Klez spread slowing to a trickle

By Edward Hurley, News Writer
03 Sep 2002 | SearchSecurity.com

Klez was still the most active malicious code in August, but its reign seems to be slowing as it's not racking up the numbers it did earlier in the year.

For example, U.K.-based antivirus vendor Sophos estimated Klez (G and H variants) accounted for 77.8% of support calls in April. In August, Klez accounted for only 17%, but that was enough to take the top spot for the month.

Discovered early this year, variants of Klez have dominated the virus landscape ever since. The worm contains several features that make it difficult to detect, like using dozens of subject lines. It also "spoofs" e-mail addresses so it appears an infected e-mail message is coming from one person when in fact it's coming from a different system.

Klez also searches infected machines for e-mail addresses in everything from documents to cached Web pages. It then mails copies of itself out to the various addresses using its own SMTP engine.

Additionally, some variants of Klez dropped the Elkern virus, which targets executables, into systems while spreading.

"Klez-H and its nasty bedfellow ElKern-C, have accounted for almost a quarter of enquiries to Sophos' support center this month, even though protection has been available since February," said Sophos in a release. "Users getting caught out by them appear not to have updated their anti-virus software in six months."

Likewise, Command Central saw Klez accounting for 79.2% of virus activity in April, but by its calculations W32/Yaha.E surpassed Klez in August. "After five months, we have finally seen a switch at the top as W32/Yaha.E surpasses Klez securing the pole position," said Steven Sundermeier, product manager at Central Command, Inc.

W32/Yaha.E travels in e-mail messages with a love- or friendship-themed subject line. It can also exploit security holes in MSN Messenger and ICQ instant messaging. "Peer-2-Peer networks like ICQ and MSN Messenger in conjunction with file sharing networks like Napster and Kazaa are beginning to play a pivotal role in the distribution of this latest breed of viruses in 2002," Sundermeier said.

Below are the monthly virus numbers from different antivirus vendors (including Sophos and Command Central):


Sophos' top list of viruses for August:
1. W32/Klez-H (Klez variant)    17.0%
2. W32/Yaha-E (Yaha variant)    6.4%
2. JS/NoClose   6.4%
4. W32/Badtrans-B (Badtrans variant)    5.3%
5. W32/ElKern-C (ElKern variant)    5.1%
6. W32/Higuy-A    2.7%
7. W32/Datom-A    2.4%
8. W32/Magistr-B (Magistr variant)    2.1%
9. W32/Sircam-A    1.9%
10. W32/Nimda-D     1.6%
Others:   49.1%

MessageLabs top ten malicious code for the last four weeks (through Sept. 2):
1. W32/Klez.H-mm
2. W32/Yaha.E-mm
3. W32/SirCam.A-mm
4. W32/Klez.E-mm
5. W32/Yaha.C-mm
6. W32/Magistr.B-mm
7. W32/Hybris.B-mm
8. W32/Magistr.A-mm
9. W32/Nimda.E-mm
10. W32/Tettona.A-mm

Command Central's most prevalent viruses list:
1. W32/Yaha.E   33.8%
2. Worm/Klez.E (includes G variant)    31.0%
3. Worm/W32.Sircam   8.9%
4. W32/Elkern.C   8.8%
5. W32/Magistr.B   3.1%
6. W32/Nimda    1.9%
7. W95/Hybris   1.7%
8. W32/Magistr.A   1.4%
9. W32/Funlove   1.1%
10. Worm/Badtrans.B    0.8%
11. W95/CIH   0.8%
12. W95/Spaces   0.7%
Others:    6.0%

Trend Micro's top list of viruses for the last 30 days (through Sept. 2):
1. Worm Klez.H
2. PE Funlove.4099
3. PE Nimda.E
4. PE Elkern.D
5. Worm Sircam.A
6. Worm Yaha.E
7. HTML Ifrmexp.Gen
8. Klez.E
9. Hybris.B
10. JS NoClose.E

Kaspersky Labs' top 20 list of viruses and worms for August by occurrence:
1. I-Worm.Klez    76.45%
2. I-Worm.Lentin    21.66%
3. Win95.CIH    0.45%
4. Abba    0.24%
5. I-Worm.Hybris    0.10%
6. Win32.FunLove    0.07%
7. I-Worm.Sircam    0.03%
8. I-Worm.Magistr    0.01%
9. Win95.Tecata    0.01%
10. Backdoor.Antilam    0.01%
11. I-Worm.HappyTime    0.01%
12. Trojan.Win32.Filecoder    0.01%
13. Armageddon    0.01%
14. Backdoor.Arcanum    0.01%
15. Attention    0.01%
16. I-Worm.BadtransII    0.01%
17. Backdoor.Cabrotor    0.01%
18. Trojan.PSW.Stealth    0.01%
19. Backdoor.Death    0.01%
20. Trojan.JS.Seeker    0.01%
