Virus Top Twenty for January 2006

01 Feb 2006
Virus News

Position Change in position Name Percentage
1. No Change 0 Email-Worm.Win32.Zafi.d 29.52
2. No Change 0 Net-Worm.Win32.Mytob.c 22.62
3. No Change 0 Email-Worm.Win32.LovGate.w 6.25
4. Up +2 Email-Worm.Win32.NetSky.b 3.89
5. No Change 0 Email-Worm.Win32.Zafi.b 2.64
6. Up +3 Net-Worm.Win32.Mytob.u 2.62
7. Up +1 Net-Worm.Win32.Mytob.t 2.51
8. Down -1 Email-Worm.Win32.NetSky.q 2.32
9. Up +1 Net-Worm.Win32.Mytob.q 1.95
10. Up +7 Net-Worm.Win32.Mytob.a 1.66
11. Up +2 Trojan-Spy.HTML.Bayfraud.hn 1.43
12. Up +3 Email-Worm.Win32.NetSky.y 1.29
13. Down -1 Net-Worm.Win32.Mytob.h 1.24
14. Return Return Net-Worm.Win32.Mytob.bt 1.15
15. Up +5 Net-Worm.Win32.Mytob.x 1.09
16. Return Return Net-Worm.Win32.Mytob.v 1.06
17. Up +2 Net-Worm.Win32.Mytob.y 1.01
18. Down -14 Email-Worm.Win32.Sober.y 0.93
19. Return Return Email-Worm.Win32.NetSky.t 0.76
20. Down -2 Email-Worm.Win32.Bagle.dx 0.69
Other malicious programs 17.37

2006 began in the same way that 2005 finished. There was limited activity at the top of the ratings in December, and January itself was a relatively peaceful month.

Although worms from the Feebs and Nyxem families did cause something of a stir in the mass media in January, none of these worms had a significant effect on the distribution of malicious code in mail traffic.

Zafi.b and Mytob.c continue to hold the first two places, with LoveGate, an old friend, remaining in third place for the second month in a row.

In fact, there's only been one change in the top five places; Sober.y fell from 4th to 18th place, a full 14 places. And this for a worm which attracted so much media coverage in December! The worm did not update itself on the night of the 5th/ 6th January, as it was programmed to do. This meant that the number of infected messages in traffic fell significantly.

The remainder of January's ranking is relatively uninteresting, with the exception of the sharp rise exhibited by Mytob.a (up 7 places) and Mytob.x (up 5 places). In addition to this, two other members of the Mytob family managed to return to the rankings: Mytob.bt, in 14th place, and Mytob.v, in 16th place.

Phishing attacks remained popular in January, as the presence of Trojan-Spy.HTML.Bayfraud.hn shows. This surprisingly lively program has not only been in the ratings for two months (unique for phishing) but also rose by two places. This is, as far as we are aware, the first time a program mass mailed for phishing purposes rose so close to the Top Ten. Of course, we're not talking about a one-off mass mailing here, but repeated attacks targeting eBay users over a period of several months.

Overall, January was one of the most peaceful months we've seen for a long time, with no significant outbreaks or full scale epidemics.

Other malicious programs made up 13.37% of all malicious code intercepted in mail traffic, showing that a significant number of worms and Trojans from other families are still in circulation.

Summary:

New No new malicious programs
Moved up NetSky.b, Mytob.u, Mytob.t, Mytob.q, Mytob.a, Bayfraud.hn, NetSky.y, Mytob.x, Mytob.y
Moved down NetSky.q, Mytob.h, Sober.y, Bagle.dx
Re-entry Mytob.bt, Mytob.v, NetSky.t
No change Zafi.b, Zafi.d, Mytob.c, LovGate.w

We've decided to initially publish a full Top Twenty, including programs from the 'not-a-virus' malware class. However, in future we may take a different approach.

The second set of ratings is interesting, as it gives us a fuller picture of malware distribution. This is in contrast to the standard Top Twenty, which is based on mail traffic data.

The Online Top Twenty this month mostly contains Trojan programs. The majority of these programs are from the Trojan-Spy and Trojan-Downloader class. Feebs and Nyxem, which are mentioned above, but which didn't make it into the mail traffic Top Twenty, are also present.

More detailed information will be published next month, when we've had a chance to get a clearer picture, and reached some conclusions having compared two months' worth of data.