A new variant of a mass-mailer that forges the sender's address, called W32/Yaha.K@mm, became prominent on 30 December. MessageLabs first stopped a copy of it on 21 December, and saw a slow exponential increase until it was in second place (to Klez.H) at the end of the year. However, there was more than the usual confusion about the naming of the virus. MessageLabs commented, "By releasing a number of variants over a short time period, the authors either accidentally or intentionally caused chaos with the usual processes of virus naming, and so currently we have three variants of Yaha spanning the letters J to M, but very little agreement between the different vendors as to which is which." Sophos was able to detect the later variants through their detection of the December 24 variant.
The New Year has begun with a bang, with four new worms becoming widespread in just two days. "Several new viruses are found every day, there's nothing special with that", says Mikko Hypponen, Manager of Anti-Virus Research at F-Secure. "But it is not normal to find four new viruses which are all successfully spreading in the wild within two days." Mr. Hypponen went on to say this does not appear to be a coordinated attack.
Two of the worms, W32/Lirva.A and W32/Lirva.B (also called W32/Naith and W32/Avril), are closely related and hit on the 8th and 9th of January, respectively. They spread by sending themselves to email addresses harvested from various files. The emails can have various subjects and body texts, mostly business or security related, but some refer to teen skater-punk Avril Lavigne. They also open Avril Lavigne's website and display geometric figures on the 7th, 11th or 24th of any month. Rather predictably, press and commentators have focussed on the connection with a young, female super-star, and the worm is commonly called "the Avril Lavigne Worm". Much has been written about virus writers having a male teenager's obsession with sex, but we should remember that the victims are showing the same obsession. The virus writers just seem to have recognised that such a link attracts many people, which makes them no different to newspapers and anti-virus websites that choose to illustrate an article about a self-replicating program with a picture of a skater.
The third worm is a new variant of ExploreZip, found on the 8th. ExploreZip was originally found in June 1999, and it quickly became widespread. W32/ExploreZip.E was compressed to make it undetectable by current anti-virus software at the time it was released, but it is functionally the same. It spreads by replying to unread emails, and also by copying itself to Windows shares across the network.
The fourth worm, W32/Sobig.A, was found on the 9th and also spreads by email and network shared drives. It also tries to download extra components from a website, but the website is currently inactive.