2001: The year of the virus

The lexicon of virus names expanded considerably in 2001 as Code Red, SirCam, magistr, Nimda and Pentagone all took turns at running riot over the Internet

2001 brought with it an answer to the paranoia over the Y2K bug that gripped the world in 1999, and its name was Code Red. After a taster of the worm in early July, security experts around the world were quick to predict an Internet meltdown on 31 July, and the security community was on red alert for a disastrous second round of attacks. But the FBI was forced to eat its words when the Internet emerged unscathed on 1 August -- and an embarrassed antivirus industry claimed that the world had been saved by its over-hyped predictions.

That was the Chinese Code Red, which was soon to be followed by the American response known as Code Red II. This more destructive variant attacks the same vulnerability in Microsoft Internet Information Service (IIS) servers, but incorporates the added payload of a back door Trojan, which could allow a hacker to gain control of or access the infected systems. Code Red II also uses the attacked computer's Internet Protocol (IP) address to look for nearby systems to infect, operating on the theory that if there is one vulnerable computer, there could be others nearby.

Code Red demonstrated a coming together of the world's hacking and virus-writing communities. "Virus writers are now deciding to hack into the main routers and the DNS servers of the Internet -- if they manage to get onto this, they will own the Internet," said Neil Cowey, senior virus researcher at McAfee AVERT.

But the greatest virus threat in 2001 came from Windows 32 viruses. The most destructive of these is SirCam -- a network-aware worm which is still spreading at a fast rate. This mass-mailing worm arrives as email with a random subject line that is identical to the attached filename, and purports to be sent by a friend. Once activated, the virus randomly attaches itself to a document in the user's Microsoft Office directory and sends it on to everyone in the address book. In July, SirCam was responsible for leaking corporate documents, password files and, in one case, official FBI documents. The virus was designed to trigger an additional payload on 16 October on computers configured with the European date setting, but a bug in the code meant that this was never activated.

The first big Windows 32 virus to surface this year was called W32/magistr. This polymorphic Windows virus spreads by infecting files and via email. It was first detected on 14 March, and rather than relying on Microsoft Outlook for propagation, it creates its own SMTP mail client and forwards itself to email addresses found on an infected user's hard drive. The virus carries a destructive code which, if triggered, overwrites hard drives, erases CMOS settings and flashes the BIOS chip on the affected system, rendering the computer unusable. Antivirus firm MessageLabs is rating W32/magistr as the second most destructive virus this year, and claims to have detected in excess of 145,000 incidents of the Swedish virus passing through its servers at an Internet level.

But the most sophisticated W32 virus waited until September to surface. Its multi-pronged attack enables it to spread rapidly by email, shared network drives, and most ingeniously by downloading itself from Web pages through a weakness in Internet Explorer. The Nimda virus crashed the internal networks of several international banks, and had a much greater impact on Internet traffic than its predecessor Code Red. Antivirus company Sophos says that Nimda and SirCam together account for more than 50 percent of the most frequently occurring viruses reported in 2001.

Computer worms such as Code Red and Nimda, which use proven hacker exploits to spread, had led some to speculate that virus writers were moving on from writing viruses that require someone to open an attachment to trigger them. But worms that rely on gullible users to spread still had their place in 2001. Viruses such as LoveLetter and Kournikova have long used sexy incentives to entice people to click on them. "Virus writers are increasingly aiming for your loins, using file names that suggest porn movies," said Graham Cluley, senior technology consultant at Sophos.

In December 2001, the mass-mailing Pentagone (or "Goner") worm, written in Visual Basic Script (VBS), threatened to wreak as much havoc as last year's infamous "LoveLetter" email worm. It succeeded in proving that gullible computer users are still their own worst enemy, by disguising itself as a screen saver, and attempting to terminate a number of antivirus products installed on an infected computer when a user double-clicks on it. Antivirus firm MessageLabs said that within 24 hours of Pentagone first appearing, it detected 40,000 copies of the virus. By comparison, MessageLabs detected 50,000 copies of the SirCam virus throughout November.

For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

See ZDNet UK's Christmas & New Year Special for our look at the tech world in 2001, and what's coming up in 2002, plus a shopping guide with reviewers' best buys.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet news forum.

Let the editors know what you think in the Mailroom. And read other letters.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All