ITSD Computing and Communications Services News
September, 2002
Monthly Virus Update: Worms That Forge Emails Continue to Proliferate

The LBNL Virus Wall continued to be busy detecting and destroying viruses and worms last month. The three most common worms, Klez, Yaha and Nimda, share a nasty trait: they forge emails, making it appear that the unwitting person named in the "From" line has an infected computer. In fact these worms choose the "From" address at random from the email addresses they find on the infected computer, so the "From" address is forged and the apparent sender is usually not the infected machine at all. This trait has led to some personal misunderstandings at the Lab.

Read more about how Klez, Yaha and Nimda forge emails.

Once again, the many variants of the Klez worm (5867 instances) were found most frequently. Klez infects the system onto which it is downloaded, then harvests email addresses from address books and other files on that system and uses them to forge the sender names of the infected messages it transmits. More information concerning Klez.

The Yaha worm was discovered and eradicated 3676 times last month, up sharply from the 498 instances of this worm in July, and vaulting it into second place. Yaha arrives as an e-mail attachment with a subject such as "Melt the Heart of your Valentine with this beautiful Screen saver," "Fw: Melt the Heart of your Valentine with this beautiful Screen saver," or something else. The attachment can be a .scr, .bat or .pif file named "valentin." The From field contains a randomly selected email address and is usually not the legitimate sender; as with Klez, email forgery is a key aspect of this worm. More information about this worm.

Third place goes to the Nimda worm, with 140 instances detected and removed. Nimda is an extremely sophisticated worm that has four different infection mechanisms. See http://www.lbl.gov/ITSD/Security/vulnerabilities/nimda-background.html for more information about this dangerous worm.

Most of the worms and viruses seen continued to be written to target Windows systems. And the moral of the story remains the same: keep anti-virus software up to date and refrain from opening attachments from unknown sources.