‘Worming’ up the
The good got better and the bad became ugly. PCs have become better, and the viruses that bedevil PC users have become uglier. The two have developed in parallel, but the last five years of the millennium will be remembered more for viruses than for major PC breakthroughs.
Viruses celebrated their 20th birthday in November 2003. Malicious programmers, riding the WWW wave, have done their best to make surfing a pain in the neck. Such malicious programs have become more sophisticated, and there are now almost 60,000 viruses in existence.
As Windows became the new operating system, virus writers found fresh turf to play on. ‘Macro’ viruses that exploited the crude macro-writing facility in MS Word started surfacing, and in 1999 Melissa broke new ground: it combined a ‘macro’ virus with a malicious program that raided the Microsoft Outlook address book to e-mail itself to new victims.
The creator of Melissa, David Smith, was later caught and convicted, but he had given others an idea. The success of Melissa was largely due to the fact that the Net was becoming hugely popular.
So why not piggyback on the WWW, virus writers must have thought, and after Melissa the computer world was never the same. Every year a slew of viruses surface, and every year of this millennium has had at least one virus that wreaked havoc.
Created by Onel de Guzman, a Filipino computer school dropout and self-proclaimed hacker, the virus is known to have incapacitated the Pentagon as well as the British Parliament. Also known as I-Worm.LoveLetter and ILOVEYOU, this VBScript worm spreads through e-mail as a chain letter, using the Outlook e-mail application. The mail subject is "ILOVEYOU" and the body of the message says: kindly check the attached LOVELETTER. Once the attachment is opened, the virus replicates and sends e-mail to all addresses listed in the address book. The virus also spreads via IRC and infects files with the extensions vbs, vbe, js, jse, css, wsh, sct, hta, jpg, jpeg, mp3 and mp2. The executable that the LoveLetter worm downloads from the Web is a password-stealing trojan. LoveLetter was detected globally on May 4, 2000.
The virus that comes in five ‘flavours’ — plain, B, C, D and E — was unleashed on September 18, 2001, and from then on spread quickly. Also known as W32/Nimda@mm, I-Worm.Nimda, Readme and Readme.exe, the virus is a complex one. It spreads itself in attachments and affects Windows OS users. Nimda was the first virus with the capability to modify existing websites, which in turn started offering infected files for download. It also had the ability to reach intranet sites located behind firewalls.
Klez has nearly a dozen variants. The virus created havoc in its various avatars for most of 2002, starting in February. Alleged to have originated in the UAE, the virus e-mails itself from infected machines using a bogus ‘From’ address randomly plucked from the e-mail addresses stored on an infected computer’s hard drive or network. Recipients of the virus-laden e-mails receive newsletters and mailing lists that they never subscribed to. Klez spreads via the Internet attached to infected e-mails. The worm itself is a Windows PE exe file about 57-65 KB in length, written in Microsoft Visual C++. The worm uses an Internet Explorer security flaw to start automatically when an infected message is viewed. In addition to spreading over the local network and in e-mail messages, the worm also creates a Windows .exe file with a random name starting with "K" (e.g., KB180.exe) in a temporary folder, writes the "Win32.Klez" virus into it, and launches the virus.
Sobig is a mass-mailing virus first found on January 9, 2003. It now has seven variants. This virus is capable of sending spam with forged sender information. The worm contains a payload that activates on particular days and downloads programs to run on the infected computer. The sender address is always ‘firstname.lastname@example.org.’ It is a Windows PE exe file, written in Microsoft Visual C++ and compressed with UPX. The file size is 50 KB in compressed form, which doubles when decompressed. While installing, the worm copies itself to the Windows directory as msccn32.exe and registers itself in the system registry auto-run keys. To send out infected messages, the worm uses a direct connection to the default SMTP server.
Just one and a half months into the new year, 20 viruses have already hit Netizens. But none can beat the intensity of MyDoom, the virus that struck on January 26, 2004. MyDoom has two variants, A (aka Novarg or Shimgapi) and B. The former led to the shutdown of the SCO site and the latter is eyeing Microsoft. No wonder both companies are offering $2,50,000 as a reward to whoever identifies the virus writer. Fingers are being pointed at Russia as the country of origin, and the name "Andy" left in the code by the author of the MyDoom virus is the only clue the experts are working on. The virus spreads on the Internet by attaching itself to e-mail error messages, many of which carry the subject line "test." The text of the worm reads: "The message contains Unicode characters and has been sent as a binary attachment." The message really contains a 30 KB file that, when launched on computers running Microsoft’s Windows operating systems, can send out 100 infected e-mail messages in 30 seconds to addresses stored in the computer’s address book and in other documents with the extension names .exe, .scr, .cmd, .pif and .zip. With three million computers affected worldwide at an estimated economic cost of # 30 million, 2004 is already MyDoom year.