ITSD Computing and Communications Services News
January, 2003
  Monthly Virus Update: New Worms Turn Up, Old Ones Still Prevalent

You guessed it -- WORM_KLEZ.H with 4,981 instances and WORM_YAHA.G with 660 instances placed first and second, respectively, as the most frequently detected and eradicated viruses trying to make their way through the LBNL virus wall. Several new worms surfaced, however.

One of these new worms is Sobig (also called W32.Sobig, WORM_SOBIG.A, and W32.Sobig-A@mm), which spreads through email and network shares. It harvests addresses from .htm, .html, .txt, .eml, .wab, and .dbx files on the infected system and mails itself to all of them. The message Sobig arrives in shows a sender address of big@boss.com, a subject of "Re: Document," "Re: Sample," "Re:Here is that sample," or "Re: Movies," and an attachment usually named "Untitled1.pif," "Document003.pif," "Movie_0074.mpeg.pif," or "Sample.pif." Note that Windows treats a .pif file as executable, and that "Movie_0074.mpeg.pif" uses a double extension so that it looks like a movie file. When the attachment is run, the worm copies itself into the Windows folder, starts that copy, and adds a Windows Registry entry so that it runs again every time the system starts. Sobig itself causes little damage, but a newer version of the worm also plants a Trojan program named "Backdoor.Delf," which gives attackers remote access to any system it has infected. The worm additionally sends a message to an address at pagers.icq.com, most likely to notify its author of each system it has breached.

Another new worm, W32.Lirva.A (also called Win32.Lirva.A, WORM_LIRVA.A, W32/Avril-A, and W32/Lirva.b@MM), is also infecting Internet-connected Windows systems. This worm spreads mainly by email, but it can also propagate through KaZaA, IRC, and ICQ, and by copying itself to open (unpassworded and universally writeable) shares. It tries to exploit a Microsoft Outlook vulnerability that lets an infected attachment run on the recipient's system as soon as the message is read or previewed, without the user opening the attachment; a patch for this flaw has been available from Microsoft since 2001, so patched systems are not exposed to this part of the worm. Lirva.A also tries to halt anti-virus and personal firewall software on the compromised system. To add to the trouble, it sends any cached dial-up passwords it finds on Windows 9X/Me systems to the worm's author. On the 7th, 11th, and 24th days of the month, Lirva.A points the compromised system's browser at a Web site (www.avril-lavigne.com) and displays animation sequences on the infected system's desktop. Lirva.A's damage is moderate, and this worm is widely distributed.
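Both Sobig and Lirva.A arrive as email with an executable attachment, so the mail gateway is the natural place to stop them. The script below is an added example written for this article, not code from LBNL's virus wall or from any vendor's scanner. It parses a raw message, flags the Sobig indicators quoted above (sender, subject, attachment name), and, more generally, flags any attachment with a Windows-executable extension or a disguised double extension such as ".mpeg.pif". The sample messages are constructed for the example; the extension list and quarantine verdict are the example's own choices.

```python
"""Gateway check for mail-borne worms such as Sobig and Lirva.A (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the article for Sobig.
SOBIG_SENDER = "big@boss.com"
SOBIG_SUBJECTS = {"re: document", "re: sample", "re:here is that sample", "re: movies"}
SOBIG_ATTACHMENTS = {"untitled1.pif", "document003.pif", "movie_0074.mpeg.pif", "sample.pif"}

# Extensions Windows runs on double-click; an unsolicited attachment with one of
# these is suspicious whatever the worm family (list chosen for this example).
EXECUTABLE_EXTENSIONS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs", "js"}


def attachment_names(msg):
    """Collect the filenames of every attachment part in a parsed message."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def classify_attachment(name):
    """Return the reasons (possibly none) that an attachment name looks dangerous."""
    reasons = []
    lower = name.lower()
    if lower in SOBIG_ATTACHMENTS:
        reasons.append("known Sobig attachment name")
    parts = lower.split(".")
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{parts[-1]}")
        if len(parts) >= 3:
            # e.g. Movie_0074.mpeg.pif: the real type is the last extension
            reasons.append(f"double extension disguises .{parts[-1]} as .{parts[-2]}")
    return reasons


def scan_message(raw):
    """Parse a raw RFC 822 message and return ("quarantine"|"deliver", reasons)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    sender = (msg.get("From") or "").lower()
    if SOBIG_SENDER in sender:
        reasons.append("sender matches Sobig")
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in SOBIG_SUBJECTS:
        reasons.append("subject matches Sobig")
    for name in attachment_names(msg):
        reasons.extend(f"{name}: {r}" for r in classify_attachment(name))
    return ("quarantine" if reasons else "deliver"), reasons


def build_sample(sender, subject, attachment_name=None):
    """Construct a test message (constructed data, not a captured worm sample)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("See attached.")
    if attachment_name:
        # A few bytes that merely begin like a DOS/Windows executable header.
        msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 12,
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_string()


if __name__ == "__main__":
    for args in [("big@boss.com", "Re: Movies", "Movie_0074.mpeg.pif"),
                 ("alice@example.org", "photo", "holiday.jpg.scr"),
                 ("alice@example.org", "Meeting notes", "notes.txt")]:
        verdict, why = scan_message(build_sample(*args))
        print(args[2], "->", verdict, why)
```

The name-based checks catch only the variants whose indicators are known; the extension and double-extension checks are what catch the next variant, which is why a gateway should apply both rather than relying on a signature list alone.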

Still another new worm, called the "Iraq oil worm" (also known as "Diatrix," "W32/Lioten," "W32.Lioten," and "I-Worm.Liotenis"), is also spreading. It targets open shares on systems running Microsoft Windows NT, 2000, and XP. The worm generates random IP addresses, connects to any address that answers with file sharing enabled, and then launches a password-guessing attack against that system. If the attack succeeds, the worm copies its code into the system32 directory of the victim and adds a start-up entry so that it runs every time the victim system starts. In other words, any Windows system whose file sharing is reachable from the Internet and whose administrative account has a weak or blank password is a candidate. Although the damage this worm does is minimal, cleaning up after an "Iraq oil worm" infection can be tedious.
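The visible trace of a Lioten-style attack on a file server is a burst of failed logons to its shares from one source address, followed, if a guess hits, by a success from that same address. The detector below is an added example written for this article, not LBNL tooling; it runs over logon-audit lines whose format and contents are constructed here (a real server's audit log would need its own parser), groups failures by source, reports any source exceeding a failure threshold inside a sliding time window, and records whether that source subsequently logged on. The threshold and window are example defaults.

```python
"""Detect password guessing against file shares from logon-audit lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit lines: one worm-like burst that succeeds (192.168.5.77),
# one user mistyping a password (10.0.0.4), one slow scan (192.168.5.78).
SAMPLE_LOG = """\
2003-01-14 02:11:05 src=192.168.5.77 user=Administrator share=ADMIN$ result=FAILURE
2003-01-14 02:11:06 src=192.168.5.77 user=Administrator share=ADMIN$ result=FAILURE
2003-01-14 02:11:07 src=192.168.5.77 user=Administrator share=ADMIN$ result=FAILURE
2003-01-14 02:11:08 src=10.0.0.4 user=jsmith share=home$ result=FAILURE
2003-01-14 02:11:09 src=192.168.5.77 user=Administrator share=ADMIN$ result=FAILURE
2003-01-14 02:11:10 src=192.168.5.77 user=Administrator share=ADMIN$ result=FAILURE
2003-01-14 02:11:11 src=192.168.5.77 user=Administrator share=ADMIN$ result=FAILURE
2003-01-14 02:11:12 src=192.168.5.77 user=Administrator share=ADMIN$ result=SUCCESS
2003-01-14 02:11:40 src=10.0.0.4 user=jsmith share=home$ result=SUCCESS
2003-01-14 02:20:00 src=192.168.5.78 user=Administrator share=C$ result=FAILURE
2003-01-14 02:22:00 src=192.168.5.78 user=Administrator share=C$ result=FAILURE
2003-01-14 02:24:00 src=192.168.5.78 user=Administrator share=C$ result=FAILURE
2003-01-14 02:26:00 src=192.168.5.78 user=Administrator share=C$ result=FAILURE
2003-01-14 02:28:00 src=192.168.5.78 user=Administrator share=C$ result=FAILURE
"""


def parse_line(line):
    """Split 'YYYY-MM-DD HH:MM:SS key=value ...' into a dict with a 'ts' datetime."""
    date, time, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return fields


def detect_guessing(lines, threshold=5, window_seconds=60):
    """Return {src: {"first_seen", "failures", "success_as"}} for sources that
    produced >= threshold failed logons within any window_seconds span."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    totals = defaultdict(int)     # src -> all failures seen
    findings = {}
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "FAILURE":
            totals[src] += 1
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:      # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in findings:
                findings[src] = {"first_seen": q[0], "failures": 0, "success_as": None}
        elif src in findings:
            # a success after a burst means a guess worked: the worm is in
            findings[src]["success_as"] = ev["user"]
    for src, info in findings.items():
        info["failures"] = totals[src]
    return findings


if __name__ == "__main__":
    for src, info in detect_guessing(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

With the defaults only the fast burst from 192.168.5.77 is reported, with its eventual success as Administrator; the slow scan from 192.168.5.78 (one guess every two minutes) only appears if the window is widened, which is the trade-off to keep in mind when tuning such a rule against a patient scanner.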