Virus Top Twenty for June 2007

02 Jul 2007
Virus News

Position | Change in position | Name | Proactive Detection Flag | Percentage
1. | Up +1 | Email-Worm.Win32.NetSky.q | Trojan.generic | 16.06
2. | Up +1 | Email-Worm.Win32.Bagle.gt | Trojan.generic | 13.45
3. | Down -2 | Email-Worm.Win32.NetSky.t | Trojan.generic | 9.61
4. | Up +2 | Email-Worm.Win32.NetSky.aa | Trojan.generic | 8.26
5. | New! | Email-Worm.Win32.Warezov.oz | Trojan.generic | 6.20
6. | Down -1 | Worm.Win32.Feebs.gen | Hidden Data Sending | 4.60
7. | No Change 0 | Net-Worm.Win32.Mytob.c | Trojan.generic | 4.41
8. | New! | Email-Worm.Win32.Warezov.ov | * | 3.96
9. | New! | Email-Worm.Win32.Warezov.op | * | 3.45
10. | Up +6 | Email-Worm.Win32.Mydoom.l | Trojan.generic | 2.93
11. | Return | Email-Worm.Win32.Nyxem.e | Trojan.generic | 2.87
12. | Down -2 | Email-Worm.Win32.NetSky.b | Trojan.generic | 2.31
13. | Down -2 | Virus.Win32.Grum.a | ** | 1.70
14. | Down -5 | Email-Worm.Win32.Scano.gen | Trojan.generic | 1.65
15. | Return | Email-Worm.Win32.Warezov.do | Trojan.generic | 1.34
16. | Down -4 | Net-Worm.Win32.Mytob.t | Worm.P2P.generic | 1.27
17. | No Change 0 | Exploit.Win32.IMG-WMF.y | *** | 1.22
18. | Return | Net-Worm.Win32.Mytob.u | Worm.P2P.generic | 1.17
19. | Down -4 | Email-Worm.Win32.NetSky.x | Trojan.generic | 1.16
20. | Down -2 | Net-Worm.Win32.Mytob.dam | [Damaged] | 0.98
Other malicious programs | | | | 11.40
* - Downloader, will give an error message if no file is available on the site.
** - PDM is not designed to detect classic viruses.
*** - WMF format file.

As expected, the traditional summer doldrums for virus epidemics are about to set in. In June 2007, the Top Twenty is led by some familiar names - and not just the typical veterans, but some real dinosaurs of the virus world.

After a long break, first place was again taken by the all-time leader of 2004 and 2005: the NetSky.q worm. Right on its heels is a worm from an equally old family, Bagle.gt. Meanwhile, NetSky.t, the leader in May, slipped very slightly down the table, ending up in third place.

Probably the most noteworthy event this month was the disappearance of May’s rabble-rouser, Sober.aa. This virus appeared after a six-month stint in the shadows, suddenly taking fourth place before disappearing again. Will we be seeing this family in our reports again? I suspect not.

In May, older worms reinforced their position and Sober.aa reappeared, squeezing out the young generation of dangerous Warezov worms. Nearly all of these worms disappeared from our reports last month, but they haven't given up yet. Just a month ago, we analyzed Agent.bgs, which came in eighth. This Trojan is designed to create Warezov botnets, and by the look of it, this botnet was behind the flood of new Warezov variants in June.

Three new variants made it into the top 10, with Warezov.oz ranking as high as fifth place. It's likely that we'll continue to see a long line of new variants from these unknown authors for a while to come. Computers that are infected by Warezov are generally used as spamming platforms.

The Zhelatin family of worms hasn't been able to keep up with Warezov. This is the second month in a row that there's been no mention of these worms in our rankings. Feebs and Scano are also slowly sliding down the table and could disappear at any time, just as Sober.aa did.

What are we left with? This month we have NetSky, Mytob, Bagle and Warezov. You could say that these four worm families have come to stay for a good long time, maybe even years (NetSky and Mytob already have a lengthy history). Just as Sober.aa disappeared, Nyxem.e reappeared. This worm is a big mystery. For a long time, it was the most common worm around, and then after disappearing from the Top Twenty, it resurfaced - and in leading positions. Then it disappeared again, and just when we had nearly forgotten it altogether, it's back again, this time in eleventh place.

The bottom half of the Top Twenty is unruly as usual. We are still seeing some older variants of Mytob and NetSky, and interesting new viruses are holding their own: examples are Virus.Win32.Grum.a and Exploit.Win32.IMG-WMF.y. The latter is still exploiting vulnerabilities in WMF files. This exploit has been used to spread certain Feebs variants.

Other malicious programs made up 11.40% of all malicious code in mail traffic, indicating that there is still a relatively large number of other worm and Trojan families in circulation.

Summary

  • New: Email-Worm.Win32.Warezov.oz, Worm.Win32.Warezov.ov, and Worm.Win32.Warezov.op
  • Moved up: Email-Worm.Win32.NetSky.q, Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Mydoom.l
  • Moved down: Email-Worm.Win32.NetSky.t, Worm.Win32.Feebs.gen, Email-Worm.Win32.NetSky.b, Virus.Win32.Grum.a, Email-Worm.Win32.Scano.gen, Net-Worm.Win32.Mytob.t, Email-Worm.Win32.NetSky.x, Net-Worm.Win32.Mytob.dam
  • Re-entry: Email-Worm.Win32.Nyxem.e, Email-Worm.Win32.Warezov.do, Net-Worm.Win32.Mytob.u