Virus Top Twenty for May 2006

01 Jun 2006
Virus News

Our statistics for May are not very different from the statistics for April. In fact, the difference between the May and March or even April Top Twenties is also minimal. This is not a temporary phenomenon, but a feature of today's malware landscape: global email worm epidemics are already a thing of the past.

Let’s take a look at the statistics. Mytob.c, which in February firmly settled in the top position with about 30% of all traffic, remains at the top, keeping its competitors at a safe distance. A fight for second position is still going on: Mydoom, NetSky, Bagle and Mytob have remained in the top five over the past few months and even years. But by the summer of 2006 it turned out that they had been outlasted and overtaken on the way to the top by South Korean worms that most Europeans are not very familiar with and which have rarely been mentioned by the mass media. Two variants of LovGate have made their way to the second and fourth positions in the rating, leaving the remaining two top five positions to NetSky. Apparently, this result is due to NetSky.t going down from the second position to the fifth, reducing its presence in mail traffic almost by half. This is just what we anticipated in previous months.

In previous months we predicted that new Mytob variants would strengthen their presence, and/or that old variants would return to top positions. Our forecasts were correct: two old Mytob variants - .u and .a - have somewhat improved their position and the family now accounts for exactly one half of the top ten, including the top position. In addition, a new-generation Mytob, the .eg variant, has made its way into the Top Twenty. Although two hackers suspected of being the authors of these worms were arrested last August, new variants keep appearing at a frightening rate. This must be due to the fact that the source code for this worm is publicly available. But the Mytobs are not just climbing higher and spawning new variants: they even return to the Top Twenty once in a while. The variants to make a comeback in May were .x and .bx, making the number of Mytob clones in our rating almost half of the total: 9 positions out of 20.

In the rest of the ratings, two other newcomers are of some interest: the Scano email worm, in the form of variants .ag and .ab.

Scano is relatively new on the virus scene. In April we saw Scano.e reach the 14th position. This malicious program builds on the ideas implemented in the Feebs worm, which first appeared in the winter of 2005. Scano, however, differs from Feebs in that it includes a polymorphic JavaScript dropper, which delivers the worm to its victims. Polymorphic technologies are becoming increasingly popular among virus writers, because the previous methods used to conceal malicious code from antivirus programs have become almost totally ineffective.

Now Scano.e has left the stage and has been replaced by two newcomers, which took the 15th and 19th positions. In all probability, they will follow the older variant into oblivion in June, but it is doubtful that Scano will leave the Top Twenty completely: the author of this worm is highly productive and releases several new variants a week.

Other malicious programs in the Top Twenty accounted for a significant percentage (18.79%) of all those intercepted, which means that there are also numerous worms and Trojans belonging to other families still circulating in mail traffic.

Summary:

New: Mytob.eg, Scano.ag, Scano.ab
Moved up: LovGate.w, NetSky.q, LovGate.ad, Mytob.u, Mytob.a, NetSky.y
Moved down: NetSky.t, NetSky.aa
No change: Mytob.c, NetSky.b, Mytob.t, Mytob.q, Mytob.w
Re-entry: LovGate.ah, NetSky.x, Mytob.x, Mytob.bx