[ISN] Chernobyl virus rides Klez's coattails

From: InfoSec News (isnat_private)
Date: Tue May 07 2002 - 23:13:25 PDT

  • Next message: InfoSec News: "[ISN] 'Dr. Chaos' indicted in Wisconsin utility attacks"

    Forwarded from: Christian Wright <cwat_private>
    By David Becker 
    Staff Writer, CNET News.com
    May 6, 2002, 12:30 PM PT
    The Klez worm just keeps on giving. 
    The persistent pest, which made a strong comeback last month in the
    form of the Klez.h variant, is now helping revive the Chernobyl virus,
    according to a new report from antivirus company Symantec.
    The report says that a virus known as W95.CIH.1049, a slight variation
    of the W95.CIH bug dubbed the Chernobyl virus when it began spreading
    four years ago, has been detected in recent infections of the Klez
    worm. The main difference with the new virus is that it's set to
    activate on Aug. 2 of every year, as opposed to the April 26 attack
    date of the original Chernobyl.
    Vincent Weafer, senior director of Symantec's Security Response team,
    said the company began seeing Chernobyl-infected messages last week,
    but they continue to account for only a handful of the thousands of
    Klez infested messages the company sees daily. Weafer said the viral
    bonus wasn't intentional but rather a by-product of Chernobyl-infected
    PCs also propagating the Klez worm.
    "As far as (Chernobyl) is concerned, the Klez worm is just another
    file to infect," Weafer said. "It's quite common to see piggybacking
    effects when you have worms that have been propagating for a long time
    in the world."
    Even though Chernobyl is ancient by virus standards and easily
    detected by almost any antivirus software, Weafer said it's not
    unusual to have bugs still making the rounds years after their debut.
    "When you look back at viruses, you see recurrences," Weafer said.  
    "They can live for many years out in the wild."
    The first version of the Klez worm surfaced early last year, with
    subsequent variations causing damage ranging from moderate to minor.  
    Bug writers hit pay dirt with the Klez.h variant, however, which
    quickly became one of the most active worms ever after it surfaced
    last month.
    Moscow-based security company Kaspersky Labs recently ranked Klez as
    by far the most active e-mail threat in April, responsible for 94.5
    percent of all incidents reported during the month.
    British e-mail screening firm MessageLabs ranks Klez.h as No. 3 on its
    list of all-time most active computer pests, with more than 391,000
    infections intercepted. At current rates of infection, Klez.h should
    surpass the No. 2 bug, BadTrans.b, in a few days. It'll have a long
    way to go, however, to catch the all-time champ, the SirCam worm,
    still going strong with more than 748,000 interceptions to date.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed May 08 2002 - 02:36:46 PDT