Malware reports

Virus Top 20 for April 2008

Position Change in position Name Proactive Detection Flag Percentage
1. No Change
0
Email-Worm.Win32.NetSky.q Trojan.generic 40.58
2. Up
+1
Email-Worm.Win32.NetSky.d Trojan.generic 8.18
3. Up
+6
Email-Worm.Win32.NetSky.y Trojan.generic 7.62
4. Up
+3
Email-Worm.Win32.Bagle.gt Trojan.generic 6.64
5. Up
+1
Email-Worm.Win32.Scano.gen Trojan.generic 6.47
6. Up
+2
Email-Worm.Win32.NetSky.aa Trojan.generic 5.81
7. New!
New!
Trojan-Downloader.Win32.Agent.ica downloader 3.08
8. Down
-5
Email-Worm.Win32.Nyxem.e Trojan.generic 3.01
9. New!
New!
Net-Worm.Win32.Mytob.x Worm.P2P.generic 2.94
10. New!
New!
Net-Worm.Win32.Mytob.r Worm.P2P.generic 2.68
11. Down
-1
Email-Worm.Win32.Bagle.gen Trojan.generic 1.73
12. Up
+3
Email-Worm.Win32.Scano.bn Trojan.generic 1.19
13. Down
-2
Email-Worm.Win32.Mydoom.l Worm.P2P.generic 1.07
14. New!
New!
Net-Worm.Win32.Mytob.bk Worm.P2P.generic 0.91
15. Down
-13
Email-Worm.Win32.Mydoom.m Trojan.generic 0.89
16. Up
+1
Email-Worm.Win32.NetSky.c Trojan.generic 0.70
17. Return
Return
Net-Worm.Win32.Mytob.c Trojan.generic 0.69
18. No Change
0
Email-Worm.Win32.NetSky.t Trojan.generic 0.62
19. New!
New!
Email-Worm.Win32.Bagle.dx Trojan.generic 0.47
20. New!
New!
Email-Worm.Win32.NetSky.ac Trojan.generic 0.47
Other Malicious Programs 4.06

In April 2008, malicious code in mail traffic underwent significant changes in comparison to the previous month. Net-Womr.Win32.Mytob.t and Email-Worm.Win32.Mydoom.m, which had been pushing their way to the top by jumping ten places last month suddenly appeared to run out of steam: one slid back down the rankings, while the other disappeared off the bottom of the table altogether. At the same time, new malicious programs appeared in the Top Twenty, something which didn’t happen in March.

The most recent mass mailing of the Diehard Trojan took place in February, and it seems that the authors are taking a break from spreading their creation widely. Our suppositions in March that this Trojan might end up lying low, rather than actively attacking, seem to be borne out by the absence of the program from this month’s Top Twenty.

Once again, it’s worms that have been around for some time which are out in full strength, with a range of modifications of Email-Worm.Win32.Netsky taking up seven out of twenty places in the rankings. This could be seen as a certain measure of success for the virus writers, especially if you consider that these modifications made up almost 64% of all infected mail traffic in April.

Trojan-Downloader.Win32.Small.hsl, which appeared in February and which rose to fifth place, has disappeared, being replaced by Trojan-Downloader.Win32.Agent.ica. However, the displacement of one Trojan-Downloader program by another is mere coincidence: the two programs have nothing in common, being constructed in completely different ways and created using different versions of Microsoft Visual Studio.

Neither Zhelatin (a.k.a. the Storm Worm) nor Warezov, which vanished from the rankings in February, have returned. It seems their authors may have decided against spreading their creations by using email attachments.

Overall, the picture created by the April 2008 statistics once again confirms the fact that new malicious programs are not being sent as attachments to emails. This tried and tested method, which is very resource intensive (at least when carrying out the initial mass mailing) is mainly used by the veteran malicious programs – those with email worm functionality. It’s only rarely that we see Trojan-Downloader programs that put in a brief appearance in the Top Twenty; this is probably the result of mass mailings being conducted by malicious users who are new to the scene.

Overall, malicious programs made up 0.95% of all mail traffic scanned by Kaspersky Lab systems in April 2008. Other malicious programs made up a certain percentage (4.06%) of all malicious code found in mail traffic, indicating that a number of other worms and Trojans are currently in active circulation.

The Top Twenty countries which acted as sources of infected emails in March are shown below:

Position Change Country Percentage
1 No Change
0
the US 18.50
2 Up
+2
Korea, Republic of 9.99
3 Up
+4
Spain 8.12
4 Down
-2
China 5.30
5 Up
+7
Poland 5.11
6 Up
+3
France 4.99
7 Up
+1
Brazil 4.28
8 Down
-2
Germany 3.98
9 Down
-4
UK 3.47
10 No Change
0
Italy 3.05
11 New!
New!
Israil 2.31
12 Down
-9
India 2.25
13 Down
-2
Japan 2.07
14 New!
New!
Argentine 1.63
15 No Change
0
Turkey 1.36
16 Down
-2
Australia 1.16
17 Up
+2
Netherlands 1.14
18 New!
New!
Rumania 1.11
19 Down
-2
Canada 1.06
20 Down
-7
Russia 0.97
Other countries 18.15

Summary:

  • Went up:
    Email-Worm.Win32.NetSky.d, Email-Worm.Win32.NetSky.y, Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.Scano.gen, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Scano.bn, Email-Worm.Win32.NetSky.c

  • Went down:
    Email-Worm.Win32.Nyxem.e, Email-Worm.Win32.Bagle.gen, Email-Worm.Win32.Mydoom.l, Email-Worm.Win32.Mydoom.m,

  • Re-entry:
    Net-Worm.Win32.Mytob.c

  • No change:
    Email-Worm.Win32.NetSky.q, Email-Worm.Win32.NetSky.t

Virus Top 20 for April 2008

Your email address will not be published. Required fields are marked *

 

Reports

How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox