
23rd December 2006, 05:16 PM
Your Elsmar Cove Host
Top viruses, worms and malware in 2006
From Panda Software. NOTE: Panda Software is itself an anti-virus software maker and is, as such, biased. Obviously it's in their interest (as it is with Symantec and other anti-virus software companies).
Quote:
In Reply to Parent Post by Panda
Top viruses, worms and malware in 2006
As it does every year, Panda Software is publishing its annual list of those malicious codes which, although they may not have caused serious epidemics, have stood out in one way or another:
- The most moralistic. This award goes to the spyware Zcodec which, among other actions, monitors whether users access certain web pages with pornographic content. This may simply be a way of determining whether the user is a frequent visitor to these types of pages in order to send personalized advertising. On the other hand, perhaps the author of the spyware just has voyeuristic tendencies.
- The worst job applicant. The Eliles.A worm sends out CVs all over the place. It even sends them out to users’ cell phones. It would seem that it has little confidence in its own job prospects.
- The most sensationalist. Sensational headlines have always made an impact, now they are even being used by viruses. Of all those that appeared in 2006, Nuwar.A wins hands down with its declaration of the start of the Third World War.
- The most tenacious. They say that all good things come to an end. It's a shame that the creators of the Spamta worms haven’t heard the saying. Otherwise, they might have stopped sending wave after wave of almost identical variants of this malicious code.
- The most competitive. Once the Popuper spyware has installed itself on a computer, it runs a pirate version of a well-known antivirus application. Far from trying to do the user a favour, it is actually trying to eliminate any possible rival from the computer. It seems that the fight for supremacy has also reached the world of Internet threats.
- The most diligent. In general, phishing messages are aimed at gathering confidential information such as credit card numbers or account access details in order to steal money. However, this isn't the case with BarcPhish.HTML, which goes much further, collecting information including expiry dates, CVVs (Card Verification Value), last names, membership numbers, five-digit codes, account numbers, etc. No doubt the creator was thinking “better too much than too little…”
- The biggest snooper. In this case, it was not a difficult choice. WebMic.A is a malicious code that can record sounds and images, using a microphone and WebCam connected to the computer. Of course this is not the sort of uninvited guest you would like to have on your PC.
- The most mischievous. Nedro.B is a worm that seems to get bored after it has infected a computer. Perhaps that's why it decides to change icons, prevent access to tools, hide file extensions, delete options from the Start menu... and basically cause chaos. Maybe this seems entertaining to someone, but it certainly isn't for the users.
- The most chaste. Malicious codes that spread across P2P networks use enticing filenames in order to get users to download them voluntarily on to their computers. For this reason, many of these names have pornographic connotations. However, among the more than 37,000 different names used by FormShared.A, none of them make any reference to sex. That’s some kind of record.
- The most archaic. Seemingly there are still some retro virus creators around. Whoever created the DarkFloppy.A worm appears not to have heard of e-mail, instant messaging or P2P systems, as the propagation methods they've chosen to spread this malicious code is… floppy disks. Not much chance of a massive epidemic then, is there?
- The most promiscuous. This title goes without doubt to Gatt.A. This malicious code can infect any platform that it is run on: Windows, Linux, etc.
- The most deceitful. SafetyBar supposedly offers security information and anti-spyware downloads. However, the problem is that once downloaded, these programs then warn the user that the computer is infected by non-existent threats.
__________________
A Search is a terrible thing to waste!
One Test is Worth 1000 Expert Opinions - The plural of anecdote is not data - Correlation does not imply Causation
We can't solve problems by using the same kind of thinking we used when we created them. - Unknown

23rd December 2006, 08:16 PM
Forum Administrator
Re: Top viruses, worms and malware in 2006
Hi Marc,
I know that I am asking a silly question.
Just curious - who gives names to these viruses and how are they named?
__________________
Well done is better than well said - Benjamin Franklin

23rd December 2006, 08:25 PM
Your Elsmar Cove Host
Re: Top viruses, worms and malware in 2006
I had no idea who names them or how, but I found this at ZDNet from January 9, 2002:
Quote:
In Reply to Parent Post by ZDNet
Over the holidays, a single Internet worm made headlines, yet you may never have seen or heard its proper name: w32.Maldal@mm. Like a lot of other journalists, I opted to use the more popular names of Reeezak and Zacker. Not even the antivirus companies were consistent, as they referred to Maldal as Hallad, KeyLuc, Reeezak, and Zacker.
So how are you supposed to know what's attacking your system? Good question. To answer it, let's look at how a virus gets its name.
Computer viruses are assigned names according to a convention adopted by the Computer Antivirus Research Organization (CARO) in 1991. The CARO Naming Convention is the result of a committee consisting of virus experts Fridrik Skulason, Alan Solomon, and Vesselin Bontchev. Antivirus companies use the same basic convention, though they have tacked on their own prefixes and suffixes.
THE FIRST PART of the virus name designates what type of troublemaker it is--Trojan horse, Visual Basic script, or 32-bit Windows virus. This is followed by the specific name of the virus family, the group name, any known major or minor variations, and whether or not it's an e-mail virus or a mass-mailing virus. Hence we arrive at something that looks like this: W32.Anyvirus.A@mm. Translation: Anyvirus variation A is a mass-mailing, 32-bit Windows virus.
Back in mid-December 2001, a rather minor worm appeared worldwide. Kaspersky Labs called it Hallad and Sophos called it Zacker, while the rest of the antivirus companies named it after a file the active virus created: maldal.exe. Usually, antivirus companies will announce a virus under one name, then change the name to conform with the industry convention. To stay on top of it all, antivirus software maker McAfee provides a list of all the known names of a given virus and the antivirus company naming it--it's a great resource.
NEEDLESS TO SAY, versions A and B of the Maldal worm did not produce spectacular results. They were large, about 80KB each, and contained bugs. Had it worked, the original version would have created countless bogus files named Sharoon (sic), Bush, and BinLaden, which would have shut down an infected computer. The second variation would have attempted to remove your antivirus software. Apparently learning from his or her mistakes, the virus author retooled and re-released Maldal version C just in time for the holidays.
Reeezak, as Maldal.C was first known, appeared to be unrelated to any previous virus, thus the initial designation: w32.Reeezak.A@mm. Within a few hours, however, further research showed that it was a solid variation of the Maldal family: It attempted to fill infected computer's hard drives with politically-themed bogus files and delete the system's antivirus software. Version C was slimmer than A or B (only 36KB) and invoked clever social engineering--it arrived as a holiday-themed e-mail. This version spread.
Maldal.C also redirected an infected computer's Internet Explorer browser to a Web page infected with a VBS script. Once loaded on a computer, the VBS script sent out a second round of e-mails, which were also politically themed. Whoever wanted Maldal to succeed apparently wanted their political opinions to spread as well.
AROUND THE START of the new year (Jan 2002), yet another Maldal variation appeared. Popularly known as Zacker, Maldal.D is smaller still than A, B, or C (27KB); it fills the hard drive of an infected computer with bogus files, deletes the system's antivirus software, redirects Internet Explorer browsers to a VBS-script infected page, and deletes various file extensions. Gone, however, were the political messages--this version is meant to harm computers only, and may have been created by someone other than the author of the previous versions. Subsequent variations (E, F, G, and H) appear to be very minor variations of Maldal.D.
Though it sometimes gets confusing, I endorse the use of the popular names in headlines--for example, calling Maldal.C Reeezak--because it's easier to remember. I'd rather you hear a catchy name and finally get interested in using antivirus software than think a new virus is just a variation of an older one--and that you don't have to worry about it. After all, you can always turn to AnchorDesk and other ZDNet publications to get the scoop on the details later.
|
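The naming scheme quoted from ZDNet above (type prefix, family, variant, mail suffix, as in W32.Anyvirus.A@mm) can be parsed and the Maldal aliases folded into one family so detections from different vendors correlate. This is an added example, not part of the original posts or any vendor's code; `parse_name` and `group_by_family` are hypothetical helpers, and the `VBS`, `TROJAN` and `@m` spellings are assumptions, since the article spells out only `W32` and `@mm`.

```python
import re
from collections import defaultdict

# Shape of the article's example W32.Anyvirus.A@mm: prefix.family[.variant][@mail]
NAME_RE = re.compile(
    r"^(?P<prefix>[A-Za-z0-9]+)\.(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?P<variant>[A-Za-z]+))?(?:@(?P<mail>mm|m))?$",
    re.IGNORECASE,
)
# W32 and @mm are from the article; VBS, TROJAN and @m are assumed spellings.
PREFIXES = {"W32": "32-bit Windows", "VBS": "Visual Basic script",
            "TROJAN": "Trojan horse"}
MAIL = {"mm": "mass-mailing", "m": "e-mail"}
# Vendor and press names the article lists for the Maldal family.
ALIASES = {"hallad": "Maldal", "keyluc": "Maldal",
           "reeezak": "Maldal", "zacker": "Maldal"}

def parse_name(name):
    """Split a detection name into fields; return None if it does not fit."""
    m = NAME_RE.match(name.strip())
    if not m:
        return None
    raw = m.group("family")
    family = ALIASES.get(raw.lower(), raw)
    aliased = family.lower() != raw.lower()
    variant = m.group("variant")
    return {
        "type": PREFIXES.get(m.group("prefix").upper(), "unknown"),
        "family": family,
        "reported_as": raw if aliased else None,
        # A variant letter under an alias is not comparable: the article's
        # w32.Reeezak.A@mm turned out to be Maldal.C.
        "variant": None if aliased or not variant else variant.upper(),
        "mail": MAIL.get((m.group("mail") or "").lower()),
    }

def group_by_family(names):
    """Group detection names by canonical family; collect the unparseable."""
    groups, rejected = defaultdict(list), []
    for name in names:
        parsed = parse_name(name)
        if parsed:
            groups[parsed["family"].lower()].append(name)
        else:
            rejected.append(name)
    return dict(groups), rejected

# Constructed sample: names from the article plus made-up vendor strings.
SAMPLE = ["W32.Anyvirus.A@mm", "w32.Maldal@mm", "w32.Reeezak.A@mm",
          "W32.Zacker.D@mm", "VBS.Hallad", "not a detection name"]
```

Calling `group_by_family(SAMPLE)` puts the Maldal, Reeezak, Zacker and Hallad strings in one bucket and returns the free-text entry separately as unparseable.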