Our forecasts for September turned out not to be spot on. Trojan-Downloader.Win32.Agent.brk, which was spreading actively in August, didn't extend the botnet that it builds, and as a result, there's not a single Warezov variant in September's Top Twenty.
However, the authors of another email worm, Zhelatin (aka the Storm worm) stepped up their activity. Throughout August security companies provided regular reports and estimates on the scale of the botnet created by the worm. Some estimates were as high as 2 million infected computers around the world – indicating that a new epidemic was on the horizon. However, September was remarkably calm from this point of view. Either the numbers were erroneous, or the authors of Zhelatin have decided to take a break until law enforcement agencies around the world direct their attention elsewhere.
Netsky.q is once again in first place. This worm has finally achieved notoriety as the most widespread malicious program in the history of the Internet. Mydoom.a remains the leader in terms of numbers (this worm infected 8 out of every ten emails at the peak of the epidemic in January 2004) but Netsky is way out in front overall.
Keeping the leader company in the top five positions are other longtime residents of the rankings: Netsky.aa, Mydoom.l, Bagle.gt, and Nyxem.e, in a surprising comeback. This worm was first detected in January 2006, with the peak of the epidemic being in summer/ autumn of the same year. We've seen this worm disappear from the rankings many times, but somehow it always manages to stage a comeback and climb to near the top of the table.
Exploit.Win32.IMG.WMF.y has become slightly less common. Having risen seven places up the table in August, in September it fell five places. However, its main partner, the Womble worm, remains unshakeable in sixteenth place. It's almost inevitable that in October we will again see these two in the mail traffic rankings.
Feebs.gen and Scano.gen, both script worms, managed to effectively retain their positions: Feebs fell by a mere two places, and Scano managed to hang onto twelfth place (having risen five positions in August), indicating that these programs will continue to be active in the future.
The only newcomer to the rankings is a phishing attack on PayPal customers: Trojan-Spy.HTML.Paylap.bg. The first examples of this phishing email were detected back in January 2005. And after two and a half years, some unknown malicious users have decided to breathe new life into this old approach, but not terribly successfully. Kaspersky® Anti-Virus detected this mass-mailing without the need for new signatures, simply using the old records from 2005.
Other malicious programs made up 8.92% of all malicious code in mail traffic, indicating that there is still a relatively large number of other worm and Trojan families in circulation.
- New: Trojan-Spy.HTML.Paylap.bg
- Went up: Email-Worm.Win32.NetSky.aa, Net-Worm.Win32.Mydoom.l, Net-Worm.Win32.Mytob.dam
- Went down: Email-Worm.Win32.Bagle.gt, Net-Worm.Win32.Mytob.c, Worm.Win32.Feebs.gen, Email-Worm.Win32.NetSky.t, Exploit.Win32.IMG-WMF.y, Email-Worm.Win32.Mytob.t, Email-Worm.Win32.Mytob.u
- Re-entry: Email-Worm.Win32.Nyxem.e, Email-Worm.Win32.NetSky.d, Email-Worm.Win32.Mydoom.e, Email-Worm.Win32.NetSky.y