New Virus Takes Top Spot in Sophos January Report
- By Scott Bekker
A new virus entered the fray this month and achieved the
number one position in the Sophos
virus report for January 2001.
virus, W32/Navidad-B, is a spin-off of the W32/Navidad e-mail aware worm and
accounted for 20.7 percent of the viruses reported to Sophos. It arrives in an
email message with an attachment called EMANUEL.EXE. Once the attached program
is launched, it displays a dialog box containing the text ";)" and
then attempts to read new email messages and to send itself to the senders'
addresses. The worm copies itself into the Windows system directory with the
filename WINTASK.EXE and changes the registry so that it runs on Windows startup
and before any file is run.
W32/Apology-B continued to be a major problem for IT
administrators, ranking as the second most reported virus in January 2001 after
holding the top spot in December 2000.
A variant of the W32/Apology
virus, Apology-B is a file infecting virus with email-aware worm and backdoor
the virus detects the user sending an email, it will send another to the same
recipient. Apology-32 also attempts to block user access to Web sites with
information about viruses.
the number three position once again was W32/Hybris-B, a worm capable of
updating its functionality over the Internet. W32/Hybris-B consists of a base
part and a collection of upgradeable components, which are stored within the
worm body encrypted with 128-bit strong cryptography.
run, the worm infects WSOCK32.DLL. Once an infected user sends an email, the
worm attempts to send a copy of itself as an attachment to a separate message
to the same recipient.
number four through seven spots were held by VBS/Kakworm, W32/Prolin,
W32/Hybris-C, and VBS/Lovelet-AS, all of which held spots in the December 2000
top 10 virus report.
it did not have near the effect of Navidad-B, there was also another new virus
called W32/Hybris-D that was reported by 2.0 percent of respondents during
January. A variant of Hybris-B, this virus shows many of the same
for the eighth position with Hybris-D was W32/Qaz, a re-entry into the top 10
after not making the list in the December 2000 report.
worm that has backdoor Trojan characteristics, Hybris-D will search for a copy
of NOTEPAD.EXE and rename it to NOTE.COM. The worm then copies itself to the
computer as NOTEPAD.EXE.
time NOTEPAD.EXE is executed, the worm will run and then launch the untampered
version of NOTE.COM to avoid being noticed by the user.
worm makes changes to the system registry in order to execute itself every time
the system is booted. The real danger is that it allows remote hackers to
connect and gain access to the affected computer when it is connected to the
final position was held by W32/Bymer-A. Overall, the top ten viruses accounted
for 76.5 percent of the viruses reported to Sophos in January 2001. – Jim Martin
Scott Bekker is editor in chief of Redmond Channel Partner magazine.