Virus Top Twenty for April 2007

01 May 2007
Virus News

| Position | Change in position | Name | Proactive Detection Flag | Percentage |
|---|---|---|---|---|
| 1 | Up +4 | Email-Worm.Win32.NetSky.t | Trojan.generic | 14,00 |
| 2 | New! | Email-Worm.Win32.Warezov.ms | Invader | 12,35 |
| 3 | Down -1 | Email-Worm.Win32.NetSky.q | Trojan.generic | 12,15 |
| 4 | Down -1 | Email-Worm.Win32.Bagle.gt | Trojan.generic | 10,02 |
| 5 | New! | Trojan-Spy.HTML.Bankfraud.ri | N/A (HTML)* | 7,73 |
| 6 | Up +6 | Worm.Win32.Feebs.gen | Hidden Data Sending | 5,38 |
| 7 | No Change 0 | Net-Worm.Win32.Mytob.c | Trojan.generic | 4,04 |
| 8 | Down -2 | Email-Worm.Win32.NetSky.aa | Trojan.generic | 3,55 |
| 9 | No Change 0 | Email-Worm.Win32.NetSky.b | Trojan.generic | 2,18 |
| 10 | Down -2 | Email-Worm.Win32.Scano.gen | Trojan.generic | 1,93 |
| 11 | Down -11 | Trojan-Spy.HTML.Bankfraud.ra | N/A (HTML)* | 1,80 |
| 12 | New! | Email-Worm.Win32.Warezov.nf | Invader | 1,80 |
| 13 | Down -3 | Email-Worm.Win32.Mydoom.l | Trojan.generic | 1,58 |
| 14 | Down -1 | Email-Worm.Win32.Warezov.do | Trojan.generic | 1,50 |
| 15 | No Change 0 | Email-Worm.Win32.Mydoom.m | Trojan.generic | 1,38 |
| 16 | No Change 0 | Email-Worm.Win32.Zhelatin.dam | N/A (damaged)** | 1,18 |
| 17 | Return | Email-Worm.Win32.LovGate.w | Trojan.generic | 1,14 |
| 18 | New! | Email-Worm.Win32.Zhelatin.cs | HiddenInstall | 1,09 |
| 19 | Return | Net-Worm.Win32.Mytob.t | Worm.P2P.generic | 1,06 |
| 20 | New! | Email-Worm.Win32.Zhelatin.cq | HiddenInstall | 0,98 |
| | | Other malicious programs | | 13,16 |

* - this is an HTML page and does not display any behavior
** - non-functional sample

It’s getting more and more interesting looking at the statistics on malicious code in mail traffic. Warezov and Zhelatin regularly cause virus outbreaks, hit the headlines, and create a huge amount of work for virus labs around the world, but it’s NetSky.t, an old email worm, which grabbed first place this month. In the three years since NetSky.t appeared, its highest ranking ever was fourth place in February 2006. It subsequently disappeared from the rankings, but returned to lurk close to the top of the table. And this month it has taken first place by storm, pushing aside all the new generation worms.

This was probably the result of a new tactic: virus writers are now spamming multiple variants of their latest creation within a very short space of time. Many of these variants make it to the Top Twenty, but sometimes the sheer number of variants prevents them from gaining a high position: NetSky.t, a single variant which spread extremely widely, is proof of this.
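
The per-variant ranking can be rolled up by family to see how a family's share is spread across its variants. The following is an added example, not part of the original report: it assumes the four-part Behaviour.Platform.Family.variant naming used in the table, and the function names are hypothetical.

```python
from collections import defaultdict

# April 2007 Top Twenty, copied from the table on this page:
# (detection name, share of malicious code in mail traffic, in percent).
ROWS = [
    ("Email-Worm.Win32.NetSky.t", 14.00), ("Email-Worm.Win32.Warezov.ms", 12.35),
    ("Email-Worm.Win32.NetSky.q", 12.15), ("Email-Worm.Win32.Bagle.gt", 10.02),
    ("Trojan-Spy.HTML.Bankfraud.ri", 7.73), ("Worm.Win32.Feebs.gen", 5.38),
    ("Net-Worm.Win32.Mytob.c", 4.04), ("Email-Worm.Win32.NetSky.aa", 3.55),
    ("Email-Worm.Win32.NetSky.b", 2.18), ("Email-Worm.Win32.Scano.gen", 1.93),
    ("Trojan-Spy.HTML.Bankfraud.ra", 1.80), ("Email-Worm.Win32.Warezov.nf", 1.80),
    ("Email-Worm.Win32.Mydoom.l", 1.58), ("Email-Worm.Win32.Warezov.do", 1.50),
    ("Email-Worm.Win32.Mydoom.m", 1.38), ("Email-Worm.Win32.Zhelatin.dam", 1.18),
    ("Email-Worm.Win32.LovGate.w", 1.14), ("Email-Worm.Win32.Zhelatin.cs", 1.09),
    ("Net-Worm.Win32.Mytob.t", 1.06), ("Email-Worm.Win32.Zhelatin.cq", 0.98),
]


def parse_name(name):
    """Split a detection name into its four dot-separated parts.

    Suffixes such as .gen and .dam sit in the variant slot and are
    counted here as variants of their family.
    """
    behaviour, platform, family, variant = name.split(".", 3)
    return {"behaviour": behaviour, "platform": platform,
            "family": family, "variant": variant}


def family_totals(rows):
    """Return (family, total share, variant count, top variant share), largest first."""
    shares = defaultdict(list)
    for name, pct in rows:
        shares[parse_name(name)["family"]].append(pct)
    totals = [(fam, round(sum(p), 2), len(p), max(p)) for fam, p in shares.items()]
    return sorted(totals, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for fam, total, count, top in family_totals(ROWS):
        print(f"{fam:<10} total={total:5.2f}%  variants={count}  top variant={top:5.2f}%")
```
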

On the other hand, these newcomers aren’t lagging that far behind some of the old, familiar malicious programs. Second place is occupied by Warezov.ms, created by unknown cyber criminals, who we suspect are Chinese. Although this variant didn’t get as much publicity as its younger brother Warezov.nf, our statistics show that it was the .ms variant that dominated in April. However, it’s highly likely that Warezov.ms will practically disappear in May, repeating the pattern shown by other variants. Out of all the Warezov variants that made the rankings last autumn and winter, only Warezov.do could still be found in April’s Top Twenty.

The Zhelatin worm, which is in direct competition with Warezov, also has three variants in the rankings. However, in percentage terms Zhelatin’s results are much less impressive, as it occupies 6th, 18th and 20th place.

Phishing is continuing to evolve at a rate of knots. Last month, Bankfraud.ra, a phishing email, was at the top of the chart. Although this month it has fallen to 11th place, this doesn’t mean that phishing is on the decline: 5th place is taken by a new Bankfraud variant, .ri. This is evidence of the increasingly widespread nature of phishing attacks, comparable in scale to email worm epidemics.

The return of some real veterans, LovGate.w and Mytob.t, is also interesting. The reappearance of these malicious programs in the Top Twenty was unexpected. However, the number of times these programs have previously figured in the rankings bears witness to their tenacity and the size of epidemics caused by these worms in the past.

Other malicious programs made up a significant percentage (13.16%) of all malicious code found in mail traffic, indicating that a considerable number of other worms and Trojans are currently actively circulating.

Summary

  • New: Email-Worm.Win32.Warezov.ms, Trojan-Spy.HTML.Bankfraud.ri, Email-Worm.Win32.Warezov.nf, Email-Worm.Win32.Zhelatin.cs, Email-Worm.Win32.Zhelatin.cq
  • Moved up: Email-Worm.Win32.NetSky.t, Worm.Win32.Feebs.gen
  • Moved down: Email-Worm.Win32.NetSky.q, Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Scano.gen, Trojan-Spy.HTML.Bankfraud.ra, Email-Worm.Win32.Mydoom.l, Email-Worm.Win32.Warezov.do
  • Re-entry: Email-Worm.Win32.LovGate.w, Net-Worm.Win32.Mytob.t
  • No change: Net-Worm.Win32.Mytob.c, Email-Worm.Win32.NetSky.b, Email-Worm.Win32.Mydoom.m, Email-Worm.Win32.Zhelatin.dam