Below is Trend Micro's overview and analysis of the top ten viruses that were active in May. Two major viruses broke out in May: the Fizzer worm and the Sobig.B worm, better known as Palyh.A. Both viruses appear in the top ten.
For more information:
Trend Micro
Anna Wright
EMEA PR Manager Trend Micro Europe
Tel: +44 (0)1628 400534
E-mail: Anna_Wright@trendmicro.co.uk
Lammers van Toorenburg PR
Francine Loos / Annegees van Linge
Tel: +31 (0)30 6565 070
E-mail: francine@lvtpr.nl / annegees@lvtpr.nl
# # #
New Windows Worms At Work in May
Network-aware viruses top the monthly threat list as Klez.H slips
Marlow, UK - June 3, 2003 - Computer virus activity apparently picked up in May, rebounding from the low level recorded in April, the quietest month so far in 2003. Antivirus vendor Trend Micro (TSE:4704, Nasdaq: TMIC) issued twelve new advisories in May, including two medium-risk 'yellow alerts', compared to just eight advisories in April, all low risk. Recent virus advisories can be seen online at http://www.trendmicro.com/vinfo/.
Two of the month's new threats were interesting enough to win media coverage and powerful enough to reach the top ten. The Fizzer worm (Worm_Fizzer.A), discovered May 13, spreads through rather aggressive e-mailing techniques and also through the Kazaa P2P file sharing network. Like many other recent 'mixed threats,' it contains backdoor features designed to steal data - in this case a keylogger. It also logs on to IRC (Internet Relay Chat) channels, presumably to allow communication with the writer/hacker. This last feature is poorly executed but managed to disrupt traffic on many IRC channels, leading IRC operators to band together and take steps to defend against it. Several observers have noted that the Fizzer worm is hindered by bugs or sloppy writing in several places, warning that it could easily have been more effective if the writer had 'polished' it further.
Running slightly behind Fizzer, the Sobig.B worm (a.k.a. Palyh.A) is best known for faking a Microsoft email address and pretending to be a message from the software company's tech support desk. The deception is fairly simple, but it's enough to fool some users into opening the attachment without wondering why Microsoft is sending them a file for no apparent reason. Sobig.B has another unusual feature - a line in its code will apparently prevent it from spreading after May 31. Infected users will still need to find and remove the worm's components, but the built-in expiration date should make this one less threat to worry about in June.
TOP TEN VIRUSES¹ - MAY 2003
1. WORM_LOVGATE.F
2. PE_FUNLOVE.4099
3. PE_ELKERN.D
4. WORM_YAHA.G
5. WORM_KLEZ.H
6. PE_NIMDA.A-O
7. WORM_LOVGATE.G
8. WORM_FIZZER.A
9. PE_CIH.DAM
10. WORM_PALYH.A (a.k.a. WORM_SOBIG.B)
Trend Micro's list of the ten most common viruses detected in May is topped by two "network-aware" worms: one fairly new (Worm_Lovgate.F) and one an old standby (PE_Funlove.4099). These worms simply use network connections, such as shared or mapped drives, to quickly spread to other computers on a local area network (LAN), and can cause thousands of infections in a relatively short time. Lovgate.F emerged in March and is now the most common variant in the large family of Lovgate worms. It spreads through email as well as network drives, and may owe its "success" to its combination of numerous worming characteristics borrowed from various predecessors. "Lovgate.F includes some of the dirtiest tricks in the book - dropping files in shared drives, replying to all received mail messages, parsing Internet cache directories for addresses, providing backdoor remote access, and launching brute force password dictionary attacks, among others," said Jamz Yaneza, senior antivirus consultant for TrendLabs, Trend Micro's research and support network. "It could easily re-infect networks if their AV solution does not include thorough cleaning and the reversal of registry modifications."
Network-aware worms can find plenty of room to hide in a network, making them hard to track down and eliminate completely. In addition to using up-to-date antivirus software, enterprises can mitigate these attacks by following some sensible precautions:
* Share specific folders with specific users as required, rather than entire hard disks.
* When sharing a folder, limit share access to specific users only and use a strong password to protect the share.
* Use read-only as the default setting for all shared files.
* Administrators should find and close any unused ports.
* Always update operating systems and applications when patches become available.
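The first three precautions above can be checked mechanically against a share inventory. The following Python script is an added example written for this page, not Trend Micro's own tooling: it audits a constructed list of Windows file shares and flags whole-drive shares, access granted to broad principals such as Everyone, and write access that should default to read-only. The `Share` fields, the `BROAD_PRINCIPALS` set and the sample shares are assumptions made for the example; on a real host the inventory would come from the administrator's share listing.

```python
"""Audit a Windows file-share inventory against the share-hardening precautions:
share specific folders (not whole drives), restrict access to specific users,
and make read-only the default. Sample data below is constructed, not real."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Principals that effectively mean "anyone on the network" rather than a
# specific user or group (assumed set for this example; extend as needed).
BROAD_PRINCIPALS = {"everyone", "authenticated users", "users",
                    "domain users", "guest", "guests"}


@dataclass
class Share:
    name: str
    path: str
    # (principal, permission) pairs; permission is "Read", "Change" or "Full".
    access: List[Tuple[str, str]]


def is_drive_root(path: str) -> bool:
    """True for paths such as 'C:\\' or 'D:' that expose an entire disk."""
    p = path.rstrip("\\/")
    return len(p) == 2 and p[0].isalpha() and p[1] == ":"


def audit_share(share: Share) -> List[str]:
    """Return one finding per violated precaution for a single share."""
    findings = []
    if is_drive_root(share.path):
        findings.append("exposes an entire drive; share a specific folder instead")
    for principal, perm in share.access:
        if principal.lower() in BROAD_PRINCIPALS:
            findings.append(f"'{principal}' has {perm} access; "
                            "limit the share to specific users")
        if perm.lower() != "read":
            findings.append(f"'{principal}' can write ({perm}); "
                            "make read-only the default setting")
    return findings


def audit(shares: List[Share], include_admin: bool = False) -> Dict[str, List[str]]:
    """Audit every share; hidden administrative shares (names ending in '$',
    e.g. C$ or ADMIN$) map drive roots by design and are skipped unless
    include_admin is set."""
    report: Dict[str, List[str]] = {}
    for share in shares:
        if share.name.endswith("$") and not include_admin:
            continue
        findings = audit_share(share)
        if findings:
            report[share.name] = findings
    return report


# Constructed sample inventory illustrating each class of finding.
SAMPLE_SHARES = [
    Share("Public", "C:\\", [("Everyone", "Full")]),
    Share("Finance", "D:\\Finance", [("FinanceTeam", "Change"), ("Auditors", "Read")]),
    Share("Templates", "D:\\Templates", [("Authenticated Users", "Read")]),
    Share("C$", "C:\\", [("Administrators", "Full")]),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SHARES).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run the script as-is to see the report for the sample inventory; the `Finance` share is flagged only because a group can write to it, which is a judgement call (some shares must be writable), so treat that finding as a prompt to confirm the write access is deliberate rather than as an error.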
In other news, the prevalence of a small group of long-standing mixed threats, including Klez.H, Elkern and Nimda.A-O, declined slightly for the second straight month. The old 'classic' threats still hold five spots on the list, from #2 through #6, but their dominance is less absolute than it had been in the preceding 12 months or so. Klez.H, which often topped the list and had always ranked among the top three, slipped to fifth place this month. Does this indicate a trend? "I wouldn't count out a long-running threat like Klez.H just yet," said Jamz Yaneza. "It could easily rebound, but even if it doesn't, its decline will almost certainly be long, slow and lingering." Klez.H and other persistent threats rarely threaten corporate networks now, but remain in widespread circulation among unprotected home users.
Squeezed in between Fizzer and Sobig at number nine on the virus list is an odd entry, PE_CIH.DAM. It describes the results of a damaged or incomplete installation of PE_CIH, also known as Chernobyl. This infamous virus, written by young Taiwanese hacker Chen Ing-hau in 1998, attempts to reformat the hard drive and overwrite the flash BIOS of an infected PC, erasing all data and effectively rendering it useless. CIH caused considerable damage in 1998 and 1999, particularly in Asia and the Middle East, before fading away. Why is it listed here in 2003? Apparently, a slightly modified version of CIH has been making a comeback since 2002, in some cases spreading by "piggy-backing" on copies of the Klez.H worm. PE_CIH cannot execute correctly on newer versions of Windows (NT, 2000 or XP), which may explain why damaged or incomplete versions are being detected. On the other hand, a successful and complete execution would leave nothing to be scanned anyway!
Users should worry about the CIH virus only if they are running Windows 95/98 with no antivirus software, or if they haven't updated their virus protection since approximately 1999. In that case, they can scan their computers with Trend Micro's free online virus scanner at http://housecall.trendmicro.com/, or just use an infection as an opportunity to upgrade.
About Trend Micro
Trend Micro is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has its European headquarters in Marlow, England, and business units worldwide. Trend Micro products are sold through corporate, value-added resellers and managed service providers. For additional information and evaluation copies of all Trend Micro products, visit: http://www.trendmicro-europe.com
¹Based on the number of infected computers detected by HouseCall(tm), Trend Micro's free on-line virus scanner for PCs, and by the Trend Micro Control Manager (TMCM), a central management solution for network administrators, as of May 29, 2003 (Source: Trend Micro World Virus Tracking Center)