Virus Top Twenty for February 2005

01 Mar 2005
Virus News

Position  Change in position  Name                          Percentage
1.        +2                  Email-Worm.Win32.Zafi.b           21.71
2.        +1                  Email-Worm.Win32.NetSky.q         18.30
3.        -2                  Email-Worm.Win32.Zafi.d           13.31
4.        +4                  Email-Worm.Win32.Bagle.ay          7.03
5.        -                   Email-Worm.Win32.NetSky.b          6.94
6.        Re-entry            Email-Worm.Win32.Bagle.at          4.68
7.        -1                  Email-Worm.Win32.NetSky.aa         3.29
8.        +1                  Email-Worm.Win32.Mydoom.m          2.67
9.        New                 Email-Worm.Win32.Bagle.ba          2.45
10.       +3                  Email-Worm.Win32.NetSky.y          2.08
11.       +1                  Email-Worm.Win32.Mydoom.l          1.83
12.       -8                  Email-Worm.Win32.LovGate.w         1.74
13.       +1                  Email-Worm.Win32.NetSky.d          1.39
14.       Re-entry            Email-Worm.Win32.NetSky.x          0.96
15.       +2                  Email-Worm.Win32.NetSky.r          0.91
16.       +2                  Email-Worm.Win32.Bagle.ai          0.81
17.       -2                  Email-Worm.Win32.NetSky.t          0.79
18.       New                 Trojan-Spy.HTML.Smitfraud.c        0.55
19.       -9                  Trojan-Spy.HTML.Smitfraud.a        0.49
20.       Re-entry            Email-Worm.Win32.NetSky.af         0.49
                              Other malicious programs           7.58

Many antivirus experts believe that email worms are slowly dying out and are being replaced by network worms with Trojan capabilities. February's statistics confirm this trend. On the one hand, this could be the result of a successful campaign waged by AV vendors against email worm outbreaks: the antivirus industry has implemented a number of innovative technologies to halt email worms in their tracks, such as detecting worms inside password-protected archives and preliminary analysis of incoming emails with executable attachments.
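The two gateway techniques mentioned above can be illustrated with a small attachment pre-screener. The following is an added example written for this page, not Kaspersky Lab's code: it parses a constructed MIME message, flags attachments by executable extension, by a PE ("MZ") header regardless of the declared name or MIME type, and, for ZIP attachments, by reading only the central directory, where entry names and the encryption flag remain visible even when the contents are password-protected. The extension list and the sample message are assumptions made for the example.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows treats as directly executable; assumption: a typical mail-gateway blocklist.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def is_executable_name(name: str) -> bool:
    return os.path.splitext(name.lower())[1] in EXECUTABLE_EXTENSIONS


def inspect_zip(data: bytes) -> list[str]:
    """Read only the ZIP central directory: entry names and the encryption flag are
    visible even for password-protected entries, so no password is needed to flag them."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & 0x1:  # bit 0 of the general-purpose flag: entry is encrypted
                    reasons.append(f"password-protected entry {info.filename}")
                if is_executable_name(info.filename):
                    reasons.append(f"executable inside archive: {info.filename}")
    except zipfile.BadZipFile:
        reasons.append("claims to be a ZIP but does not parse")
    return reasons


def screen_attachments(raw_message: bytes) -> list[dict]:
    """Return one finding per suspicious attachment, with the reasons it was flagged."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        if is_executable_name(name):
            reasons.append("executable extension")
        if data[:2] == b"MZ":  # DOS/PE header, whatever the declared name or MIME type says
            reasons.append("PE header in attachment body")
        if data[:2] == b"PK":  # ZIP local file header
            reasons.extend(inspect_zip(data))
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: a benign text file, a .exe, a PE disguised as a JPEG,
    and a ZIP whose only entry has an executable name. Only magic bytes, no real malware."""
    fake_pe = b"MZ" + b"\x00" * 62  # just the DOS magic, not a runnable binary
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("report.exe", fake_pe)
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Your document"
    msg.set_content("Please see the attached files.")
    msg.add_attachment("meeting notes", filename="notes.txt")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment(fake_pe, maintype="image", subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip", filename="report.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in screen_attachments(build_sample_message()):
        print(finding["filename"], "->", "; ".join(finding["reasons"]))
```

Running the block flags invoice.exe (extension and PE header), photo.jpg (PE header only) and report.zip (executable name inside the archive), while notes.txt passes. The ZIP check deliberately never decrypts anything: the central directory alone is enough to quarantine an encrypted archive that carries an executable name, which is the kind of pre-screening that stops a worm before a user can type in the password it asks for.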

On the other hand, today, network worms that exploit vulnerabilities in MS Windows are one of the more serious threats to the Internet. In other words, antivirus programs need to monitor Internet and network traffic as well as email traffic.

Something to think about in another venue, so let's analyse February's numbers instead. Zafi variants continue to play king of the hill: first Zafi.b was on top, then Zafi.d and now Zafi.b is back. We've discussed both worms in detail previously, so we'll skip over them, as well as our old 'friend' Netsky.q and focus on the fourth place holder.

Bagle.ay appeared on January 27 and immediately rose to 8th place; in February this Bagle variant climbed further, to fourth place. In fact, of the most famous names of 2004 (Netsky, Mydoom, Zafi, Bagle and Lovgate), virus writers seem to be focusing on Bagle only.

As we write about February today, March 1st, we have just detected 6 new variants of Bagle. We'll undoubtedly see some of them in the March Top Twenty, and just as surely a new crop of Trojan-Proxy.Win32.Mitglieder in the next few days, since this is the Trojan that Bagle typically downloads; a burst of spammer activity and new phishing emails should follow. Bagle.z and Bagle.at presented us with a conundrum this month: Bagle.z had been in seventh place in January and disappeared completely from the Top Twenty in February, whereas Bagle.at, first detected in October 2004, suddenly reappeared in sixth place. Frankly, we're not sure why this occurred, but we'll keep tracking the situation.

In all other respects, the February Top Twenty is very similar to the January hit list: some viruses rose slightly while others dropped slightly. The most significant change was how Lovgate variants all dropped in the ratings, with Lovgate.w falling from 4th to 8th place and Lovgate.ad and .ae leaving the ratings altogether.

Mydoom.m also exhibited some interesting, to say the least, behavior in February. There was a flurry of reports about new Mydoom variants, and many antivirus vendors added new signatures for all of these so-called variants. However, it was the packers that were new, not the worm. We at Kaspersky Lab took the time to unpack the samples and discovered that they were simply Mydoom.m, first detected in July 2004, and certainly not new variants. Since our users were already protected, we spared them further updates and alarm; most of our users didn't even realize that there was supposedly a new Mydoom outbreak. And the outbreak wasn't serious in any case, since Mydoom.m only rose one place in the ratings.
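The point about packers is worth making concrete. Below is an added example, not code from Kaspersky Lab, that models the situation with two toy packers (an XOR layer and a zlib layer, each with a 4-byte stub tag) applied to a constructed stand-in body; the body, the packers and the family name "Constructed.Email-Worm.A" are all assumptions for the example. It shows that hashing the file as received yields a different "variant" for every packer, while unpacking first recognises every sample as the same body and requires no new signatures.

```python
import hashlib
import zlib
from typing import Optional

# Constructed stand-in for a worm body; arbitrary bytes, not real malware.
WORM_BODY = b"CONSTRUCTED-SAMPLE: stand-in worm body " + bytes(range(256))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database keyed on the hash of the *unpacked* body (hypothetical family name).
SIGNATURES = {sha256(WORM_BODY): "Constructed.Email-Worm.A"}


# Two toy packers, each marked by a 4-byte stub tag. They stand in for the runtime
# packers the article mentions: a new outer layer around an unchanged body.
def pack_xor(body: bytes, key: int) -> bytes:
    return b"XOR1" + bytes([key]) + bytes(b ^ key for b in body)


def pack_zlib(body: bytes) -> bytes:
    return b"ZLB1" + zlib.compress(body, 9)


def unpack(sample: bytes) -> bytes:
    """Recognise a known packer stub and recover the body; unknown formats are returned as-is."""
    if sample.startswith(b"XOR1"):
        key = sample[4]
        return bytes(b ^ key for b in sample[5:])
    if sample.startswith(b"ZLB1"):
        return zlib.decompress(sample[4:])
    return sample


def identify_packed_only(sample: bytes) -> Optional[str]:
    """Naive approach: hash the file exactly as received."""
    return SIGNATURES.get(sha256(sample))


def identify(sample: bytes) -> Optional[str]:
    """Unpack first, then hash: the same body is recognised under any known packer."""
    return SIGNATURES.get(sha256(unpack(sample)))


def new_signatures_needed(samples: list[bytes], unpack_first: bool) -> int:
    """How many 'new variants' an analyst would have to add to cover these samples."""
    seen = set(SIGNATURES)
    count = 0
    for sample in samples:
        digest = sha256(unpack(sample)) if unpack_first else sha256(sample)
        if digest not in seen:
            seen.add(digest)
            count += 1
    return count


if __name__ == "__main__":
    repacked = [pack_xor(WORM_BODY, 0x5A), pack_xor(WORM_BODY, 0xC3), pack_zlib(WORM_BODY)]
    print("naive, new signatures needed:", new_signatures_needed(repacked, unpack_first=False))
    print("unpack first, new signatures needed:", new_signatures_needed(repacked, unpack_first=True))
```

Three repacked copies of one body produce three distinct hashes and, under the naive approach, three "new variants"; after unpacking they all match the existing signature and the count is zero. Real packers are far harder to strip than these stubs, but the design choice is the same: match on the normalised body, not on the outer layer, so that a repack does not look like an outbreak.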

Phishing is holding its own, with attacks on online banking services continuing unabated. We saw a significant number of phishing attacks during February: the Trojan Smitfraud.a remains in the ratings, with the new variant Smitfraud.c out-jockeying its sibling for 18th place.

Other malicious programs detected in email traffic are holding their own at 7.58% relative to the total number of malware intercepted. However, the number of malware detected overall in February in absolute terms was low enough to make this month the quietest for the past twelve months.

Summary:

New Bagle.ba, Smitfraud.c
Moved up Zafi.b, Netsky.q, Bagle.ay, Mydoom.m, Netsky.y, Mydoom.l, Netsky.d, Netsky.r, Bagle.ai
Moved down Zafi.d, Netsky.aa, LovGate.w, Netsky.t, Smitfraud.a
Re-appeared Bagle.at, NetSky.x, NetSky.af
No change Netsky.b