Virus Top Twenty for March 2005

01 Apr 2005
Virus News

Position  Change in position  Name                              Percentage
1.        +1                  Email-Worm.Win32.NetSky.q         27.76
2.        +5                  Email-Worm.Win32.NetSky.aa        9.01
3.        +2                  Email-Worm.Win32.NetSky.b         8.84
4.        New                 Net-Worm.Win32.Mytob.c            8.21
5.        +7                  Email-Worm.Win32.Lovgate.w        4.48
6.        -3                  Email-Worm.Win32.Zafi.d           4.47
7.        -6                  Email-Worm.Win32.Zafi.b           3.86
8.        -                   Email-Worm.Win32.Mydoom.m         3.52
9.        +4                  Email-Worm.Win32.NetSky.d         3.05
10.       +1                  Email-Worm.Win32.Mydoom.l         2.77
11.       -1                  Email-Worm.Win32.NetSky.y         2.27
12.       +2                  Email-Worm.Win32.NetSky.x         1.58
13.       +2                  Email-Worm.Win32.NetSky.r         1.44
14.       +3                  Email-Worm.Win32.NetSky.t         1.32
15.       +1                  Email-Worm.Win32.Bagle.ai         1.03
16.       -10                 Email-Worm.Win32.Bagle.at         1.00
17.       -13                 Email-Worm.Win32.Bagle.ay         0.92
18.       Re-entry            Email-Worm.Win32.Lovgate.ae       0.91
19.       New                 Trojan-Spy.HTML.Bankfraud.dq      0.69
20.       Re-entry            Email-Worm.Win32.Bagle.gen        0.59
          Other malicious programs                              12.28

The situation we have seen for the past few months continues, with Bagle, NetSky, Mydoom, Zafi and Lovgate competing with each other for places in our rankings. This month our top three has changed again, with NetSky taking all three top places for the first time this year. Heading the chart is NetSky.q, the most widespread worm of 2004.

A surprise this month was the appearance of Mytob, a completely new family of worms. Malicious programs from this family are spreading actively, and Mytob.c, which was first detected on 4th March, is already in 4th place. This version is still spreading fast, and at the time of writing it is effectively heading the table. The other 15 versions of Mytob are relatively inactive in comparison with Mytob.c.

Analysis shows that source code from Mydoom.a was used to create Mytob. However, some changes were made: in addition to spreading by email, Mytob also propagates via the LSASS vulnerability in the same way that Sasser did. This means that the worm has two replication mechanisms, which makes it a dangerous opponent indeed. Lovgate.w still maintains a presence in our Top Twenty, continuing to move up and down the table - this month it jumped up 7 places. And Lovgate.ae, another representative of this family, is also back in our rankings this month.

An interesting point this month is the fall of Zafi; in February this worm occupied 1st and 3rd place, but in March it has slid down to 6th and 7th place. The Hungarian worm has never been so low in the ratings. This may be an indication that Zafi will gradually disappear from mail traffic, although NetSky and Mydoom are evidence of how long some of the older viruses can maintain their presence on the Internet.

As for the rest of March's Top Twenty, there are two other particular points of interest.

The first is that Bagle is still moving down the rankings, with Bagle.at and Bagle.ay occupying 10th and 13th place respectively. These worms, which were up there with the leaders in February, seem to have been sapped of their strength. Attempts to use these worms to cause a global epidemic seem to have been in vain, perhaps because they were quickly blocked by antivirus companies and ISPs.

Still on the subject of Bagle, during one 24-hour period in March the authors of this worm released more than 10 new variants on the Internet. However, none of these versions managed to cause an outbreak. In the middle of the month we released a generic detection for all of these worms, Bagle.pac, which came in 50th place, showing that these worms made up a mere 0.12% of all mail traffic in March.

Secondly, as has become traditional, Trojan-Spy.HTML is still occupying a place in the Top Twenty. These malicious programs are used for phishing attacks, stealing the confidential data of users of on-line banking systems. In February our Trojan-Spy was Smitfraud, targeting clients of Smith Barney, and in March its place was taken by Bankfraud.dq, which targeted users of Regions.com.

This month a relatively large number of other malicious programs was detected, making up 12.28% of the malicious traffic intercepted. This shows that a large number of worms and Trojan programs from other families are still circulating.

Summary:

New: Mytob.c, Bankfraud.dq
Moved up: NetSky.q, NetSky.aa, NetSky.b, Lovgate.w, NetSky.d, Mydoom.l, NetSky.x, NetSky.r, NetSky.t, Bagle.ai
Moved down: Zafi.d, Zafi.b, NetSky.y, Bagle.at, Bagle.ay
Re-appeared: Mydoom.m
No change: Bagle.gen, Lovgate.ae