Donate SIGN UP

What were the most popular computer viruses this year

00:00 Mon 10th Dec 2001 |

Asks Jemima

A. A recent list compiled by computer security company Sophos rated the following viruses in its top ten - based on the number of calls to its helpline: Nimda - 27.2%, Sircam - 20.3%, Magistr - 12%, Hybris - 6.2%, Apology - 3.8, Homepage - 3.6%, Kakworm - 3.1%, Kournikova - 2%, BadTrans - 1.8%, and Navidad - 1.8%.

Q. What type of virus are these or how can I get rid of them

A. They are a mixture of worms and Trojan horses.

Nimda: It is a very powerful worm virus, that modifies web documents (e.g. .htm, .html, and. asp files) and some executable files found on the systems it infects, and duplicates itself creating numerous copies of the virus on your system under various file names. It can infect any systems running Microsoft Windows 95, Windows 98, Windows ME, Windows NT and Windows 2000. Servers running Windows NT and Windows 2000 are also vulnerable.

Nimda will usually arrive as an email in two parts. The first part has been identified as MIME type "text/html" by CERT (the Computer Emergency Response Team (CERT) at the Carnegie Mellon University in the US monitors all viruses and informs users on how to combat them), but to you and me that just means that an email will appear in your inbox that will appear to contain no content or text. A second email will then arrive (known as a MIME type "audio/x-wav") carrying a base 64 encoded attachment identified in the subject line of your email with the suffix readme.exe. All other content in the subject line of an email can vary. You can identify it however, by the size of the attachment, it will always be 57344 bytes.

If you are running Microsoft Internet Explorer version 5.5 or earlier the HTML mail on your system will automatically run the enclosed attachment and infect your machine with the worm, if you have a later system the worm will be triggered by opening the attachment.

A removal patch is available from: http://www.microsoft.com/technet/security/bulletin/MS01-020.asp

Sircam: Sircam is a worm virus that propagates via email using SMTP commands. It sends copies of itself to all addresses listed in an infected user's address book and in temporary Internet cached files. It arrives with a random subject line, and an attachment by the same name. Sircam also propagates via shared network drives.

Sircam arrives as an email attachment with 2 extension names i.e FNAME.EX1.EX2. It arrives in either English or Spanish and reads:

Hi! How are you I send you this file in order to have your advice. See you later. Thanks.

An attachment to either the first or second email contains the worm virus, which when opened copies the worm to files on your PC. It then sends emails to all the addresses in your address book. Instructions on removing this virus are available from

www.symantec.com/avcenter/venc/data/[email protected] and www.europe.f-secure.com/v-descs/sircam.shtml.

Magistr: is a polymorphic virus from Sweden that is capable of mass mailing itself to addresses that it gathers from Outlook/Outlook Express mail folders (.dbx, .mbx files), the sent items file from Netscape, and Windows address books (.wab). The email message may have up to two attachments, and it has a randomly generated subject line and message body. Magistr may send more than one .exe file as an attachment, and may also send non-infected attachments. Magistr's code is encrypted, and uses anti-debugging techniques to avoid detection. Magistr also contains a destructive payload. Instructions on removing this virus are available from www.symantec.com/avcenter/venc/data/[email protected].

Hybris: is also known as the Snow White and Seven Dwarfs virus. It arrives via email from Hahaha, the subject line reads Snowhite and the Seven Dwarfs - The REAL story! And it carries an attachment that can be identified as one of the following: sexy virgin.scr or joke.exe or midgets.scr or dwarf4you.exe. It reactivates itself every full moon, when it will resend attachments to your address book. Instructions on removing this virus are available from www.symantec.com/avcenter/venc/data/w95.hybris.gen.html and www.pchell.com/virus/hybris.shtml

Information on removing the other viruses in Sophos's top ten is available from the following websites:

Apology: www.sophos.com/support/faqs/w32apology.html and www.norman.no/virus_info/w32_mtx.shtml.

Homepage: www.symantec.com/avcenter/venc/data/[email protected]

Kakworm: www.pchell/internet/kakworm.shtml and http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm(Microsoft patch).

Kournikova: www.5star-shareware.com/avc/vlist/anna.html and www.pchell.com/virus/annakournikova.shtml

BadTrans: http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

Navidad: www.symantec.com/avcenter/venc/data/w32.navidad.fix.html and www.mcafee.com/anti-virus/viruses/Navidad/default.asp cid=1956

If you have any other Internet & Technology related questions, please click here

By Karen Anderson

Do you have a question about Technology?