August is likely to go down as one of the worst months for worms ever.
For most of the year, experts have predicted the decline of mass-mailing worms and warned of an increase in network worms such as Nimda and SQL Slammer. Enterprises were hit by two of each type in August, and they caused millions in damage, lost productivity and network downtime.
"The top four viruses are all new entries -- any of which would have been No. 1 in a normal month," said Chris Belthoff, senior security analyst at U.K.-based antivirus vendor Sophos PLC.
The biggest offender was the Sobig-F worm, a mass mailer that hit e-mail inboxes hard.
"The Sobig-F worm clogged up inboxes and crippled networks with the sheer volume of e-mail traffic it produced," Belthoff said.
At first glance, it seems Sobig-F shouldn't have been as successful as it was. It didn't use particularly good social engineering, traveling as a .pif or .scr file, which most enterprises block at the gateway.
"Sobig-F didn't infect [many] more systems than Sobig-E," said Mikko Hypponen, manager of antivirus research for Helsinki, Finland-based F-Secure Corp. But the variant's improved mailing routine enabled it to pump out thousands of e-mails from infected systems using its own SMTP engine. While companies may not have been infected by it, they saw their networks slow to a crawl because of the excess e-mail traffic.
Previous versions also contained a bug that sometimes
Experts say that, unlike the other major worms of the month, Sobig-F was probably created by an organized group, which uses the worms to create open relays for forwarding spam. "It's clear that the variants are revisions. The Sobig worms are clearly a business operation," Hypponen said.
The month started with a bang with Mimail-A. Another mass mailer, Mimail-A arrived as an attachment to an e-mail purporting to be from an enterprise's e-mail administrator. For example, someone with a searchsecurity.com e-mail domain would get a message from "email@example.com."
By midmonth, the worm everyone was waiting for arrived. Known both as Lovsan-A and Blaster, the network worm exploited a critical vulnerability in Windows Remote Procedure Call (RPC), which was disclosed in July. "It came out about four or five weeks after, which is typically the time it takes for someone to write such a worm," Hypponen said.
Blaster made such traction that someone created another worm, Nachi, also known as Welchia, that tried to patch the RPC flaw and disinfect systems. Alas, the benevolent worm caused more problems than it solved. The worm caused a spike in Internet Control Message Protocol (ICMP) traffic on local networks as it scanned for other vulnerable systems to infect.
If that antiworm worm wasn't weird enough, a new variant of an old worm was probably the most problematic of the month. Sobig-F, a mass-mailer worm, had a huge impact.
Here are vendors' lists of the most prevalent malicious code for the month.
Sophos' top 10 virus and worm list1. W32/Sobig-F 37.6%
2. W32/Blaster-A 18.8%
3. W32/Nachi-A 5.5%
4. W32/Mimail-A 5.3%
5. W32/Yaha-P 2.1%
6. W32/Klez-H 1.3%
7. W32/Bugbear-B 1.1%
8. W32/Yaha-E 0.8%
9. W32/Dumaru-A 0.6%
10. W32/Sobig-A 0.3%
Kaspersky Labs' top 20 list of malicious code1. I-Worm.Sobig 61.49%
2. I-Worm.Mimail 4.06%
3. I-Worm.Tanatos 3.49%
4. Worm.Win32.Lovesan 3.17%
5. I-Worm.Klez 1.09%
6. I-Worm.Lentin 0.67%
7. Worm.P2P.SpyBot 0.66%
8. Macro.Word97.Thus 0.60%
9. Macro.Word97.Saver 0.60%
10. Backdoor.BeastDoor 0.50%
11. Backdoor.SdBot 0.48%
12. Win32.Parite 0.41%
13. VBS.Redlof 0.36%
14. Backdoor.Optix.Pro 0.29%
15. I-Worm.Roron 0.25%
16. TrojanDropper.Win32.Freshbind 0.22%
17. Worm.Win32.Muma 0.20%
18. Win32.Xorala 0.19%
19. Worm.Win32.Welchia 0.19%
20. I-Worm.Gibe 0.19%
Other. Other 20.86%
Central Command's most prevalent malicious code list1. Worm/Sobig.F 76.8%
2. Worm/Lovsan.A 6.4%
3. Worm/MiMail.A 5.1%
4. Worm/Nachi.A 4.0%
5. Worm/Klez.E (including G) 2.1%
6. Worm/Dumaru.A 2.0%
7. Worm/Sobig.A 0.9%
8. Worm/BugBear.B 0.7%
9. Worm/Sircam.A 0.6%
10. W32/Yaha.E 0.5%
11. Worm/Sobig.C 0.4%
12. Worm/Sobig.E 0.2%