|Position||Change in position||Name||Proactive Detection Flag*||Percentage|
|5.|| Return||Email-Worm.Win32.Bagle.gen||Trojan.generic +
|6.|| New!||Trojan-Downloader.Win32.Small.dam||Trojan.generic +
|8.|| New!||Trojan-Downloader.Win32.Small.ciw||Trojan.generic +
|10.|| Return||Email-Worm.Win32.Mydoom.l||Trojan.generic +
|14.|| Return||Worm.Win32.Feebs.gen||Hidden Data Sending||1,12|
|15.|| New!||Trojan-Proxy.Win32.Lager.dp||Trojan.generic +
|17.|| -2||Email-Worm.Win32.Warezov.do||Trojan.generic +
|20.|| -3||Exploit.Win32.IMG-WMF.y||Data Execution +
|Other malicious programs||3,99|
|* — Starting from this year, our Top 20 charts include information on alerts displayed by the proactive defense technology. A proactive defense module is currently implemented in Kaspersky Anti-Virus 6.0 and Kaspersky Internet Security 6.0. The module proactively detects unknown IT threats based on their behavior rather than signatures and alerts the user of any potential danger.|
When Bagle.gt appeared in our Top Twenty for December 2006, we believed that this might indicate an intensification of the struggle between virus writers to gain control of users' computers. Why? The end of 2006 was notable for the steady evolution of Warezov, another worm, which so far has more than 300 variants. Warezov and Bagle are in direct competition with each other: they both harvest databases containing email addresses, and make it possible to send spam via the infected machines. This type of business is extremely profitable, so the authors of Bagle could not fail to react to the appearance of a competitor. In December Bagle.gt took fifth place, and has since risen to first place. It currently makes up nearly 30% of mail traffic, showing that it will probably continue to cause problems for Internet users for some time to come.
For the moment at least, all Warezov variants are being beaten back by Bagle and other malicious programs. This is supported by the fact that only Warezov.do has remained in the ratings, and in seventeenth place at that. February will show whether or not Warezov has been dealt a mortal blow; it is, of course, possible, that we have not heard the last of this worm.
Usually when the viruses at the top of the ratings change places, the rest of the Top Twenty also undergoes a reshuffle in terms of new malicious programs and returnees. The newcomers in January were very interesting.
Most significant are the programs occupying sixth and eighth place in the rankings: Trojan-Downloader.Win32.Small.dam and .ciw. In spite of the fact that they have different variant names, these are effectively one and the same Trojan - the 'storm worm' which was widely written about by the media in January. This worm spreads via the Internet as an attachment to messages, allegedly bringing news of the terrible hurricane in Western Europe, the death of President Putin, and the resurrection of Saddam Hussein. This piece of malware was initially thought to be a new variant of Warezov. However, detailed analysis showed that the program was a totally new family which appeared to be of Asian origin. It may be that there will now be a third player joining the Bagle-Warezov contest. Incidentally, from February onwards we will categorize programs from this family as Email-Worm.Win32.Zhelatin, and we will be tracking its activity.
One of the numerous Mytob variants, Mytob.bt, comes in at thirteenth place. It has been circulating on the Internet for a while now, but has only just managed to make it into our rankings. Somewhat more interesting is fifteenth place, occupied by a Trojan program: Trojan-Proxy.Win32.Lager.dp. As this program is not a worm, and therefore unable to propagate on its own, the fact that it has managed to reach fifteenth place shows that it was spammed on a wide scale. And once again, Lager.dp confirms that virus writers want to use victim machines as spamming platforms - the Trojan functions as an email proxy server.
Given all the evidence above we can say for certain that spam will be on the increase in February 2007.
Other malicious programs made up a small - 3.99% - percentage of all malicious programs intercepted in mail traffic.