
Internet Fixes

Sneakier spam, wilier worms, more aggravating ads...no wonder it feels like your PC is under assault. Fight back with these simple steps for keeping the latest pests at bay.

Kim Zetter and Dylan F. Tweney


Worms and Viruses: The Nasties Evolve

The year 2002 marked a sharp uptick in the volume of new virus discoveries: Researchers and antivirus outfits cataloged more than double the number of new viruses recorded in 2001. And as 2003 rolls along, the breakneck pace of new virus and worm development shows no signs of abating. Meanwhile, the most persistent and resilient nasties of 2002, such as Klez, still plague our in-boxes and infuriate our associates over the Internet.

Virus writers continue to find new and ever-more-clever ways to deliver malicious code to our PCs efficiently and with potentially devastating consequences. Tantalizing e-mail attachments are still the most favored vector for attacks, but some worms target any widely used program that lets you download files, such as an instant messaging application or a file sharing tool.

Vincent Weafer, senior director at Symantec's Security Response Center, says virus makers are using worms and viruses as a way to plant Trojan horses that in turn allow their creators to exercise full control over your computer, surreptitiously record passwords you type, or steal other information you might value.

Smarter, Quieter Intruders

Historically, viruses targeted only a single vulnerability--a security hole in your copy of Internet Explorer or in your Outlook Express application, for instance.

The Slammer/Sapphire worm attack is a well-known example. It took advantage of a widely known security hole; a patch had been made available for it months earlier, but many computer operators (including some at Microsoft) had not applied the fix.

"It's no longer enough to install an antivirus program and personal firewall," Weafer says. "Users need to keep current with [operating system] patches, configure browser security settings to high, and turn off application features they don't use." Experts recommend that you turn off Windows file sharing (in the Networking control panel) if you don't need to use it, and that you use your firewall to block file sharing on TCP ports 139 and 445. (For more suggestions to lower your risk, see this month's Internet Tips.)

Newer viruses are getting more sophisticated. While the infamous Klez worm relied on Outlook Express to reproduce, Weafer says, worms with built-in mail engines are the future direction of malicious code. Such variants spread independently of e-mail programs, and they can scout for victims anywhere on your hard drive, looking for addresses even in the Web browser cache.

Stealth is becoming a watchword for virus writers. With the notable exception of Slammer, worms and viruses increasingly do their dastardly deeds quietly. When viruses infect lots of computers in a short time, they are quickly detected and eliminated. The new breed waits patiently to strike at new victims. But don't confuse a low-key approach with a low risk: Your infected machine can still be used to plunder your data, attack other PCs, and wreak havoc on a network of connected computers in a home or office.

Home users who think the data on their hard drive is too insignificant to merit a hacker's attention may not realize that the computer itself is often a more attractive target than its contents.

Some intruders take control of PCs for use as a "dead drop" for potentially incriminating data, Weafer says. In these instances, the hacker gains access to a number of PCs and uses each victim's computer as a holding tank for illegal material--such as child pornography or a company's stolen files or passwords. Operating from a PC free of damaging evidence, the hacker can view the files on the victim's machine at a convenient time and in relative safety. If the victim has a broadband connection and leaves the PC powered on day and night, all the better. Simply shutting off your PC when you're not using it is probably the easiest thing you can do to avoid becoming a victim.

Pop Star Virus

Viruses and worms that activate themselves are still in the minority. Most worms require you to open a file attachment or preview its e-mail message before they become active and infect your PC. One recent example: The Avril Lavigne worm (named after the 17-year-old Canadian pop sensation) made its way into the less auspicious top 10 virus charts in January. It spreads via e-mail, IRC, instant messaging, and file sharing networks, scanning for a wide range of vulnerabilities on your system.

Opening the Lavigne worm's executable file or previewing its e-mail message in Outlook Express is all it takes to infect yourself. Its core program, a block of code named Lirva, disables antivirus programs, installs the BackOrifice 2000 Trojan horse on your system, and plants itself all over your hard drive, making it more difficult to remove. It then sends itself to everyone in your e-mail address book, to your entire ICQ contact list, to anyone who downloads your files over Kazaa, and to everyone in your IRC chat rooms. Not connected to the Internet? No problem for Lirva: It will dial up your ISP for you (in the middle of the night).

And someone went to all this trouble just to force you to view the pop singer's home page three days a month? Well, less benignly, the worm also steals the dial-up user names and passwords saved on your hard drive, and it e-mails them to the virus author. And since it installs a Trojan horse remote-control program, any hacker who has the same software can take control of your computer later on. If your PC was infected, use the free Lirva Removal tool to fully restore its health.

The Lavigne worm should serve as a warning to complacent computer users. If Lirva had been programmed to do real harm to the PCs it infects, to spy more closely on the infected user's computer, or to alter data on the hard drive more subtly, the result could have been devastating instead of merely infuriating.

Hackers also take advantage of computers left unattended to send worms through file sharing networks such as Kazaa. A specific vulnerability in Kazaa's pop-up ad program could allow a hacker to execute malicious code directly on your computer. A hacker who manages to pass a malicious ad to Kazaa (or to crack into its ad-serving network) can gain access to your local Windows security zone--and have free rein over your computer. (You can download a workaround.)

The interconnectedness of machines on the Net means that due diligence applies equally to home users and to corporate users, says Weafer, who likens securing a home or business computer to wearing seat belts and obeying traffic laws as you drive.

"We're living in a global community," Weafer explains. "[Computer security] is not only about protecting ourselves, but about protecting everybody else who's living around us."
