Virus Top Twenty for February 2004

01 Mar 2004
Virus News

Kaspersky Lab presents the Virus Top Twenty for February 2004

| Position | Change | Name | Percentage by occurrence |
|---|---|---|---|
| 1 | - | I-Worm.Mydoom.a | 69.21% |
| 2 | new | I-Worm.Moodown.b | 18.68% |
| 3 | -1 | I-Worm.Swen | 3.20% |
| 4 | new | I-Worm.Mydoom.e | 2.15% |
| 5 | -1 | I-Worm.Sober.c | 1.92% |
| 6 | +3 | I-Worm.Sobig.f | 0.82% |
| 7 | -2 | I-Worm.Mimail.a | 0.47% |
| 8 | -1 | I-Worm.Klez.h | 0.44% |
| 9 | +11 | I-Worm.Mimail.j | 0.30% |
| 10 | new | I-Worm.Mimail.c | 0.27% |
| 11 | +8 | I-Worm.Lentin.j | 0.24% |
| 12 | -9 | I-Worm.Lentin.g | 0.22% |
| 13 | +2 | I-Worm.Dumaru.a | 0.19% |
| 14 | - | I-Worm.Lentin.m | 0.17% |
| 15 | new | I-Worm.Netsky.c | 0.11% |
| 16 | new | I-Worm.Bagle.b | 0.10% |
| 17 | new | I-Worm.Mydoom.b | 0.10% |
| 18 | re-entry | Win32.Funlove4070 | 0.10% |
| 19 | -5 | Macro.Word97.Swatch.b | 0.08% |
| 20 | -10 | I-Worm.Tanatos.b | 0.07% |
| | | other malicious programs* | 1.16% |

*not in the Top Twenty

History was made in February 2004, which turned out to be the most active month in computer virology for the past several years. There has never been such a large number of email worms active at the same time.

First we had January's leader, Mydoom.a, which stayed in first place. Even though the worm stopped propagating as of February 12, Mydoom.a retained its leading position due to the huge number of copies mailed before February 12, as well as the large number of infected machines with incorrect dates.

Next we have some new entrants that will undoubtedly play a key role in March. There are six newcomers, which is very unusual, and they belong to four different categories. The most important newcomer is I-Worm.Moodown.b (NetSky.b), which its creator coded to disinfect machines infected by Mydoom.a, but also to interfere with antivirus programs. The second significant newcomer is Mydoom.e. Unlike Mydoom.a, this version deletes random MS Office documents. It is highly likely that this version was based on the original Mydoom.

Our old 'friend' Mimail is now polymorphic and spreads as a polymorphic dropper. Mimail.q was the first version with this new feature, and it immediately climbed to 10th position in the top twenty.

The creator of Moodown (NetSky) seems to have been encouraged by the havoc wreaked by the second version; he or she made some minor changes and released a third version. Moodown.c is only 15th in the ratings, but should aggravate users for quite some time to come.

One of January's leaders, Bagle.a, has left the ratings, but we do have Bagle.b to take its place. However, at the very tail end of February we also saw a slew of new Bagles: versions c through f. These versions did not make the top twenty, but we can be sure that they will cause trouble in March.

The last newcomer in the top twenty is yet another version of Mydoom - Mydoom.b. It appeared at the end of January and needed all of February to make its presence felt.

The other stars of the monthly ratings are old friends who move up and down the scale without leaving the top twenty. Swen and Sober.c refuse to yield to newer viruses and continue to hold their positions. Win32.FunLove.4070 has returned to the top twenty. The return of this file virus is easy to explain: it mostly arrives with email worms, having first infected their carrier files.

Summary

New viruses: Mydoom.b, Mydoom.e, Bagle.b, Moodown.b, Moodown.c and Mimail.q
Moved up: Sobig.f, Mimail.j, Dumaru.j and Dumaru.a
Moved down: Swen, Sober.c, Mimail.a, Klez.h, Tanatos.b, Lentin.m and Mimail.c
Returned: Win32.FunLove.4070