Kaspersky Lab Int. presents a year-end review of events having taken place
in the area of anti-virus security.
Observing the picture of events that have occurred during this year, we must
admit that the situation in the anti-virus field is more complicated as compared
with that in 1999. Just in May 2000 alone, the LoveLetter virus attacked more
than 40 million computers around the world. As reported by the Computer Economics
research center, during the first 5 days of the epidemic, the LoveLetter virus
caused worldwide losses in the amount of US$ 6.7 billion. You may compare these
figures with the report provided by the center in 1999, where they reported
worldwide year-ending losses of US$ 12 billion.
The results of malware development in 2000 are the following:
- E-mail is the undisputed leader among all the available virus propagation
- technological diversification of viruses;
- script and macro viruses are dominant amongst other virus types;
- the first attempt to develop a virus for cellular phones;
- "invisible" viruses have spread throughout the world by exploiting
security breaches in Internet Explorer;
- a new generation of self-updating viruses has appeared
- new viruses using the alternative data streams of NTFS have been detected
- a lot of new viruses have been developed for Linux
Therefore, the question of anti-virus protection in 2000 has once again proved
to be the most critical element in personal and corporate computer protection
E-mail: The best means for virus transport
Vigorous growth in the frequency of virus attacks in 2000 has been accompanied
by substantial changes in the technology of malware development and distribution.
First of all, we would like to emphasize the tendency of more and more viruses
acquiring the ability to self-distribute via e-mail. According to Kaspersky
Lab's department of technical support, about 85% of all registered cases of
computer infection have resulted from those viruses using e-mail for spreading;
therefore, these types of cases have increased by 70% in 2000 as compared to
In connection with this, Kaspersky Lab would like again to emphasize the importance
of installing reliable anti-virus software for e-mail systems. As for a corporate
network, this kind of system should filter e-mail messages on two levels: the
mail server and the workstation.
The increasing attention that virus-writers have been paying to e-mail can
be explained rather simply: the more popular the application, the more virus-writers
are eager to develop viruses for it. Today, e-mail is de facto the standard
for business and private communication. Millions of people worldwide could not
imagine their businesses without this form of communication; so, e-mail's popularity
predetermined the large-scale development of the viruses that spread via this
While taking into account the technological complexity of viruses that have
been detected "in-the-wild" in 2000, we must state their diversification. On
one hand, there have appeared more viruses that are complex, and written using
low-level computer languages. On the other hand, the so-called primitive viruses
- written in Visual Basic Script (VBS) and Visual Basic for Application (VBA)
- have occupied the top places in virus prevalence tables.
The tendency for the technological simplification of viruses may be proved
by the following statistics: about 70% of all the viruses "in-the-wild" are
script-viruses, while macro-viruses constitute another 20%. While both of these
types of computer viruses have a primitive structure and are easy to develop,
they are just as dangerous as any other type of virus. The programming languages
VBS and VBA - used in script and macro-viruses--actually provide as many resources
allowing for the damaging of an infected computer as other, more complex programming
languages. No wonder virus writers prefer the more simple VBA and VBS languages
to the more complicated ones, such as Assembler and C.
Year of the LoveLetter
Kaspersky Lab experts agree that 2000 has been the year of the Love Letter.
The LoveLetter virus (detected on May 5th) in no time at all spread
all over the world, infecting millions of computers. The reasons are the following:
i) A very high speed of distribution. Right after infection, the virus e-mails
itself to entries in the address books maintained by Microsoft's Outlook e-mail
software. Just like the Melissa virus (detected in the fall of 1999), the LoveLetter
virus does its work on behalf of the unaware and unsuspecting computer owner.
ii) The deceptive extension of the files attached to the messages: 'TXT.vbs'.
Many users still believe that text files cannot contain virus code. This is
true, but sometimes this extension may hide a file of another type, in this
case it was a program in Visual Basic Script (VBS).
iii) The author of this virus used a very simple and brilliant psychological
approach: there are not many people that are able to resist the temptation to
read a love letter from an acquaintance.
Here we should remind you of Rabbit - the first script-virus that was detected
in November 1998. Right after it had happened, Kaspersky Lab
forecasted the global epidemic that can be caused by script-viruses (viruses
similar to LoveLetter). At that time, many companies accused Kaspersky Lab of
causing "virus hysteria"; however, in the fall of 2000, Eugene Kaspersky, Head
of Anti-Virus Research at Kaspersky Lab, was vindicated as his prediction was
Currently we know of 80 modifications of the LoveLetter virus that have been
detected by Kaspersky Lab experts. In order to protect our customers and users
from all the possible modifications of this virus, Kaspersky Lab released a
unique technology under the name of Script Checker on May 7th. This
tool allows for the checking of unknown script-viruses. Thanks to the integrated
heuristic mechanism analyzing script-programs, Script Checker reliably protects
Kaspersky® Anti-Virus (AVP) users from all modifications of LoveLetter without
any extra updates needed for the anti-virus database.
Expecting Cell Phone Viruses
It all began on June 6th when the Internet-worm by the name of Timofonica
was detected in Spain. This worm has one peculiar quality: it is capable of
sending meaningless SMS-messages to the cellular phones of the MoviStar network.
This case has caused rumors about the first virus infecting mobile phones. Fortunately,
the reality was not so cruel - except for its SMS-messages, the virus had nothing
in common with cellular phones.
Two months later, the utility
called HSE was detected. This utility is able to send SMS-messages of any
content to the phones operating on several cellular networks in Germany. Unlike
Timofonica, this utility cannot be classified as a virus or Internet-worm. In
fact, this is just a piece of malware that may be used against the cell phone
And finally, on August 30th, the world was made aware of the new
"cellular" virus that had been detected by Web2Wap AS, a Norwegian company.
it turned out later, the Norwegian experts merely had discovered a "hole"
in the protection system of several Nokia cell phone models. This hole allowed
for the locking of the phone keyboard by means of a certain SMS-message. But
this had nothing to do with a virus.
It's worthwhile to emphasize that, currently, the problem of cellular viruses
cannot be considered to be urgent. The main and only reason is that current
cell phones do not have the appropriate hardware environment to support a virus.
The conditions allowing for virus existence are as follows: i) the hardware
should provide the means to create, modify and exchange with the executable
software objects, ii) the hardware should be popular among users and iii) its
protection system must be weak.
However, we can expect the appearance of the first cellular viruses in the
very near future. The MID standard (Mobile Information Device), based on Java
(JavaTM 2 Platform Micro Edition - J2ME) and released on August 19th
by the Sun company and its partners, in fact gives the green light for the development
of the appropriate malware.
In 2000, viruses exploiting a breach (called Scriptlet.Typelib) in the protection
system of Internet Explorer 5.0 frequently have attacked computers. This virus
uses the breach and infects the computer right after an infected message has
been read: you do not even have to start the attached file.
The first virus of this kind (BubbleBoy) was detected in November 1999. One
week before, Microsoft had released the appropriate patch for this breach. But,
despite this fact, during the year the virus called KakWorm infected many computers.
This means that users have a tendency to ignore the advice of anti-virus companies,
and they do not install patches for their software in due course. Because of
this, we would like to advise you once again to install the free patch for your
Internet Explorer 5.0. You may download this patch from here.
In 2000, the so-called self-updating viruses or viruses downloading updates
via the Internet came into vogue. The author of this kind of virus may use this
technology to update old components of the installed malware and to install
new ones without the user knowing about it.
This technology was established in the end of 1999, and the first virus that
used it was Babylonia. In 2000, several more viruses were developed based on
this technology: their names are Sonic and Music, along with others. The Internet-worm
called Hybris is a more advanced user of this technology. This virus is able
to download updates not only from Web sites, but also from newsgroups (alt.comp.virus).
This is very convenient, because site owners close them right after they have
learned that the Web sites are being used by malware to download updates. As
for the newsgroup, it's impossible to do so. Besides, the Hybris author has
implemented another advanced technology that protects the virus from being controlled
by an unauthorized person. He has used a powerful algorithm, encoding the updates
with a digital signature.
Viruses in The Alternate NTFS Data Streams
At the beginning of September, the first virus (Stream)
able to manipulate the alternate data streams (ADS) of the NTFS file system
was detected. According to the Kaspersky Lab report, this virus cannot be considered
as something that constitutes a real threat. But the technology enabling it
to penetrate the additional streams is very dangerous, since only a few anti-virus
scanners are currently able to detect malware in ADS.
To our regret, the story caused an inadequate response from some competitor
anti-virus companies accusing Kaspersky Lab of causing unnecessary alarm amongst
users. Nevertheless, except for their unsubstantiated accusations, our competitors
haven't provided any evidence to prove their theory that additional data streams
are safe. The problem with anti-virus
protection of NTFS is still topical, since during the months that have passed
since the moment the Stream virus was detected, only a few anti-virus scanners
have "learned" how to check for viruses in ADS. Kaspersky Anti-Virus was the
first anti-virus scanner in the world that acquired this ability; this function
was implemented in the version 3.5.
Linux Withstanding the Siege
Increased virus-writer activity in the area of virus development for Linux
has been registered this year. 37 new viruses and Trojans for this operating
system have been detected. Therefore, currently the total number of viruses
for Linux is 43, and what is most remarkable is that in 2000, the quantity of
these viruses has increased 7-fold.
Despite the fact that some species are able to replicate and work independently,
no Linux virus has ever been detected "in-the-wild." Kaspersky Lab experts assume
that this is because the Linux desktop standard is not as popular as its competitors.
The most interesting member of the Linux virus family is Siilov. It is the
first Linux virus that works in background mode, and is able to infect files
in real-time mode.
Virus Hoaxes Continue
Virus hoaxes have continued to shake the world in 2000. This term describes
a false alarm warning users about "a new computer virus." These messages inform
users about a new virus that is distributed via e-mail or the Internet, and
is able to delete entire data on an infected hard drive.
This kind of message is deliberately published on the Internet, and an army
of duped users, thinking that they are actually helping inform the computer
community of the danger, foolishly aids in the distribution and spreading of
The following hoaxes have been the most active during this year: 'Wobbler',
'Budwiser Frogs', 'Join the Crew', 'It Takes Guts to Say Jesus' and 'Buddlylst'.
On some days, the Kaspersky Lab technical support service receives hundreds
of messages from our users asking us to explain the "new viruses."
you will find an explanation about how to differentiate a virus warning from
Many users have asked us whether they should expect a slew of new viruses on
Christmas Eve and during the first days of the New Year. In fact, we remember
last year's warning that was distributed by some competitor anti-virus companies,
informing users about the computer underground's plans to launch an attack marking
the beginning of the year 2000. According to these messages, hackers from all
over the world had prepared thousands of new viruses to be released during the
first days of the New Year.
Last year, we explained our opinion,
and today we can simply repeat it: Kaspersky Lab considers this type of information
to be a marketing ploy designed to boost the sales of anti-virus programs on