There were 12 significant and 34 less serious virus outbreaks in 2002, along with continuing activity caused by viruses from previous years. Virus writers actively penetrated new platforms, applications and technologies.

2002 Highlights

Two new flash worms, LFM and Donut, appeared in January: both of these worms were designed to spread in the .NET environment. Fortunately, both worms turned out to be only proof of concept viruses and no infections were registered.

In May, we saw Spida, a worm that attacked SQL servers and Benjamin, a virus that triggered a whole series of copycat malware targeted at the Kazaa file-sharing network.

Malware for Linux

The worm Slapper finally convinced all remaining skeptics that Linux users need to be just as aware of security issues as users of all other operating systems. Slapper penetrated thousands of machines running Linux within a few days. Users of FreeBSD also got a timely reminder about security: a new worm called Scalper struck FreeBSD machines in September, though the damage did not escalate to the proportions caused by Slapper.

Professional virus writers

This was the year professional writers got down to business: there was a significant increase in malicious programs designed to commit financial fraud. These programs stole passwords, confidential data, Internet access information and other data that allowed virus writers to make money by using the harvested data.


Email worms, such as Klez and Lentin had already been popular prior to 2002. However, a new breed of email worms superseded the older versions: these new email worms spread by connecting directly to built-in SMTP servers on infected machines.

This development grew out of increased security measures which prevented worms from spreading via MS Outlook and other email clients. Email system developers integrated either antivirus protection or special functionality preventing unauthorized mailings. As a result, virus writers focused on worms that were able to avoid these measures.

Worms multiplying in other environments, such as LANs, P2P, IRC and so forth, disappeared almost entirely in this year.


An Internet worm named Klez caused the most serious outbreak of the year. Klez was first detected on 26 October and remained on the list of the most widespread malicious programs for the next two years. This is a record in virusology that is yet to be broken. New Klez variants, Klez.e and Klez.h were the most active Klez clones. Altogether, by the end of 2002, 6 out of 10 registered infections were caused by Klez.

Though Klez caused the most serious outbreak during 2002, several other worms provided some stiff competition: Lentin and Tanatos (aka Bugbear). In fact, Lentin surpassed Klez in the number of incidents by the end of the year.


The trend to exploit vulnerabilities that first became significant in 2001 continued: virus writers homed in on the IFRAME vulnerability in MS Internet Explorer to create worms including Klez, Lentin and Tanatos. Altogether, 85% of all virus incidents.

Classic viruses

Interestingly enough, macro viruses rose to the fore among classic viruses this year. Macro viruses for MS Word – Thus, TheSecond, Marker and Flop were the most widespread. These viruses had first appeared in the late 1990s, but they resurfaced in 2002. The most likely reason is increased numbers of Windows users who were all sure that macro viruses were a thing of the past. Inconvenient security measures were abandoned and the result was a second round of old viruses. The majority of infections were caused by Elkern, CIH, FunLove and Spaces.

On the plus side, script viruses and other classic viruses almost disappeared in 2002.

Virus hoaxes

The upsurge in virus hoaxes that began in 2001 continued into 2002. Users worldwide flooded each other with new and old hoaxes: JDBGNR, Ace-?, SULFNBK, Virtual Card for You, California IBM and Girl Thing.

2002 summary

By the end of the year, an interesting pattern emerged in the spread of malicious programs. In previous years, the overwhelming majority of virus incidents were connected to a small number of viruses, typically 2-3. By September 2002, however, this pattern was broken: more and more infections were caused by viruses which did not make it to the top twenty.

Increased end user awareness regarding security issues and willingness to adopt precautionary methods undoubtedly played a role in this development. Correct protective techniques implemented by end users led to a decrease in number of incidents caused by individual viruses.

And yet, the overall number of infections did not decrease, meaning that the overall number of malicious programs in the wild had grown. Even though no single virus caused a significant outbreak, together they constituted an impressive volume.