The Top Ten most prevalent computer viruses during August were:
- W32/Yaha.E-mm – 367,158
- W32/Klez.H-mm – 332,343
- W32/SoBig.E-mm – 188,235
- W32/BugBear.B-mm – 108,206
- W32/SoBig.A-mm – 63,076
- W32/Yaha.K!e2a2 – 51,669
- W32/Klez.E-mm – 51,078
- W32/SirCam.A-mm – 37,123
- W32/Yaha.P-mm – 34,994
- W32/Ganda.A-mm – 9,383
Commentary: August 2003
Of late, the virus writers have been focusing on the development of new and unusual ways of using social engineering to entice you into activating their malware.
Mimail, for example, is an exceedingly cunning virus, so much so that even the most virus-savvy individuals out there can be duped into opening the file. The virus spoofs the sender address to fool you into thinking that it has been sent by your administrator. Thus, if you worked at The Big Safe Security Company, the e-mail would be from: admin@thebigsafesecurityco.com
The body of the text then continues: "Hello there. I'd like to inform you about important information regarding your e-mail address. This e-mail address will be expiring. Please read attachment for details. Best regards, Administrator."
The attachment is a ZIP file containing an HTML file. This combination is likely to pass through most gateways which are trying to block EXE files. Opening the HTML file triggers an exploit that creates and runs an EXE file – the mass-mailing virus. The virus then mass-mails itself to e-mail addresses it collects from your hard drive.
Another growing trend is the business of identity theft. Criminals have been faking company web sites and registering domain names similar to well-known organisations so that users are conned into giving their credit details on the web site and trusting any e-mails (for instance, asking for password confirmation) that appear to have been sent from the domain. The anonymity of the site also acts as a useful medium to disseminate viruses without being traced.
Our advice? Keep an eye out to ensure that e-mails you receive – in particular those where you're being asked to give personal details – are from a genuine source. The giveaway could be something as subtle as a "-", an abbreviation or simply a wrong spelling.
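The three giveaways named above (a "-", an abbreviation, a wrong spelling) can also be checked mechanically on the domain part of a sender address. The following is an added example, not part of the original bulletin or of any MessageLabs product; the trusted-domain table, the word split of the fictional company name and the edit-distance threshold of 2 are assumptions.

```python
# Added example. The trusted table is constructed from the article's fictional company.
TRUSTED = {"thebigsafesecurityco.com": ["the", "big", "safe", "security", "co"]}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_abbreviation(label, words):
    """True if label is built from prefixes of the words, in order (words may be skipped)."""
    reachable = {0}                      # offsets in label matched so far
    for word in words:
        step = set(reachable)            # skipping this word is allowed
        for pos in reachable:
            for k in range(1, len(word) + 1):
                if not label.startswith(word[:k], pos):
                    break
                step.add(pos + k)
        reachable = step
    return len(label) >= 3 and len(label) in reachable

def classify(sender_domain, trusted=TRUSTED):
    """Return (verdict, trusted_domain) for the domain part of a sender address."""
    cand = sender_domain.strip().lower().rstrip(".")
    if cand in trusted:
        # The name is right, but a From: line can be forged (as Mimail does),
        # so an exact match is not proof of origin.
        return ("exact", cand)
    label, _, suffix = cand.partition(".")
    for real, words in trusted.items():
        real_suffix = real.partition(".")[2]
        if "-" in cand and cand.replace("-", "") == real:
            return ("hyphen", real)
        if edit_distance(cand, real) <= 2:       # threshold is an assumption
            return ("misspelling", real)
        if suffix == real_suffix and is_abbreviation(label, words):
            return ("abbreviation", real)
    return ("unrelated", None)
```

A verdict of "hyphen", "misspelling" or "abbreviation" marks a look-alike of a trusted name and is a reason to quarantine the message for review rather than deliver it.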
Lastly, the MsBlast worm has been causing problems. This virus doesn't spread by e-mail (and thus doesn't show up on our monthly statistics bulletin). Instead, it uses a code exploit to spread between machines. Although anti-virus software can detect and remove the files which this virus creates, the problem will recur until the software that allows the code exploit is fixed.
Therefore, for this particular virus it's important to update your anti-virus and operating system software at the same time.
You might also review your firewall configurations (the virus spreads using a port which your organisation might well be able to block off using an existing firewall).
Source
SMT
Postscript
This section of Secure IT is supplied by MessageLabs. MessageLabs scans e-mail traffic at the Internet level, such that the company is able to compile the most accurate virus statistics available. Take a look on the Internet at: www.messagelabs.com