
Know your enemy: Past threats

Old viruses shouldn't be thought of as dead and gone but merely lying dormant
Written by Andrew Donoghue, Contributor

Keeping up with the latest patches and virus threats is difficult enough, but security experts claim older viruses can still cause problems even if they aren't hitting the headlines anymore.

Although so-called "legacy viruses" are slowly dying off, some old malicious code is still lying in wait to strike. Alex Shipp, senior antivirus technologist at MessageLabs, says viruses often live on for months and years after they are initially detected.

Statistics from MessageLabs on the day this piece was written show that Klez.H-mm, a worm first seen in April last year, is still doing the rounds and rates as the fifth most active in the preceding 24 hours. Shipp explains that although most businesses will have patched their systems against old malicious code, home users are not so diligent -- providing the perfect breeding ground for legacy threats.

"Older viruses are still out there and every so often they get into company networks again. It only takes one machine to be unpatched," he says.

Larry Bridwell from ICSA says these inactive viruses are analogous to fish thought to have disappeared from the seas. No one thinks much of them until "some fisherman in Madagascar pulls one out on a line."

Although some viruses are likely to burn themselves out as they're too destructive or the virus writer has written an expiry date into the code, some legacy viruses represent a threat to complex environments.

"For a single user it's trivial. If you have a million machines in a number of different places then it's a complex problem to deal with," says Symantec's US-based senior director of Security Response, Vincent Weafer.

MessageLabs' Shipp claims that the antivirus industry has evolved and learned alongside its enemy -- so knowing what has gone before is vital to combating future attacks. He claims the same is true within companies where processes for dealing with previous attacks, such as educating users about opening attachments, will help with the new threats.

"I think we have been all learning as the problem goes on. You need to evolve your defence alongside the threat; things like partitioning off your network so a virus or worm can't spread across the whole company," he says.



Part II: Old viruses shouldn't be thought of as dead and gone but merely lying dormant

To help ensure your antivirus strategy is as bullet-proof as possible, ZDNet UK has compiled this list of the major virus threats over the last three years and how to protect your system from them. For more information on virus protection see the IT Priorities Virus Toolkit.

November 2003: Mimail.j worm
How to recognise and remove the latest Mimail variant, which will try to steal credit card details.

November 2003: Mimail.c worm
The latest variant of the Mimail worm has the potential to launch a denial of service attack if users click on the attachment, which promises 'private photos'.

September 2003: Swen
The Swen virus masquerades as a new Microsoft patch -- find out how to avoid it, and what to do in the case of infection.

August 2003: Sobig.F
A new variant of the Sobig virus, which caused chaos earlier this year. Sobig.F (w32.sobig.f@mm) spreads via email and shared network files and could slow email servers with excessive traffic.

August 2003: Nachi worm
This worm tries to fix MSBlast infections but leaves open another serious vulnerability -- find out how to protect yourself or deal with an infection.

August 2003: MSBlast worm
MSBlast, also known as Lovsan, is an Internet worm that exploits a known vulnerability in Windows 2000, NT, and XP.

October 2002: Bugbear worm
Bugbear contains a Trojan horse that attempts to steal passwords and credit card information. Bugbear (w32.bugbear@mm), also known as Tanatos, is about 50KB long and is compressed with the UPX file compressor.

April 2002: Klez.H
Klez.H (w32.klez.h@mm, also known as Klez.g and Klez.k) is a significant variation of the existing worms Klez.e and Klez.a, and attempts to disable antivirus software when activated.

December 2001: Goner
Besides spreading rapidly by email, and therefore posing a threat to email servers, Goner spreads via ICQ and also shuts down antivirus and firewall protection, leaving your Windows computer vulnerable to other attacks.

September 2001: Nimda
Nimda is a network-aware, mass-mailing worm that infects both desktop Windows users and IIS Web servers alike. Think of Nimda (W32.NIMDA.A@mm) as a combination of Code Red and the mass-mailing worm APost.

July 2001: Code Red
Code Red spreads by scanning the Internet for vulnerable IIS systems, and it is this scanning activity that has the potential to degrade service across the entire Internet.

July 2001: SirCam worm
SirCam is a sophisticated worm that will infect files shared over an open network so most people will never see the original infected email associated with the worm. SirCam (w32.Sircam@mm) also contains a dangerous payload: it may delete all the files on the C drive.

June 2001: MsWorld virus
Borrowing from the success of NakedWife, MsWorld displays a Flash window illustration while mass-mailing everyone you know and attempting to reformat your C: drive.

March 2001: Lion virus
The dangerous Lion worm stalks Linux systems and is worse than the Ramen worm: Lion installs and then hides hacker tools on vulnerable systems.

February 2001: Gnutella worm
When a virus writer succeeds at something new, the virus community calls it a "proof-of-concept" virus or worm. Gnuman is a proof-of-concept worm that only infects users of Gnutella.


