Virus Top Twenty for January 2005

02 Feb 2005
Virus News

Position Change in position Name Percentage
1. - Email-Worm.Win32.Zafi.d 26.57
2. - Email-Worm.Win32.Zafi.b 19.10
3. - Email-Worm.Win32.NetSky.q 13.97
4. - Email-Worm.Win32.LovGate.w 6.13
5. +2 Email-Worm.Win32.NetSky.b 4.47
6. - 1 Email-Worm.Win32.NetSky.aa 3.25
7. +2 Email-Worm.Win32.Bagle.z 3.08
8. New Email-Worm.Win32.Bagle.ay 2.77
9. +1 Email-Worm.Win32.Mydoom.m 2.54
10. New Trojan-Spy.HTML.Smitfraud.a 1.75
11. New Trojan-Spy.HTML.Bankfraud.ca 1.63
12. +3 Email-Worm.Win32.Mydoom.l 1.45
13. -2 Email-Worm.Win32.NetSky.y 1.28
14. - Email-Worm.Win32.NetSky.d 1.27
15. - 2 Email-Worm.Win32.NetSky.t 0.87
16. + 4 Email-Worm.Win32.Bagle.gen 0.74
17. + 2 Email-Worm.Win32.NetSky.r 0.72
18. Re-entry Email-Worm.Win32.Bagle.ai 0.66
19. - 1 Email-Worm.Win32.Lovgate.ad 0.58
20. New Email-Worm.Win32.Lovgate.ae 0.49
Other malicious programs 6.68

January's Top Twenty hasn't changed that much in comparison to December's. Zafi still tops the ratings, with NetSky.q, the most widespread worm in 2004, following closely in 3rd place.

Lovgate.w, another veteran in our charts, hasn't changed position at all. Incidentally, two more versions of this lively worm occupy the bottom of the table. Given the way previous versions of this worm have evolved, it's likely that Lovgate in a variety of incarnations will remain in our rankings for some time to come.

Moving down the table, we come to a new entrant, Bagle.ay. January 2005 is Bagle's first anniversary, and now, in 2005, it has once again caused the first real epidemic of the new year. Bagle.ay was first detected on 27th January, and triggered a red alert, managing to rise to 8th place in the course of just a few days. Just like its predecessors, Bagle.ay installs a Trojan proxy server on the victim machine. This means the infected computer can later be used as a spamming platform, often to send out new versions of the worm.

The Bagle epidemic developed in a typical way: a serious outbreak caused by high numbers of the worm in mail traffic, due to it being sent to millions of email addresses. After a few days, however, this initial activity died down, and Bagle.ay will probably be a lot lower down the February rankings.

The Trojan-Spy.HTML virus which appeared in the December Top Twenty was a harbinger of more to come. In January, two Trojan spy programs from this group, Smitfraud and Bankfraud.ca, were used in phishing attacks trawling for banking details. Large numbers of these malicious programs were detected; the volume was comparable with the amount of traffic caused by email worms during epidemics, and consequently Smitfraud and Bankfraud.ca moved straight into 10th and 11th place respectively.

The information above summarizes the events of January: we saw a large number of new Trojan programs being used to create botnets. Bagle.ay also contained a Trojan. It's estimated that the number of zombie machines in January may have exceeded 350,000; as a result of this, spam traffic rose by 40%, and the number of phishing attacks continued to rise.

Interestingly, Sober.i has now dropped out of the Top Twenty. Although a new version of this worm, Sober.j has been detected, so far it hasn't made much impact. It will be interesting to see whether this situation changes next month.

Summary:

New viruses: Bagle.ay, Smitfraud.a, Bankfraud.ca, Lovgate.ae

Moved up: NetSky.b, Bagle.z, Mydoom.m, Mydoom.l, Bagle.gen, NetSky.r

Moved down: NetSky.aa, NetSky.y, NetSky.t, Lovgate.ad

No change: Zafi.d, Zafi.b, NetSky.q, Lovgate.w, NetSky.d