New Virus Takes Top Spot in Sophos January Report
- By Scott Bekker
- 02/01/2001
A new virus entered the fray this month and achieved the number one position in
the Sophos top ten virus report for January 2001.
The virus, W32/Navidad-B, is a spin-off of the W32/Navidad e-mail aware worm and
accounted for 20.7 percent of the viruses reported to Sophos. It arrives in an
email message with an attachment called EMANUEL.EXE. Once the attached program
is launched, it displays a dialog box containing the text ";)" and
then attempts to read new email messages and to send itself to the senders'
addresses. The worm copies itself into the Windows system directory with the
filename WINTASK.EXE and changes the registry so that it runs on Windows startup
and before any file is run.
W32/Apology-B continued to be a major problem for IT
administrators, ranking as the second most reported virus in January 2001 after
holding the top spot in December 2000.
A variant of the W32/Apology
virus, Apology-B is a file infecting virus with email-aware worm and backdoor
characteristics.
When the virus detects the user sending an email, it will send another to the same
recipient. Apology-32 also attempts to block user access to Web sites with
information about viruses.
Holding the number three position once again was W32/Hybris-B, a worm capable of
updating its functionality over the Internet. W32/Hybris-B consists of a base
part and a collection of upgradeable components, which are stored within the
worm body encrypted with 128-bit strong cryptography.
When run, the worm infects WSOCK32.DLL. Once an infected user sends an email, the
worm attempts to send a copy of itself as an attachment to a separate message
to the same recipient.
The number four through seven spots were held by VBS/Kakworm, W32/Prolin,
W32/Hybris-C, and VBS/Lovelet-AS, all of which held spots in the December 2000
top 10 virus report.
Although it did not have nearly the effect of Navidad-B, there was also another new virus
called W32/Hybris-D that was reported by 2.0 percent of respondents during
January. A variant of Hybris-B, this virus shows many of the same
characteristics.
Tied for the eighth position with Hybris-D was W32/Qaz, a re-entry into the top 10
after not making the list in the December 2000 report.
A worm that has backdoor Trojan characteristics, Hybris-D will search for a copy
of NOTEPAD.EXE and rename it to NOTE.COM. The worm then copies itself to the
computer as NOTEPAD.EXE.
Each time NOTEPAD.EXE is executed, the worm will run and then launch the untampered
version of NOTE.COM to avoid being noticed by the user.
The worm makes changes to the system registry in order to execute itself every time
the system is booted. The real danger is that it allows remote hackers to
connect and gain access to the affected computer when it is connected to the
Internet.
The final position was held by W32/Bymer-A. Overall, the top ten viruses accounted
for 76.5 percent of the viruses reported to Sophos in January 2001. – Jim Martin
About the Author
Scott Bekker is editor in chief of Redmond Channel Partner magazine.