Worms that prey on users' distrust of vulnerable Microsoft software continue to make their way around the Internet and, in October, were the most prevalent worms on record.
The Swen worm, also known as Gibe-F, and Dumaru took the top spots on lists compiled by three leading antivirus software providers. Sober-A, which appeared late in October, also cracked the top 10 on most lists, as did standbys like Bugbear, Sobig, Klez and Blaster.
Swen arrives as an attachment to an HTML e-mail masquerading as a Microsoft patch alert. In some cases, Swen is distributed as an e-mail delivery failure notice. The worm attempts to disable antivirus and other security software and spreads through network file shares or via e-mail. Its initial success likely came because it was seeded shortly after new vulnerabilities in Windows RPC-DCOM were announced in mid-September.
Sophos PLC, a U.K.-based antivirus provider, said Swen accounted for 22.7% of viruses reported to the vendor. Central Command, an antivirus and security services provider based in Medina, Ohio, said Swen accounted for 54% of reports last month.
Dumaru, meanwhile, is an e-mail worm that appears to come from firstname.lastname@example.org. It drops a keystroke-logging program called Troj/Small-G, and those logs can be uploaded by the author to a remote FTP server.
Sober-A, meanwhile, plays off of users' fears about viruses and pretends to be a fix for malicious code. It enjoyed moderate success in spreading, primarily because it traveled with varying subject lines and message text in English and German.
Sober-A, however, is a mass-mailing worm, and it attempts to induce users to double-click on an infected executable attachment. Most enterprises should be immune to Sober-A because administrators generally block executable file extensions at the gateway.
Here is a sampling of the top 10 lists for October.
Sophos' top 10 list for October:
1. W32/Gibe-F (Gibe variant) 22.7%
2. W32/Dumaru-A (Dumaru virus) 13.6%
3. W32/Mimail-A (Mimail worm) 12.4%
4. W32/Sobig-F (Sobig variant) 9.0%
5. W32/Klez-H (Klez variant) 4.4%
6. W32/Nachi-A (Nachi worm) 4.3%
7. W32/Blaster-A (Blaster worm) 2.4%
8. Troj/CoreFloo-C 2.1%
9. W32/Bugbear-B 1.6%
10. Rox-A 1.0%
Kaspersky Labs' top 10 list for October:
1. I-Worm.Swen 70.94%
2. I-Worm.Tanatos 1.13%
3. I-Worm.Mimail 1.07%
4. I-Worm.Win32.Lovesan 0.89%
5. Backdoor.SdBot 0.70%
6. I-Worm.Sober 0.63%
7. Worm.P2P.SpyBot 0.59%
8. I-Worm.Sobig 0.52%
9. Backdoor.Ciadoor 0.47%
10. VBS.Redlof 0.39%
Central Command's top 10 list for October:
1. Worm/Gibe-C 54.7%
2. Worm/Dumaru-A 7.6%
3. Worm/Klez-E 7.0%
4. Worm/Mimail-A 5.9%
5. Worm/Sober 3.8%
6. Worm/Sobig-F 1.7%
7. Worm/Nachi-A 1.5%
8. Worm/BugBear-B 1.3%
9. Worm/Lovsan-A 1.1%
10. Worm/Yaha-P 0.9%