Sophos: Klez worm is simply the best in 2002

In a year that saw a number of high profile virus and e-mail worm outbreaks, the Klez worm topped the charts and was the most frequently occurring virus in 2002, according to statistics released Wednesday by antivirus company Sophos PLC.

Klez, which first appeared in the waning months of 2001, accounted for 24 percent of all viruses reported to customer support representatives at the UK antivirus company in 2002, Sophos said.

The worm, which has a number of variants, exploits a vulnerability in Microsoft's Outlook and Outlook Express and is unleashed when users open or even preview an e-mail message carrying the worm.

Klez also inserts the virus W32.ElKern.3326 on infected machines.

The worm has exhibited a knack for survival, steadily infecting new users more than a year after its initial appearance and despite the almost simultaneous release of software patches and antivirus signatures designed to thwart it, according to Chris Wraight, a technology consultant at Sophos.

But Wraight says the reasons for Klez's success in 2002 have less to do with the design of the worm than with the fallibility of humans who fail to update their antivirus software to protect against it.

"A lot of the users who got infected (with Klez) were home users who, for whatever reason, didn't update their antivirus software," Wraight said. "Maybe the antivirus software came with their computer, but they didn't realize that they have to sign up for the subscription service to get updates."

Still, the persistence of Klez sets it apart from its predecessors, such as LoveBug, which dropped from visibility soon after it first appeared, Wraight said.

Slightly behind Klez on Sophos' list of the top ten viruses was the Bugbear worm, which came on strong with 17 percent of all incidents, having only surfaced in October.

Reported incidents of that worm have fallen off sharply in recent weeks, however, and Wraight said that he does not expect Bugbear to have much visibility in 2003.

Among the new virus trends Sophos identified in 2002 was the use of so-called 'sender-forging,' in which legitimate e-mail addresses are swapped in to replace the address of the real sender of the worm.

Sender-forging adds to the confusion that often surrounds the origin of a worm outbreak and can often foster ill will between worm recipients and innocent companies or individuals whose e-mail address was co-opted by the worm, Wraight said.

In the case of the Klez-H variant of the Klez worm, for example, e-mail addresses belonging to a number of prominent antivirus companies including Sophos were swapped in as the sender address for e-mails containing the worm. That prompted a number of angry calls and e-mails from individuals who became infected after opening the e-mail messages, according to Wraight.

Those types of tricks -- often referred to as 'social engineering' -- will continue to be used and continue to work in 2003, with virus writers also using bait such as pictures of music and film stars and politicians to entice people to open file attachments containing viruses, Sophos said.

"Social behavior being what it is, those tricks are going to continue to work. Even though we encourage people not to click on attachments, they still do it. It's still going to happen," Wraight said.

With the continued growth in the use of Microsoft's Windows operating system, Wraight said that so-called Win32 viruses and worms targeting that company's products will continue to proliferate.

"Virus writers are writing for the most common and most connected platforms. They travel the fastest and farthest," Wraight said.

In addition, most virus-writing kits that streamline the creation of new viruses are written for the Windows platform, according to Wraight.

Worms targeting instant messaging applications such as America Online's AOL Instant Messenger will continue to be a threat in 2003, according to Sophos. Viruses written in new languages such as Microsoft's C# are also possible, the company said.

But Wraight was skeptical that viruses targeting the growing number of mobile devices and personal digital assistants (PDAs) would surface in the next year.

"I think it's probably not an issue until 2004. The connectivity isn't there yet and the devices themselves aren't capable of it," Wraight said.

As with other viruses targeting traditional computers, Wraight said that keeping the desktop antivirus software up to date on computers that synchronize with PDAs is crucial to preventing the outbreak on that platform as well.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments


James Cook University - Master of Data Science Online Course

Learn more >


Victorinox Werks Professional Executive 17 Laptop Case

Learn more >



Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?