Virus Top Twenty for June 2004

02 Jul 2004
Virus News

Kaspersky Lab presents the Top Twenty for June 2004

Position | Change in position | Name | Percentage by occurrence
1 | new | I-Worm.Zafi.b | 33.97%
2 | -1 | I-Worm.Netsky.aa | 18.44%
3 | -1 | I-Worm.Netsky.b | 16.76%
4 | -1 | I-Worm.Netsky.q | 5.38%
5 | no change | I-Worm.Bagle.z | 5.04%
6 | no change | I-Worm.NetSky.d | 2.78%
7 | -3 | I-Worm.NetSky.y | 2.38%
8 | -1 | I-Worm.LovGate.w | 1.89%
9 | -1 | I-Worm.NetSky.t | 1.57%
10 | no change | I-Worm.Mydoom.e | 0.66%
11 | +3 | I-Worm.NetSky.r | 0.64%
12 | -3 | I-Worm.Swen | 0.64%
13 | no change | I-Worm.NetSky.c | 0.56%
14 | -3 | I-Worm.Mydoom.g | 0.53%
15 | -3 | I-Worm.NetSky.o | 0.51%
16 | -1 | I-Worm.Bagle.y | 0.50%
17 | +1 | EXPLOIT.HTML.ObjData | 0.43%
18 | -2 | I-Worm.Sober.g | 0.42%
19 | re-entry | I-Worm.Netsky.z | 0.33%
20 | re-entry | I-Worm.NetSky.m | 0.27%

Other malicious programs (not in the Top 20): 6.31%

June 2004 has probably turned out to be the quietest month this year so far. It's hard to tell why: maybe virus writers have been lying low due to arrests of coders worldwide, or maybe antivirus vendors have succeeded in clearing up the aftermath of previous outbreaks. In any case, we only have one new entrant in the top twenty this month: Zafi.b.

I-Worm.Zafi.b was written in Hungary and spread rapidly throughout Europe, leaving the NetSky family in the dust. The most likely explanation for Zafi's success lies in the clever social engineering techniques the senders used. The worm arrived in emails written in 18 different languages, depending on the IP address of the recipients. The actual texts were not very original: the usual fake warning from email providers or offers to view interesting photos.

The past two months have seen a successful crackdown on cyber crime - almost 10 coders were arrested in different countries. With any luck, we should see the arrest of Zafi's author sometime soon.

The rest of the June top twenty is almost identical to May's hit parade. Some email worms lost or gained a few points, but many remained in the exact same place (a detailed analysis is available in earlier Top 20 lists).

It is worth noting that Exploit.HTML.ObjData has gained strength, whereas Klez.h, a classic network worm, has finally disappeared from the list after a record breaking two-year stint.

However, the calm before the storm was disturbed by a slew of backdoor-worms - Internet worms with spy features. The LSASS vulnerability that Sasser underscored served as a catalyst for this trend. Hundreds of malicious programs are now exploiting this vulnerability, shifting the paradigm of virus propagation from email to the Internet via attacks on open ports.

Other malware continued to make up a significant proportion of overall virus traffic on the Internet this month, with almost 300 different viruses detected.

Summary

new viruses: I-Worm.Zafi.b
moved up: NetSky.r, Exploit.HTML.ObjData
moved down: NetSky.aa, NetSky.b, NetSky.q, NetSky.y, LovGate.w, Netsky.t, Swen, Mydoom.g, NetSky.o, Bagle.y, and Sober.g
no change: Bagle.z, NetSky.d, Mydoom.e, Netsky.c
returned: NetSky.z, NetSky.m