Virus Top Twenty for August 2006

01 Sep 2006
Virus News

We expected that August would bring a struggle for first place in the ratings between Mytob.c, a veteran of the ratings, and Nyxem.e, well known for disturbing the peace. However, our forecasts turned out to be inaccurate. Nyxem.e, which was almost on a level with Mytob in July, and which made up half of all virus traffic last month dropped 10% in August, while Mytob.c remained steady as a rock.

The summer holidays inevitably have an influence on the world of computer viruses. However, August was a surprisingly quiet month, as the Top Twenty shows: the first four places remained the same as the previous month. Overall, the changes to the top ten are more or less symbolic, with some viruses moving up a couple of places, some down a couple of places. Such movement is within the bounds of statistical error.

In comparison to July, when one worm rose seven places and another sank by twelve, the August figures (Mytob.cg up four places, Mytob.r down five places) look almost insignificant. Nevertheless, antivirus companies waited for August with baited breath. This was due to the fact that over the past few years, August has been one of the months when viruses show increased activity. In our last Top Twenty we stated that the question ‘will there be an epidemic in August’ would be answered when it was clear whether new vulnerabilities had been detected in Windows.

Vulnerabilities were indeed detected, and they were exactly the type of vulnerabilities which could have led to the appearance of another worm such as Lovesan or Mytob. The vulnerability detailed in MS06-040 is extremely similar to the MS03-26 and MS04-011 vulnerabilities, which were exploited by Lovesan and Sasser respectively. Thankfully, Microsoft was able to ensure that information about the vulnerability did not enter the public domain before a patch was available. The exploit which then appeared for this vulnerability only ran on a limited number of versions of Windows and did not attract the attention of virus writers. Consequently, the anticipated August epidemic did not take place.

Virus writers limited their activities to spamming phishing emails. This meant that although worms did not show any increased activity, phishing attacks were very noticeable. August brought several major attacks, the largest of which was the spamming of Bankfraud.od in Western Europe. We first encountered this phishing message, which targets customers of the German Volksbank, in March this year. In July/August, the authors modified the email, and conducted a repeat attack. Bankfraud.od rose to twelfth place in the rankings, and is the first phishing attack to make it into the Top Twenty in the past few months.

As for the rest of the Top Twenty, it’s worth noting that Scano, the polymorphic script worm, disappeared from the rankings, and another, similar malicious program (Feebs) did not make it into the Top Twenty at all.

LovGate.ad has dropped out of the ratings. This might mean that this family has been defeated by other worms. Out of the three LovGate representatives previously found in the Top Twenty, only LovGate.w remains. However, in August the worm once again demonstrated its resilience, with LovGate.ae returning to the rankings. We will wait and see what September brings. The significant percentage (14.7%) of other malicious programs intercepted in mail traffic indicates that a number of other worm and Trojan families are still in active circulation.

Summary

New! NewBankfraud.od
Up Moved upNetSky.b, Mytob.q, NetSky.y, Mytob.u, Mytob.w, Mytob.r, NetSky.x, Mytob.gen, NetSky.af
Down Moved downMytob.q, NetSky.y, Mytob.t, NetSky.x, Mytob.r, Mytob.x
No Change No changeNet-Worm.Win32.Mytob.c, Email-Worm.Win32.Nyxem.e, Email-Worm.Win32.NetSky.b, Email-Worm.Win32.LovGate.w
Return Re-entryNetSky.t, Mytob.h, LovGate.ae, Mytob.j