ITSD Computing and Communications Services News
July, 2003
Monthly Virus Update: Klez.H, Sobig.E and Bugbear.B Worms Dominate

The LBNL virus wall eradicated a total of 5,662 instances of viruses and worms last month. The virus wall statistics for June 2003 were a little more interesting than in many previous months, however, because several worms challenged the destructive Klez.H worm's prevalence. Klez.H was once again found and eradicated more than any other virus or worm with 1,507 instances, but (for the first time in many months) only by a slim margin.

The new Sobig.E worm was nearly as prevalent with 1,444 instances discovered and deleted by LBNL's virus wall. Sobig.E is a mass-mailing worm that also spreads by connecting to unprotected shares. Not as destructive as Klez.H, Sobig.E nevertheless installs executables that need to be removed and makes Registry changes that need to be undone. If your Windows system becomes infected by Sobig.E, you should download and run Symantec's Sobig.E removal tool. You won't be seeing Sobig.E much anymore, however, as it was programmed to become inactive on July 14, 2003. New variants of this worm are, unfortunately, likely to emerge soon.

Coming in a very close third is the Bugbear.B (including the Bugbear.B-O variant) worm with 1,401 instances detected and eradicated. Like Sobig.E, Bugbear.B spreads via email attachments and unprotected shares. This worm alters certain system executables, changes Registry entries, and plants Trojan horse programs that capture users' keystrokes and allow unauthorized remote access to attackers. Bugbear.B can also steal files from infected systems. The best way to clean Bugbear.B from infected systems is to download and then execute Symantec's Bugbear.B removal tool.

A number of LBNL Windows systems have already been infected by Klez.H, Sobig.E and Bugbear.B. In every case these worms would have been unsuccessful if the owners of the systems had been running updated anti-virus software. There are so many new worms and viruses now that it is essential to update this software several times a week, if not daily. Additionally, closing unprotected shares would have helped immensely. Remember, too, to avoid opening attachments sent by people or organizations that you do not know.

One of the newest worm threats is the Sluter-A worm. This worm scans remote systems for unprotected shares and shares protected by weak passwords. If a share that it finds is unprotected, it connects to the share and then copies itself into the system as msslut32.exe. If the share is password-protected, Sluter-A uses a small dictionary of possible passwords to try to gain access to the share. If successful, it copies itself into the system (also as msslut.exe). Once it copies itself, it changes the Registry of the infected system so that it starts whenever the system boots. Clean-up procedures for systems infected by Sluter-A are here.
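The two conditions the article keeps returning to, Registry autostart entries planted by a worm and shares that anyone on the network can reach, can be audited from a Windows system with the script below. It is an added example, not part of the newsletter or of any vendor tool; the filenames come from the article, and the share cmdlets assume Windows 8 / Server 2012 or later.

```powershell
# Added defender-side audit (not from the LBNL newsletter). Checks the Run/RunOnce
# keys for the filenames the article names and lists shares open to Everyone.
# Assumes Windows 8 / Server 2012+ (Get-SmbShare / Get-SmbShareAccess).

$SuspectNames = @('msslut32.exe', 'msslut.exe')   # names quoted in the article
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Find-SuspectRunEntries {
    # Emit one record per Run-key value whose command references a suspect filename
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PowerShell metadata
            foreach ($name in $SuspectNames) {
                if ("$($p.Value)" -match [regex]::Escape($name)) {
                    [pscustomobject]@{ Key = $key; ValueName = $p.Name; Command = $p.Value }
                }
            }
        }
    }
}

function Find-OpenShares {
    # Non-administrative shares where 'Everyone' holds any Allow entry
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow'
        } | ForEach-Object {
            [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Right = $_.AccessRight }
        }
    }
}

"== Run-key entries referencing worm-style filenames =="
Find-SuspectRunEntries | Format-Table -AutoSize
"== Shares granting access to Everyone =="
Find-OpenShares | Format-Table -AutoSize
```

Any share listed in the second table is exactly the kind of "unprotected share" the article says Sobig.E, Bugbear.B and Sluter-A use to spread; restrict it to named accounts or remove it.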