Virus Top Twenty for November 2007

05 Dec 2007
Virus News

| Position | Change in position | Name | Proactive Detection Flag | Percentage |
|---|---|---|---|---|
| 1 | +12 | Email-Worm.Win32.Scano.gen | Trojan.generic | 16.03 |
| 2 | +12 | Net-Worm.Win32.Mytob.t | Worm.P2P.generic | 9.42 |
| 3 | +8 | Email-Worm.Win32.NetSky.x | Trojan.generic | 6.45 |
| 4 | -2 | Trojan-Spy.HTML.Fraud.ay | <Not detected> (phishing email) | 6.28 |
| 5 | +5 | Net-Worm.Win32.Mytob.c | Trojan.generic | 5.95 |
| 6 | +13 | Exploit.Win32.IMG-WMF.y | <Not detected> (WMF exploit) | 5.95 |
| 7 | Return | Email-Worm.Win32.Warezov.pk | <Not detected> (downloader) | 5.79 |
| 8 | +9 | Email-Worm.Win32.LovGate.w | Trojan.generic | 5.45 |
| 9 | New | Email-Worm.Win32.Warezov.um | <Not detected> (downloader) | 5.12 |
| 10 | -3 | Email-Worm.Win32.NetSky.t | Trojan.generic | 3.64 |
| 11 | +7 | Net-Worm.Win32.Mytob.dam | <Not detected> (damaged files) | 3.47 |
| 12 | Return | Email-Worm.Win32.Womble.a | Trojan.generic | 3.31 |
| 13 | +3 | Email-Worm.Win32.NetSky.b | Trojan.generic | 2.15 |
| 14 | Return | Net-Worm.Win32.Mytob.j | Worm.P2P.generic | 1.98 |
| 15 | Return | Net-Worm.Win32.Mytob.r | Trojan.generic | 1.65 |
| 16 | -12 | Worm.Win32.Feebs.gen | Trojan.generic | 1.32 |
| 17 | New | Trojan-Downloader.Win32.Agent.ezm | Hidden object | 1.32 |
| 18 | New | Trojan-Spy.Win32.Keylogger.rp | Hidden object | 1.32 |
| 19 | New | Net-Worm.Win32.Mytob.fm | Worm.P2P.generic | 1.16 |
| 20 | New | Trojan.Win32.Pakes.bpn | Hidden object | 0.99 |
| | | Other malicious programs | | 11.25 |

Although the malicious programs leading the November 2007 Email Top Twenty have changed, the data once again highlights the absence of any serious epidemics in mail traffic.

There's been a sudden change to the leading three malicious programs, caused by Scano.gen's rocketing twelve places up the table together with the Mytob.t (up 12 places) and NetSky.x (up 8 places) worms. This change simply reflects the insignificant number of malicious programs which are actually spreading via mail traffic.

The volatility of the ratings is currently so marked that any malicious program which is in the ratings this month could either take first place next month, or disappear off the bottom end of the table.

There's only one program in this month's Top Twenty which barely changed its position, and that's Trojan-Spy.HTML.Fraud.ay, a phishing attack. In November this program took fourth place, whereas last month it was in second place. The Trojan program targets users of Yandex.Dengi (the Yandex e-payment system). It's not a particularly original piece of malicious code, and both antivirus programs and spam filters can detect it easily. Meanwhile, the fake sites which are part of the attack are detected by the anti-phishing modules in popular browsers.

In November, the notorious exploit which used vulnerabilities in Adobe products disappeared from the ratings. Among the leaders of the October Top Twenty was an exploit targeting a vulnerability in Adobe products. However, this month's data shows that modifications of this program (a malicious PDF file which acts as a downloader) have disappeared just as quickly as they appeared.

However, another exploit, IMG-WMF.y, set a record this month, on the eve of its second anniversary. This program gained the most positions, rising thirteen places to sixth place overall. This had the side effect of causing Womble.a, a worm linked with the exploit, to return to the Top Twenty.

There were a relatively large number of returns to the rankings in November: four at once, including Warezov.pk, which ended up in seventh place. Add the five new entries (the most 'successful' being Warezov.um, which entered the rankings in ninth place) and the rise of LovGate.w by nine places after its re-entry in October, and the November Top Twenty starts to look rather unusual. On one hand, all the old familiar worm families are represented: NetSky, Mydoom, Bagle, Feebs, Nyxem and Scano. On the other hand, the presence of new Trojan-Spy and Trojan-Downloader programs makes this month's statistics unusual. It's likely that in the coming months the situation will continue to evolve along similar lines, with the upper part of the table being occupied by email worms, as is traditional, and the lower positions being taken by Trojan programs and exploits.

Other malicious programs made up just over 11.25% of all malicious code in mail traffic, indicating that there is still a relatively large number of other worm and Trojan families in circulation.

Summary:

  1. New: Email-Worm.Win32.Warezov.um, Trojan-Downloader.Win32.Agent.ezm, Trojan-Spy.Win32.Keylogger.rp, Net-Worm.Win32.Mytob.fm, Trojan.Win32.Pakes.bpn
  2. Went up: Email-Worm.Win32.Scano.gen, Net-Worm.Win32.Mytob.t, Email-Worm.Win32.NetSky.x, Net-Worm.Win32.Mytob.c, Exploit.Win32.IMG-WMF.y, Email-Worm.Win32.LovGate.w, Net-Worm.Win32.Mytob.dam, Email-Worm.Win32.NetSky.b
  3. Went down: Trojan-Spy.HTML.Fraud.ay, Email-Worm.Win32.NetSky.t, Worm.Win32.Feebs.gen
  4. Re-entry: Email-Worm.Win32.Warezov.pk, Email-Worm.Win32.Womble.a, Net-Worm.Win32.Mytob.j, Net-Worm.Win32.Mytob.r