
Klez dominates slow year for malicious code

The numbers tell the story for viruses in 2002.

One word can sum up the virus landscape for 2002: Klez.

Variants of the pesky worm spread continuously from April through the end of the year. Antivirus vendor Sophos said Klez was the top virus for the year and accounted for 24% of all viruses reported to the firm. Antivirus software vendor Trend Micro said 6,233,714 computers have been infected with Klez since April 17. Klez is also the most active worm ever, according to e-mail security outsourcer MessageLabs.

Feedback on this story? Send your comments to News Writer Edward Hurley

Klez was successful for a variety of reasons, experts said. First, it exploited a MIME and an IFRAME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express and Internet Explorer that allowed the worm to execute without the infected attachment being opened.

Klez also spoofed e-mail addresses in an attempt to trick users into opening the worm, thinking it came from a known party. Klez was particularly good at harvesting e-mail addresses from a host of files on infected systems. It could pluck addresses from everything from Excel documents to cached Web pages. Using its own SMTP engine, it could shoot out thousands of infected e-mails.

The second major virus of the year arrived a little later. Bugbear surfaced in October as an attachment to a message featuring a host of subject lines and message bodies. It had many of the features of Klez with one twist. It installed a key-logging program that could harvest passwords, usernames, credit card numbers and other sensitive information. The worm also opened a back door on port 36794, which allowed the worm's writer to steal that information.

While Klez and Bugbear were the dominant malicious code for the year, there were other, more minor infections. One of the first viruses of 2002 was Gigger. It arrived as an e-mail message with a subject line reading "Outlook Express Update" and an attachment. When executed, Gigger set the Autoexec.bat file to reformat the hard drive when the computer was restarted.

A few weeks later MyParty arrived. It arrived in an e-mail with the subject line: "new photos from my party!" The message appears to have a link to "," but clicking on it executed the virus.

In March, the Caric-A worm appeared disguised as a screensaver featuring former U.S. President Bill Clinton. When executed, it displayed a picture of the former president playing his trademark saxophone, but it also made some potentially devastating changes to a user's hard drive.

Bill Clinton wasn't the only celebrity whose name viruses used in 2002. Pop stars Britney Spears and Shakira both had malicious code referencing them. VBS/Chick-C was a Visual Basic Script worm that arrived as an e-mail attachment purporting to be a new video from Colombian songstress Shakira. The worm was similar to VBS/Britney-A, a worm that surfaced in March and masqueraded as a picture of Spears.

Beyond interest in celebrities, other viruses played off users' greed. In July, Surnova-B floated around the Kazaa network and disguised itself as enticing applications such as a Windows XP key generator. When a Kazaa user downloads and executes the file, the worm tries to spread itself using MSN Messenger and through Kazaa.

The end of the year was pretty slow for new viruses, with the exception of Bugbear and, in November, the Braid worm. Braid signed its own death warrant by including a copy of a known virus: it dropped a copy of the FunLove virus when infecting a system.
