Virus Top Twenty for December 2007

02 Jan 2008
Virus News

| Position | Change in position | Name | Proactive Detection Flag | Percentage (%) |
|---|---|---|---|---|
| 1 | Return | Email-Worm.Win32.NetSky.q | Trojan.generic | 20.03 |
| 2 | New | Trojan-Downloader.Win32.Diehard.dc | Hidden object | 11.64 |
| 3 | New | Email-Worm.Win32.Warezov.xd | | 9.42 |
| 4 | New | Trojan-Downloader.Win32.Diehard.db | Hidden object | 7.94 |
| 5 | -5 | Email-Worm.Win32.Scano.gen | Trojan.generic | 7.42 |
| 6 | Return | Email-Worm.Win32.Bagle.gt | Trojan.generic | 7.41 |
| 7 | New | Trojan-Downloader.Win32.Diehard.dd | Hidden object | 6.15 |
| 8 | Return | Email-Worm.Win32.NetSky.aa | Trojan.generic | 5.81 |
| 9 | -5 | Trojan-Spy.HTML.Fraud.ay | | 3.94 |
| 10 | Return | Email-Worm.Win32.Nyxem.e | Trojan.generic | 2.55 |
| 11 | Return | Email-Worm.Win32.NetSky.d | Trojan.generic | 2.29 |
| 12 | Return | Net-Worm.Win32.Mytob.bt | Trojan.generic | 1.88 |
| 13 | Return | Email-Worm.Win32.Mydoom.l | Trojan.generic | 1.69 |
| 14 | New | Email-Worm.Win32.Scano.bn | Trojan.generic | 1.62 |
| 15 | Return | Email-Worm.Win32.Bagle.gen | Trojan.generic | 1.59 |
| 16 | Return | Email-Worm.Win32.NetSky.y | Trojan.generic | 1.47 |
| 17 | Return | Email-Worm.Win32.Bagle.dx | Trojan.generic | 1.05 |
| 18 | -10 | Email-Worm.Win32.LovGate.w | Trojan.generic | 0.70 |
| 19 | -14 | Net-Worm.Win32.Mytob.c | Trojan.generic | 0.47 |
| 20 | -19 | Net-Worm.Win32.Mytob.t | Worm.P2P.generic | 0.46 |
| | | Other malicious programs | | 4.47 |

At the end of the year, the mail traffic situation suddenly changed. In place of the traditional and somewhat dull domination of the rankings by old email worms, in December we encountered the explosive propagation of a new generation of programs, a generation which are not worms.

It's true that first place this month is taken by the veteran NetSky.q worm. It returned with a leap and a bound from beyond the bottom of the rankings, having not figured in our November Top Twenty at all. It made up 20% of malicious mail traffic – that's almost an epidemic, and it's unclear how a worm which has been in existence for almost 4 years, and which is known to all antivirus companies, has continued to survive and spread to the present day.

It's when we start looking down the rankings that things become much more interesting. Second, fourth and seventh place are all taken by variants of Trojan-Downloader.Win32.Diehard. The .dc modification first appeared on 21st December, but this very short period of time was enough for it to make it into second place. On some days in December it made up more than 80% of all malicious traffic in email!

A year ago, this tactic of mass mailing Trojan components made the Warezov family of worms very successful. It seems as though Warezov now has new competition – after all, the Trojans which are installed to victim machines while Diehard is running do exactly the same as Warezov: they can be used to send spam from infected computers.

Warezov, on the other hand, continues its decline. In December the latest modification of this family of worms, variant .xd, ended up in third place; the four new entrants alone would have been enough to draw conclusions about a revolution in our statistics. However, this isn't the end of the changes.

Bagle.gt, NetSky.aa, and Nyxem.e returned to the rankings. Effectively, out of the top ten places, eight are taken by new entrants. Only Scano.gen and Fraud.ay, which both dropped five places, have remained in the rankings since November.

The situation is the same in the rest of the rankings. There was one new malicious program (Scano.bn) and six re-entries. By comparison, in November only four malicious programs managed to return to the rankings.

These trends threaten to provoke significant changes in mail traffic in the near future. Contrary to predictions, Trojan programs and phishing attacks are ending up near the top of the table more and more frequently. Classic email worms re-enter the rankings, then disappear again, creating a backdrop for the real battle which is taking place. And although these events are not on the same scale or as long lived as epidemics of previous years, they are no less dangerous.

Other malicious programs made up 4.47% of all malicious code in mail traffic, indicating that there is still a certain number of other worm and Trojan families in circulation.

Summary:

  1. New: Trojan-Downloader.Win32.Diehard.dc, Trojan-Downloader.Win32.Diehard.de, Trojan-Downloader.Win32.Diehard.dd, Email-Worm.Win32.Warezov.xd, Email-Worm.Win32.Scano.bn
  2. Went down: Email-Worm.Win32.Scano.gen, Trojan-Spy.HTML.Fraud.ay, Email-Worm.Win32.LovGate.w, Net-Worm.Win32.Mytob.c, Net-Worm.Win32.Mytob.t
  3. Re-entry: Email-Worm.Win32.NetSky.q, Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Nyxem.e, Email-Worm.Win32.NetSky.d, Net-Worm.Win32.Mytob.bt, Email-Worm.Win32.Mydoom.l, Email-Worm.Win32.Bagle.gen, Email-Worm.Win32.NetSky.y, Email-Worm.Win32.Bagle.dx