Virus Top Twenty for June 2005

04 Jul 2005
Virus News

| Position | Change in position | Name | Percentage (%) |
|---|---|---|---|
| 1 | No change (0) | Net-Worm.Win32.Mytob.c | 19.55 |
| 2 | No change (0) | Email-Worm.Win32.NetSky.q | 11.50 |
| 3 | Up (+6) | Email-Worm.Win32.Zafi.d | 5.33 |
| 4 | New | Net-Worm.Win32.Mytob.be | 4.68 |
| 5 | Down (-2) | Email-Worm.Win32.NetSky.aa | 4.60 |
| 6 | New | Net-Worm.Win32.Mytob.bk | 4.02 |
| 7 | Down (-1) | Email-Worm.Win32.LovGate.w | 3.66 |
| 8 | Down (-4) | Email-Worm.Win32.NetSky.b | 3.31 |
| 9 | Down (-4) | Email-Worm.Win32.Zafi.b | 3.25 |
| 10 | Up (+8) | Net-Worm.Win32.Mytob.ar | 2.97 |
| 11 | Down (-1) | Net-Worm.Win32.Mytob.q | 2.67 |
| 12 | Down (-3) | Net-Worm.Win32.Mytob.u | 2.49 |
| 13 | New | Net-Worm.Win32.Mytob.bf | 2.04 |
| 14 | Up (+2) | Net-Worm.Win32.Mytob.au | 2.04 |
| 15 | Down (-3) | Net-Worm.Win32.Mytob.h | 1.87 |
| 16 | Down (-3) | Net-Worm.Win32.Mytob.t | 1.85 |
| 17 | Down (-6) | Email-Worm.Win32.Mydoom.l | 1.55 |
| 18 | New | Net-Worm.Win32.Mytob.bi | 1.48 |
| 19 | New | Net-Worm.Win32.Mytob.ba | 1.47 |
| 20 | New | Net-Worm.Win32.Mytob.bd | 1.39 |
| | | Other malicious programs | 18.28 |

Mytob. Mytob was the flavor of the month in June. We had Mytob with worm and bot capabilities, Mytob without bot capabilities, Mytob packed with one, two or three packers, and so forth. In short, Mytob variants dominated email traffic this month.

Mytob.c maintained the leading position it occupied in both April and May, making it unlikely that NetSky.q, the worm which occupied first place the longest in 2004, will regain first place. Interestingly, both worms have lost points in terms of overall percentage of traffic: the losses are directly in proportion to the increase in the percentage of other malicious programs.

The endless Mytobs left so little space for other worms that all 6 newcomers to the ratings are members of this prolific family. Some of these new worms are simple worms, without botnet capability. This is a change from the recent trend where virus writers include botnet capability in most new worms.

Surprisingly, Zafi.d jumped from ninth to third place - the second largest increase in June. This unexpected surge does not fit into the general pattern of Mytob domination. On the other hand, the appearance of Mytob.be, a new variant which took fourth place, is entirely explicable given the plethora of Mytobs this month.

LovGate - the worm that refuses to die - has been in the top ten for over a year. This is mostly due to a high rate of LovGate infections in China, where many users lack adequate anti-virus protection. Mytob also has connections to Asia: it's reasonable, therefore, to assume that we will be seeing Mytobs in the ratings for many months to come.

Other facts worth noting in the June Top Twenty include Mytob.ar soaring from 18th place to 10th, and the complete disappearance of Bagle and Sober. The last Mydoom remaining in the ratings fell to 17th place, leading us to predict that Mydoom will follow Bagle and Sober into oblivion. This leaves only NetSky to represent the most dangerous worms from 2004 in the July ratings.

The share of malware detected in email traffic that did not make it into the Top Twenty has been increasing steadily all year: from 6.68% in January to 18.28% in June. This is partially due to the fact that malware writers are using individualized worms and Trojans to target specific user groups instead of relying mostly on mass mailings to infect random users.

Summary:

New: Mytob.be, Mytob.bk, Mytob.bf, Mytob.bi, Mytob.ba, Mytob.bd
Moved up: Zafi.d, Mytob.ar, Mytob.au
Moved down: NetSky.aa, LovGate.w, NetSky.b, Zafi.b, Mytob.q, Mytob.u, Mytob.h, Mytob.t, Mydoom.l
No change: Mytob.c, NetSky.q