Virus Top Twenty for July 2007

01 Aug 2007
Virus News

| Position | Change in position | Name | Proactive Detection Flag | Percentage |
|---|---|---|---|---|
| 1 | New! | Email-Worm.Win32.Warezov.pk | not detected – Downloader* | 22.72 |
| 2 | Down -1 | Email-Worm.Win32.NetSky.q | Trojan.generic | 14.22 |
| 3 | Down -1 | Email-Worm.Win32.Bagle.gt | Trojan.generic | 8.67 |
| 4 | Down -1 | Email-Worm.Win32.NetSky.t | Trojan.generic | 6.79 |
| 5 | Up +1 | Worm.Win32.Feebs.gen | Hidden Data Sending | 6.47 |
| 6 | Down -2 | Email-Worm.Win32.NetSky.aa | Trojan.generic | 6.22 |
| 7 | No Change 0 | Net-Worm.Win32.Mytob.c | Trojan.generic | 4.04 |
| 8 | Up +2 | Email-Worm.Win32.Mydoom.l | Trojan.generic | 3.57 |
| 9 | Up +2 | Email-Worm.Win32.Nyxem.e | Trojan.generic | 3.3 |
| 10 | Up +7 | Exploit.Win32.IMG-WMF.y | | 2.58 |
| 11 | Up +1 | Email-Worm.Win32.NetSky.b | Trojan.generic | 2.57 |
| 12 | Up +7 | Email-Worm.Win32.NetSky.x | Trojan.generic | 1.60 |
| 13 | Up +3 | Net-Worm.Win32.Mytob.t | Worm.P2P.generic | 1.53 |
| 14 | Up +4 | Net-Worm.Win32.Mytob.u | Worm.P2P.generic | 1.34 |
| 15 | Return | Email-Worm.Win32.Mydoom.m | Trojan.generic | 1.23 |
| 16 | New! | Email-Worm.Win32.Womble.d | Trojan.generic | 1.21 |
| 17 | Return | Email-Worm.Win32.Scano.gen | Trojan.generic | 1.20 |
| 18 | Return | Email-Worm.Win32.Zhelatin.dam | [Damaged] | 1.00 |
| 19 | Down -6 | Virus.Win32.Grum.a | not detected – Virus*** | 0.92 |
| 20 | Return | Email-Worm.Win32.LovGate.w | Trojan.generic | 0.62 |
| | | Other malicious programs | | 8.12 |

* — Downloader, results in an error if the file is missing from the site.

** — a file in the WMF graphics format.

*** — The PDM module is not intended for combating classic computer viruses.

The activity of the botnet that was created in May via the Agent.bqs Trojan was only reaching its “design capacity” in June; by July it was in full swing. Another member of the Warezov family, which is distributed by this zombie network, reached the top position on the chart, accounting for 22% of the malicious code in mail traffic. Although there were four Warezov variants in our June rankings and only one in our July charts, this does not mean that the threat has abated. On the contrary, the top position achieved in July will be followed by more spam-and-virus mailings, which in a few months will probably culminate in another “Warezov madness” comparable to the one that took place in October 2006, when we detected more than twenty new variants of the worm every day.

Veterans of the virus scene, NetSky.q and .t, have each moved one position down, but in percentage terms their presence in mail traffic has remained almost at the same level as last month – 14% and 16% respectively. Bagle.gt has also moved one position down but remained one of the top three malicious programs.

On the whole, despite the blast-off of Warezov.pk, which was first detected on June 26 and peaked in early July, the situation remains stable (it is actually quite rare for the rankings to be so stable, with Warezov.pk being one of only two newcomers to the Top Twenty). The conditions are not favorable for new global epidemics, so the main threat is posed by local attacks targeting users in individual countries.

In general, the top fifteen positions of the chart saw some shifting among old worms. The most significant growth in July (+7 positions) was demonstrated by Exploit.Win32.IMG-WMF.y. There is a good reason for this: the second newcomer in our ranking, the Womble.d mail worm, uses this exploit as one of its methods of spreading. This is a relatively old worm, “released” in September 2006, but it is only now that it has managed to spread noticeably.

It is worth mentioning that Scano.gen and LovGate.w are back in our Top Twenty charts, though these worms are unlikely to make much of an impact in the coming months. Also noteworthy is the return of the Zhelatin.dam variant, which may be an indication that this family is not going away any time soon. Other malicious programs made up 8.12% of all malicious code in mail traffic, indicating that there is still a relatively large number of other worm and Trojan families in circulation.

Summary:

  • New: Email-Worm.Win32.Warezov.pk, Email-Worm.Win32.Womble.d
  • Moved up: Worm.Win32.Feebs.gen, Email-Worm.Win32.Mydoom.l, Email-Worm.Win32.Nyxem.e, Exploit.Win32.IMG-WMF.y, Email-Worm.Win32.NetSky.b, Email-Worm.Win32.NetSky.x, Net-Worm.Win32.Mytob.t, Net-Worm.Win32.Mytob.u
  • Moved down: Email-Worm.Win32.NetSky.q, Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.NetSky.t, Email-Worm.Win32.NetSky.aa, Virus.Win32.Grum.a
  • Re-entry: Email-Worm.Win32.Mydoom.m, Email-Worm.Win32.Scano.gen, Email-Worm.Win32.Zhelatin.dam, Email-Worm.Win32.LovGate.w