Sobig worm variants dominant on vendors

Despite patches being available for the most threatening worms slithering around the Internet today, variants of the Sobig worm still managed to creep into more systems than any other virus during the month of July, according to two lists compiled by Sophos Inc. and Central Command Inc.

Sophos’ list of most frequently occurring viruses included Sobig.E, accounting for 47.8 per cent of reported attacks by its customers. Other Sobig variants such as Sobig.A, B, and D also appeared on the list at fourth, fifth and eighth place, accounting for 2.7 per cent, 0.9 per cent, and 0.7 per cent respectively. The company publishes a top ten list each month.

Sobig.E placed second at 17.9 per cent on Central Command’s “Dirty Dozen” list of the top 12 most prevalent viruses, with Sobig.A in fourth place at 6.6 per cent and Sobig.C at 4.2 per cent of reported attacks.

“What’s interesting about the Sobig virus is that each variant – if you look at the code inside the virus – has a built-in time bomb. It stops being operational after a certain date,” explained Chris Belthoff, senior security analyst at Sophos, based in Lynnfield, Mass. “It almost looks like the virus writer was using [this strategy] to test different methods of attacking systems.”

He said that as soon as one variant expires, a new variant appears which attacks and exploits systems differently than its predecessors.

The Bugbear.B worm also featured prominently, accounting for 17.6 per cent of reported attacks by Sophos’ users and for 17.6 per cent of those reported by Central Command’s clients.

The Klez worm also hasn’t disappeared from the scene yet, topping Central Command’s list at 19.2 per cent and third at 5.9 per cent on Sophos’ list – it has been on Sophos’ top ten list for the past 18 months.

Steven Sundermeier, product manager at Central Command Inc. in Medina, Ohio, said that the Klez worm has shown a vast amount of staying power and has been included among Central Command’s Dirty Dozen for 12 out of the past 15 months.

While the good news is that there have been no significant new viruses appearing in the last month, the bad news is that people still aren’t taking the initiative to upgrade their systems and that today’s viruses employ more attack methods and different ways of proliferating, according to the security firms.

Both Sundermeier and Belthoff said there is still a problem of home users not deploying adequate virus protection on their computers, and since many worms and viruses are spread via e-mail, home users in many cases are stretching out the lives of these worms.

E-mail is not the only channel spreading these viruses: virus writers have also been jumping on peer-to-peer (P2P) applications such as instant messaging (IM) and file-swapping programs such as Kazaa.

In addition, virus writers are becoming more creative, turning their work into what Belthoff refers to as blended threats, meaning the virus tries multiple methods to break systems down. These include trying to disable antivirus programs as well as attempting to log user keystrokes in an effort to obtain user names and passwords.

However, it’s not just viruses that cause system bottlenecks and grief for IT personnel. Internet hoaxes can also be damaging, causing users to delete legitimate files such as the JDBGMGR file, which accounted for 12.1 per cent of reported hoaxes by Sophos’ clients. It is a particular pain for IT managers because users will delete the file and then IT will have to waste valuable time restoring it, Belthoff said.

Not only can hoaxes cause hysteria among users, but they also often encourage mass e-mailing, according to Belthoff. For example, the number one ruse this month, accounting for 14.1 per cent of reported hoaxes, has been dubbed the Bill Gates fortune hoax. People are encouraged to add their name and e-mail address to a list and send the e-mail to as many people as possible. The supposed payoff is that Bill Gates will share his wealth with the individuals on the list.

Another hoax prevalent in July was the Hotmail Hoax at 10.8 per cent, an e-mail telling users that their Hotmail accounts will be deleted unless they forward the message to all the Hotmail users they know. Belthoff said the scam was devised by spammers in an attempt to determine which Hotmail accounts are active.
