You've got worms... again
So since it's Monday, it was time to check in on how ClamAV was doing on catching these little buggers... plus it was an opportunity to clean up the script I'd used last time so the output was a little friendlier.
It's a fairly basic bash script: it takes a list of words, greps for each one across a directory of files, counts the occurrences and then sorts them from high to low. If someone wants it, lemme know and I'll post it... I felt pretty stupid with it, as I was offline and couldn't for the life of me remember how to get a tab to show up in echo's output.
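A reconstruction of that kind of counting script, added here as an example rather than the author's own code. It assumes (not stated in the post) that the scan output is a directory of `.log` files in clamscan's `path: Signature FOUND` line format and that the word list holds one signature name per line; the tab that was the sticking point comes from printf.

```shell
#!/bin/sh
# Added example, not the post's script: tally ClamAV signature names across
# a directory of scan logs and print "count<TAB>signature", highest first.
# Assumed (not from the post): log lines use clamscan's "path: Sig FOUND"
# form, and the word list has one signature name per line.

# count_sigs WORDLIST LOGDIR
count_sigs() {
  wordlist=$1; logdir=$2
  while IFS= read -r sig; do
    [ -n "$sig" ] || continue
    # Match ": <sig> FOUND" as a fixed string so Worm.SomeFool does not
    # also count Worm.SomeFool.P, and '.' is not treated as a wildcard.
    # grep -c exits 1 on zero hits, so "|| true" keeps the 0 count.
    n=$(cat "$logdir"/*.log | grep -Fc -- ": $sig FOUND" || true)
    # printf is the portable way to emit a literal tab.
    printf '%s\t%s\n' "$n" "$sig"
  done < "$wordlist" | sort -rn
}

# make_sample prints the path of a temp dir holding constructed scan logs
# and a constructed word list, so the script can run offline.
make_sample() {
  d=$(mktemp -d)
  cat > "$d/scan1.log" <<'EOF'
/var/mail/a: Worm.SomeFool FOUND
/var/mail/b: Worm.SomeFool.P FOUND
/var/mail/c: Worm.Mydoom.F FOUND
/var/mail/d: OK
EOF
  cat > "$d/scan2.log" <<'EOF'
/var/mail/e: Worm.SomeFool FOUND
/var/mail/f: Worm.SomeFool.P FOUND
/var/mail/g: Worm.SomeFool FOUND
EOF
  printf '%s\n' Worm.SomeFool Worm.SomeFool.P Worm.Mydoom.F Worm.Bagle.N > "$d/words.txt"
  echo "$d"
}

if [ $# -ge 2 ]; then
  count_sigs "$1" "$2"          # real use: count_sigs words.txt /path/to/scanlogs
else
  d=$(make_sample)              # no arguments: run on the constructed sample
  count_sigs "$d/words.txt" "$d"
  rm -rf "$d"
fi
```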
So, without further ado:
Virus & Worm Count:
+++
948 Worm.SomeFool
518 Worm.SomeFool.Gen-1
253 Worm.SomeFool.P
116 Worm.SomeFool.Gen-2
58 Worm.SomeFool.I
36 Worm.Mydoom.F
18 Worm.Bagle.N
14 JS.Spam.Scramble.A
13 Worm.Gibe.F
9 Worm.Klez.H
8 Worm.Bagle.U
8 Worm.Bagle.Gen-1
5 Worm.SomeFool.O
3 Worm.Bagle.V
1 Worm.Sober.D
1 Worm.Mimail.Q
1 Worm.BugBear.B
+++
In looking at the results from last time, obviously the big loser is Worm.SCO.A, which has pretty much disappeared... with lots of variants taking its place. Worm.SomeFool.P is pretty much the big winner, as it has come on very very strongly over the last few days.
There are lots of things I could write about these variants, but they're really not all that noteworthy. Nothing really interesting has come of them beyond some minor variations, with one exception: the idea of encrypting the file and making the user actually enter the password was a pretty slick piece of social engineering.
As an aside, if you are coming here looking to get one of these removed, you're out of luck... others will have to recommend some good sites devoted to manual removal instructions, perhaps in the comments. Or, you could look at using a Mac or Linux. :)
Or, at the very least, start using a non-Microsoft mail client such as Eudora or Thunderbird (big fan of Thunderbird) and never open an attachment unless you've expressly asked for it or are expecting it.
Comments (2)
Posted by: Vidma at June 3, 2004 02:35 AM
Yes
How do we get this script?