Slammer had company in January

Security experts hope January is not a sign of things to come for 2003.

The Slammer worm caused a lot of racket at the end of January, but there were three e-mail-based worms earlier in the month that caused their own share of misery.

"If the month of January is any sign of the year to come, we could be in for a very long year," said Steven Sundermeier, product manager at Central Command, Inc. of Medina, Ohio.

The month started with a bang with Yaha.K, a variant of a worm that first appeared late last year. Within a week, the Sobig worm hit, followed a week or so later by the Lirva worm.

Yaha.K broke late in December but spread well into January. The worm dropped three executable files into infected machines. One of the executables tries to disable antivirus and firewall processes. The worm travels with a variety of subject lines playing off interest in sports and computing in addition to more prurient interests.

Sobig's success was tied to its ability to mail itself out via its own SMTP engine. It also spread via local network shares. The worm harvested potential target e-mail addresses by searching text files and files with extensions like .dbx, .htm, .eml, .wab and .html.

The Lirva worm (also known as Naith and Avril) used interest in Canadian pop princess Avril Lavigne to spread. Variants of the worm accounted for almost 30% of support calls to U.K.-based enterprise antivirus vendor Sophos. In fact, the two variants of the worm took first and second place on Sophos' monthly top 10 list of viruses and worms.

Together, the three worms accounted for 36.1% of all infections recorded by Central Command. "They all utilized the well-known vulnerability that allows for an attachment to be automatically executed within the preview pane of Microsoft Outlook," Sundermeier said.

The Slammer worm doesn't appear on any of the antivirus companies' top-threat lists because of the way they measure activity. Using estimates of Slammer's spread, Kaspersky Labs calculated that Slammer would have accounted for nearly 50% of all malware activity for the month, easily taking the top spot.

Here are the monthly lists from various antivirus companies:

Sophos' top 10 viruses and worms of the month.
1. W32/Avril-B 16.8%
2. W32/Avril-A 12.4%
3. W32/Klez-H 12.1%
4. W32/Sobig-A 6.1%
5. W32/Yaha-K 5.7%
6. W32/Bugbear-A 5.6%
7. W32/Yaha-E 3.3%
8. W32/ElKern-C 2.1%
9. W95/Spaces 1.5%
10. W32/Flcss 1.2%
Others 33.2%

Central Command's top 12 viruses and worms for January
1. Worm/Klez.E (incl. G variant) 27.2%
2. W32/Yaha.E 17.7%
3. Worm/Sobig.A 11.9%
4. Worm/Avril.A 10.8%
5. Worm/Yaha.M2 7.4%
6. Worm/Avril.B 6.0%
7. Worm/Bugbear 2.3%
8. Worm/Sircam.C 1.4%
9. W32/Elkern.C 1.3%
10. W32/Funlove 0.6%
11. W32/Nimda 0.5%
12. Worm/Opasoft 0.4%
Others 12.5%

Kaspersky Labs' top 20 most widespread malicious programs
1. I-Worm.Klez 16.65%
2. I-Worm.Lentin 8.75%
3. I-Worm.Sobig 6.57%
4. I-Worm.Avron 6.55%
5. Macro.Word97.Thus 5.17%
6. I-Worm.Hybris 3.13%
7. I-Worm.Roron 2.46%
8. I-Worm.Tanatos 1.92%
9. Backdoor.NetDevil 1.25%
10. Macro.Word97.Saver 1.17%
11. I-Worm.Magistr 0.95%
12. Macro.Word97.Marker 0.95%
13. Worm.Win32.Opasoft 0.79%
14. I-Worm.KakWorm 0.76%
15. Win95.CIH 0.72%
16. Trojan.Spy.SCKeyLog 0.71%
17. Backdoor.Death 0.67%
18. VBS.Redlof 0.66%
19. Win32.Elkern 0.66%
20. Win32.FunLove 0.65%
Other dangerous programs 38.87%
