World Gets Caught In Wormy Situation

The email is both a boon and bane, serving as a killer application not only for the normal business executives, but also for deviants such as virus/worm perpetuators.

“According to the ICSA (International Computer Security Association), 87 percent of the viruses/worms are now from emails,” said Anthony Kuo, regional product manager, Asia region, global marketing, Trend Micro Incorporated.

And judging from the current situation, worms are more problematic than viruses.

“A virus might rapidly infect every application file on an individual computer, or slowly infect the documents on that computer … but virus outbreak begins only when we send e-mail document attachments, trade programs on diskettes, or copy files to file servers,” stated in a Symantec’s whitepaper,

“Worms, on the other hand, are insidious because … it spreads itself to many computers over a network, without us doing anything,” it added.

More Lethal Each Time

“Melissa, which surfaced in 1999, can be considered as the first major email hoax; a sort of breakthrough for the virus writer because of speed in which it spreads and the use of a new programming language, visual basis,” said Kuo.

According to F-Secure,, Melissa spreads by e-mailing itself automatically from one user to another. When the virus activates, it modifies a user’s documents by inserting comments from the TV series “The Simpsons”. Even worse, it can send out confidential information from the computer without users’ notice.

Many of the viruses/worms that came after Melissa can be even more malicious as they combine all the lethal characteristics of past viruses/worms and new characteristics of their own.

According to a CNN report, ILOVEYOU, a hybrid virus and worm that hit the world in 2000, works like Melissa in that it propagates itself through emails. But it is also more destructive and destroys and replicates itself by manipulating files, in this case JPEG and MP3 files on a user’s hard drive, like a traditional virus. Where Melissa sends copies to the first 50 addresses, ILOVEYOU copies to all the addresses.

Then came others such as Code Red and Nimda in 2001. The former is a blended threat that launches Denial-of-Service attacks on designated IP address, defaces Web servers and leaves a Trojan horse behind for later execution (as with Code Red II), said Symantec.

Nimda, on the hand, is the first worm to modify existing Web sites to start offering infected files for download. It is also the first worm to use normal end user machines to scan for vulnerable Web sites. This technique enables it to easily reach intranet Web sites located behind firewalls – something worms such as Code Red couldn’t directly do, said F-Secure.

According to the Computer Economics, about $1.1 billion was spent on cleaning up several servers infected with Code Red and inspecting millions more. Another $1.5 billion was attributed to the resulting downtime and lost of productivity of users, support and other staff responsible for assisting end users, IT and customers worldwide. Meantime, the worldwide economic impact of Nimda was US$530 million and 2.2 million systems were infected in just 24 hours.

The ‘wormy’ situation that most of us are struggling with now is with the Klez worm (see Tables 2 & 3).

According to The Newpaper, Klez hides the executable files of programs in your PC and replaces them with a bogus file, which may make the programs unusable. It may also disable some anti-virus programs.

The worm could also arrive with any one of the 120 subject titles such as “congratulations”, “darling”, “garden of eden”, “eager to see you”, “japanese lass’ sexy pictures”. Worst of all, it even disguises itself as a cure with the title, “Worm Klez.E Immunity.”

No One Left Unscathed

When compared to the US, Asia is not any less vulnerable to virus/worm attacks.

Kuo explained: “When it comes to sheer numbers of infections, the US generally leads the pack due to the much higher penetration of computer literacy, computer and Internet usage among the population.” (See Table 1)

But there are no geographical boundaries when it comes to virus/worm attacks because it is very easy for them to spread to anywhere in the world via the Internet. In addition, virus/worm perpetuators are found everywhere in the world, not just the US.

“For instance, the ILOVEYOU virus originated from the Philippines; the CIH (also known as Chernobyl) virus from Taiwan while the AnnaKournikova virus was said to be from Argentina,” Kuo said.

According to Trend Micro, there are already more than 30,000 viruses/worms in existence and the number will proliferate further.

Unfortunately, there isn’t a full-proof method in preventing new viruses/worms from infecting our networks or PCs.

All major vendors such as F-Secure, Symantec and Trend Micro have world-class facilities to test and analyze virus pattern files, deliver fix for viruses and send out alerts to clients once a major breakout is detected. Users are also advised not to open any suspicious looking emails and they are to update their anti-virus software every now and then.

Some vendors even monitor discussion groups to check for any tell tale signs of a would-be virus/worm making its world debut said John Schwarz, president and COO of Symantec. After all, W97M/Melissa was initially distributed in an Internet discussion group called, added F-Secure. It stated that that the virus was sent in a file called LIST.DOC, which contained passwords for X-rated Web sites.

But there is only so much we can do. When ILOVEU and JOKE.STAGES virus hit the world in 2000, all the leading anti-virus solutions were unable to detect and remove them for many hours.

“No one solution can offer a 100 percent guarantee, and in the case of a new virus, the chances are that most anti-virus solutions will be similarly crippled,” said Chua Kim Chuan, director of IS security of Singapore Telecommunications (SingTel), a Trend Micro’s client.

When the ILOVEU virus hit SingTel, it realized that technology alone was not enough. It’s IT security team now spends substantial effort in improving the communications with the end users and local area network (LAN) administrators and share information relating to virus incidents.

It’s LAN administrators island-wide are kept notified by the IT Security team on virus incidents in the organization and are also able to see online the types of viruses that are on the network, or those that are attempting to gain access through floppy drivers or email gateways.

Tougher Deterrents

Tracking down hackers and perpetuators of virus/worm could prove to be a mammoth task but the European Commission has recently proposed to put these cyber criminals behind bars for at least a year. Many, except the would-be virus/worm perpetuators and hackers of course, welcome the law that is still under review.

The US has already taken the lead in this area and has convicted David L. Smith, creator of the Melissa virus, and sentenced him to a 20-month jail term. It’s high time that harsher laws are put in place to discourage, if not totally clamp down, unwarranted activities that affect an enterprise’s and user’s productivity.

Table 1 Shows The Number of Computers Infected In Some Countries By The Various High-Profile Viruses/Worms

Countries Worm.Klez.H (since April 17, 2002)Nimda-AO (since Sept 22, 2001)Code Red (since Aug 6, 2001)VBS_Love Lttr.Be (since Aug 28, 2000)Melissa. A (since Dec 6, 1999Total %
North America90,504304,6663836,81615,742447,76640.32
South America14,1521,22605393,91019,8271.79
Australia/New Zealand6,43571,42033,95528482,0977.39
Total 208,428817,23310154,11130,7511,110,624100

Source: Trend Micro, Incorporated

Table 2 Shows The Top 10 Viruses Infecting Computers In Asia, N.America and Europe In The Last 30 Days

Top 10 Virus, Asia (Past 30 Days) No. of Infected Computers (as of May 7, 2002)Top 10 Virus, North America (Past 30 Days)No. of Infected Computers (as of May 7, 2002)Top 10 Virus, Europe (Past 30 Days)No. of Infected Computers (as of May 7, 2002)
PE_Nimda.A20,115Worm_Gone A58,694PE_Nimda.E46,567

Source: Trend Micro World Virus Tracking Center, 14:15-14:30, GMT+08:00

Table 3 Shows The Top 10 Viruses Infecting Computers In The World In The Last 30 Days

Top 10 Virus, Worldwide (Past 30 Days) No. of Infected Computers ( as of May 7, 2002)

Source: Trend Micro World Virus Tracking Center, 14:15-14:30, GMT+08:00

News Around the Web