Monday, November 28, 2005

10 Most Infamous Worms

Which worms have been the most troublesome over the years? April Goostree, virus research manager at McAfee, offers this list of the most destructive worms.

1. LoveLetter: LoveLetter replaces several types of files with copies of the worm, sends copies of an infected HTML (Hypertext Markup Language) document to IRC (Internet Relay Chat) channels, and sends copies of itself to everyone in an infected user’s address book.
2. Nimda: Nimda propagates through email, shared networks, vulnerable IP (Internet Protocol) addresses, backdoors, and web sites, helping it spread quickly, flood systems, and cause DoS (denial of service) attacks. Nimda also can create Guest accounts with Administrator privileges on infected Windows NT and Windows 2000 systems.
3. Code Red: Code Red alters web page content and causes DoS attacks, among other things. In addition, it previously tried to shut down the server administering the White House’s web site.
4. SirCam: The SirCam worm propagates through a shared network or embeds itself in an email attachment. Once activated, SirCam violates the privacy of its victims by attaching itself to random files on a user’s hard drive and forwarding those files to people in the user’s address book.
5. Klez: When the Klez worm runs, it installs code to overwrite files and creates a Registry key to launch the worm whenever the user restarts Windows. Then, every eight hours, Klez searches for other vulnerable systems to attack, but due to a glitch in Klez’s programming, it only searches the diskette drive.
6. Hybris: This worm arrives as an email attachment to a message with a subject line that reads “Snowhite and the seven Dwarfs – The REAL Story!” After a user opens the attachment, Hybris monitors the user’s email program so that each time the user sends an email message, Hybris immediately sends a second message to that same recipient by forwarding a copy of the infected Snow White message.
7. Badtrans: This worm replies to unread messages in Microsoft Outlook, and within the replies, it includes a copy of itself, as well as a backdoor Trojan horse. The worm then creates a Registry key that will load the Trojan horse whenever the user starts Windows.
8. Melissa: The Melissa macro virus’s worm component, which helps it propagate rapidly, is what makes Melissa so destructive. When Melissa launches, it sends copies of an email message containing the Melissa attachment to the first 50 people in the infected user’s address book.
9. Magistr: Magistr searches for email addresses in Microsoft’s Outlook and Outlook Express clients, as well as Netscape’s email client. Next, Magistr sends messages containing infected attachments to each email address it finds. Magistr’s payload includes code that erases data from the hard drive and may even erase information from the BIOS (Basic Input/Output System).
10. This worm sends replies to email messages and includes a note in the message body that says, “I received your email and I shall send you a reply ASAP. Till then, take a look at the attached zipped docs.” If the recipient opens the attachment, the worm changes specific files by making them only 0 bytes long and then alters shared systems so that they, too, will run the worm when they restart.