Sophos: Klez worm is simply the best in 2002

In a year that saw a number of high profile virus and e-mail worm outbreaks, the Klez worm topped the charts and was the most frequently occurring virus in 2002, according to statistics released Wednesday by antivirus company Sophos PLC.

Klez, which first appeared in the waning months of 2001, accounted for 24 percent of all viruses reported to customer support representatives at the UK antivirus company in 2002, Sophos said.

The worm, which has a number of variants, exploits a vulnerability in Microsoft's Outlook and Outlook Express and is unleashed when users open or even preview an e-mail message carrying the worm.

Klez also inserts the virus W32.ElKern.3326 on infected machines.

The worm has exhibited a knack for survival, steadily infecting new users more than a year after its initial appearance and despite the almost simultaneous release of software patches and antivirus signatures designed to thwart it, according to Chris Wraight, a technology consultant at Sophos.

But Wraight says the reasons for Klez's success in 2002 have less to do with the design of the worm than with the fallibility of humans who fail to update their antivirus software to protect against it.

"A lot of the users who got infected (with Klez) were home users who, for whatever reason, didn't update their antivirus software," Wraight said. "Maybe the antivirus software came with their computer, but they didn't realize that they have to sign up for the subscription service to get updates."

Still, the persistence of Klez sets it apart from its predecessors, such as LoveBug, which dropped from visibility soon after it first appeared, Wraight said.

Slightly behind Klez on Sophos' list of the top ten viruses was the Bugbear worm, which came on strong with 17 percent of all incidents, having only surfaced in October.

Reported incidents of that worm have fallen off sharply in recent weeks, however, and Wraight said that he does not expect Bugbear to have much visibility in 2003.

Among the new virus trends Sophos identified in 2002 was the use of so-called 'sender-forging,' in which legitimate e-mail addresses are swapped in to replace the address of the real sender of the worm.

Sender-forging adds to the confusion that often surrounds the origin of a worm outbreak and can often foster ill will between worm recipients and innocent companies or individuals whose e-mail address was co-opted by the worm, Wraight said.

In the case of the Klez-H variant of the Klez worm, for example, e-mail addresses belonging to a number of prominent antivirus companies including Sophos were swapped in as the sender address for e-mails containing the worm. That prompted a number of angry calls and e-mails from individuals who became infected after opening the e-mail messages, according to Wraight.
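As an added illustration of the sender-forging described above (example code, not from the article or from Sophos): a small defender-side check that parses a message's headers and flags it when the visible From: address disagrees with the origin recorded in Return-Path: and the earliest Received: hop. The sample message and all host and domain names in it are constructed placeholders.

```python
# Added example: flag a message whose From: header does not match where the
# message actually came from, the pattern the article calls 'sender-forging'.
# The sample message below is constructed; its domains are placeholders.
import email
import re
from email import policy

# Constructed sample: From: claims an antivirus vendor, but the envelope
# sender and the first-hop Received: line point at an unrelated dial-up host.
SAMPLE = """\
Return-Path: <someone@home-isp.example>
Received: from dialup-123.home-isp.example (dialup-123.home-isp.example [192.0.2.10])
    by mx.recipient.example with SMTP; Wed, 18 Dec 2002 10:00:00 +0000
From: support@antivirus-vendor.example
To: victim@recipient.example
Subject: a special new game

see attachment
"""

def header_domain(addr):
    """Return the lower-cased domain part of an address like 'x@y', or None."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else None

def received_domains(msg):
    """Host names in the 'from <host>' clause of each Received: header."""
    found = []
    for rcvd in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([\w.-]+)", rcvd)
        if m:
            found.append(m.group(1).lower())
    return found

def looks_sender_forged(raw):
    """Return (flag, reason); flag is True when From: disagrees with the origin."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = header_domain(msg.get("From"))
    rp_dom = header_domain(msg.get("Return-Path"))
    hops = received_domains(msg)  # newest hop first; the earliest hop is last
    if from_dom is None:
        return True, "no From: domain"
    if rp_dom and rp_dom != from_dom:
        return True, f"Return-Path domain {rp_dom} != From domain {from_dom}"
    if hops and not hops[-1].endswith(from_dom):
        return True, f"origin host {hops[-1]} is not under From domain {from_dom}"
    return False, "consistent"
```

A match between these headers proves nothing on its own, so the check is a triage signal to pair with signature scanning, not a verdict.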

Those types of tricks -- often referred to as 'social engineering' -- will continue to be used and continue to work in 2003, with virus writers also using bait such as pictures of music and film stars and politicians to entice people to open file attachments containing viruses, Sophos said.

"Social behavior being what it is, those tricks are going to continue to work. Even though we encourage people not to click on attachments, they still do it. It's still going to happen," Wraight said.

With the continued growth in the use of Microsoft's Windows operating system, Wraight said that so-called Win32 viruses and worms targeting that company's products will continue to proliferate.

"Virus writers are writing for the most common and most connected platforms. They travel the fastest and farthest," Wraight said.

In addition, most virus-writing kits that streamline the creation of new viruses are written for the Windows platform, according to Wraight.

Worms targeting instant messaging applications such as America Online's AOL Instant Messenger will continue to be a threat in 2003, according to Sophos. Viruses written in new languages such as Microsoft's C# are also possible, the company said.

But Wraight was skeptical that viruses targeting the growing number of mobile devices and personal digital assistants (PDAs) would surface in the next year.

"I think it's probably not an issue until 2004. The connectivity isn't there yet and the devices themselves aren't capable of it," Wraight said.

As with other viruses targeting traditional computers, Wraight said that keeping the desktop antivirus software up to date on computers that synchronize with PDAs is crucial to preventing outbreaks on that platform as well.