested e-mail addresses from infected systems by searching various common files, such as text and Web pages. In theory, one infected system could fire out thousands of messages containing the worm.
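As an added illustration (not code from the article or from any antivirus vendor), here is a small Python filter that scores incoming mail against the Palyh indicators quoted above: the forged sender, the three subject lines, the fixed body text and the presence of an attachment. The point it makes is that the From: header is free text that any sender can set, which is exactly why the spoof worked, so a useful check combines it with the other indicators rather than trusting it on its own. The scoring threshold, the two sample messages and the placeholder attachment name are assumptions of this example.

```python
"""Score mail messages against the Palyh lure indicators (added example).

The sender address, subject lines and body text come from the article; the
threshold, the constructed sample messages and the attachment name are
assumptions made for this example only.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Indicators reported for Palyh (quoted in the article).
PALYH_SENDER = "support@microsoft.com"
PALYH_SUBJECTS = {"your password", "re: my details", "approved (ref:38446-263)"}
PALYH_BODY = "all information is in the attached file"


def has_attachment(msg: EmailMessage) -> bool:
    """True if any MIME part carries a filename, i.e. is an attachment."""
    return any(part.get_filename() for part in msg.walk())


def score_message(raw: bytes) -> tuple:
    """Return (score, reasons); each matched Palyh indicator adds one point.

    The From: header alone is a weak signal because it is trivially forged;
    the subject, the fixed body text and an attachment together make the
    match far more specific.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    _, addr = parseaddr(msg.get("From", ""))
    if addr.lower() == PALYH_SENDER:
        reasons.append("sender claims to be " + PALYH_SENDER)
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in PALYH_SUBJECTS:
        reasons.append("known Palyh subject line")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower().rstrip(".") if body_part else ""
    if body == PALYH_BODY:
        reasons.append("fixed Palyh body text")
    if has_attachment(msg):
        reasons.append("carries an attachment")
    return len(reasons), reasons


def is_palyh_like(raw: bytes, threshold: int = 3) -> bool:
    """Flag a message when at least `threshold` indicators match (threshold is an assumption)."""
    score, _ = score_message(raw)
    return score >= threshold


def build_sample(spoofed: bool) -> bytes:
    """Constructed sample messages: a Palyh-style lure and a benign reply."""
    msg = EmailMessage()
    msg["To"] = "bob@example.com"
    if spoofed:
        msg["From"] = "Microsoft Support <support@microsoft.com>"
        msg["Subject"] = "Approved (Ref:38446-263)"
        msg.set_content("All information is in the attached file.")
        # Placeholder attachment; the real worm's file name is not given in the article.
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename="details.zip")
    else:
        msg["From"] = "Alice <alice@example.com>"
        msg["Subject"] = "Re: My details"
        msg.set_content("Hi Bob, here are my details as promised. Call me on Monday.")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, flag in (("lure", True), ("benign", False)):
        score, reasons = score_message(build_sample(flag))
        print(label, score, reasons, "-> flagged" if is_palyh_like(build_sample(flag)) else "-> ok")
```

The benign sample deliberately reuses the "Re: My details" subject to show that a single indicator (here a subject line that legitimate mail can easily carry) does not reach the threshold, while the lure matches all four.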

June started with a bang on the virus front. Sobig-C managed to spread rapidly on Sunday but seemed to peter out early in the week. Like Palyh, that worm searched local files for e-mail addresses and then sent many copies of itself.

Here are the lists of top viruses and worms from various antivirus software vendors.

Central Command's top 12 virus and worms for May:
1. Worm/Palyh (Sobig.B) 22.4%
2. Worm/Klez.E (including G) 19.7%
3. Worm/Sobig.A 8.3%
4. Worm/Fizzu.A 6.0%
5. Worm/Yaha.E 3.6%
6. W32/Funlove.4099 3.1%
7. Worm/W32.Sircam 2.5%
8. Worm/Bride.A 2.2%
9. Worm/Lovegate.F 1.5%
10. Worm/Yaha.M 1.1%
11. W32/Nimda 1.1%
12. Worm/BugBear 0.9%
Others 27.6%

Sophos Inc.'s top 10 list for the month:
1. W32/Palyh-A (Palyh) 19.9%
2. W32/Fizzer-A (Fizzer) 9.8%
3. W32/Klez-H (Klez) 7.1%
4. W32/Lovgate-E (Lovgate) 4.2%
5. W32/Sobig-A (Sobig) 3.1%
6. W32/ElKern-C (ElKern) 2.4%
7. W32/Bugbear-A (Bugbear) 1.9%
8. W32/Yaha-P (Yaha) 1.6%
9. W32/Nimda-D (Nimda) 1.4%
10. W32/Opaserv-G (Opaserv) 1.1%
Others 47.5%

Kaspersky Labs' top 20 list of malicious code for May:
1. I-Worm.Sobig 21.87%
2. I-Worm.Lentin 15.95%
3. I-Worm.Klez 15.39%
4. I-Worm.Fizzer 0.67%
5. I-Worm.Roron 0.51%
6. Worm.Win32.Randon 0.38%
7. I-Worm.Ganda 0.28%
8. Macro.Word97.Thus 0.28%
9. Backdoor.Assasin 0.24%
10. I-Worm.Tanatos 0.21%
11. Backdoor.Optix 0.20%
12. Backdoor.IRC.Zcrew 0.19%
13. Win32.Parite 0.17%
14. Win32.FunLove 0.17%
15. Backdoor.IRC.Flood 0.16%
16. TrojanDropper.JS.Mimail 0.16%
17. VBS.Redlof 0.15%
18. Backdoor.IRC.mIRC-based 0.14%
19. Backdoor.SdBot.gen 0.12%
20. TrojanDownloader.Win32.Swizzor 0.12%
Other malicious programs 42.66%

FOR MORE INFORMATION:

SearchSecurity.com news exclusive: "Spoofing ability gives Palyh worm some legs"

SearchSecurity.com news exclusive: "Fizzer worm drops Trojan, keystroke logger"

SearchSecurity.com news exclusive: "Fizzer threat level rises"

FEEDBACK: Why has Sobig.C enjoyed so much success if enterprises have seen two previous variants?
Send your feedback to the SearchSecurity.com news team.

