Malware reports

Virus Top 20 for June 2008

Table of Contents

Position Change in position Name Proactive Detection Flag Percentage
1. No Change
Email-Worm.Win32.NetSky.q Trojan.generic 34.15
2. Up
Email-Worm.Win32.Nyxem.e Trojan.generic 13.16
3. Down
Email-Worm.Win32.NetSky.y Trojan.generic 8.20
4. Up
Net-Worm.Win32.Mytob.t Worm.P2P.generic 5.40
5. Down
Email-Worm.Win32.Scano.gen Trojan.generic 3.89
6. Down
Email-Worm.Win32.NetSky.d Trojan.generic 3.62
7. No Change
Email-Worm.Win32.NetSky.aa Trojan.generic 3.01
8. Return
Email-Worm.Win32.Mydoom.m Trojan.generic 2.95
9. Up
Email-Worm.Win32.Mydoom.l Worm.P2P.generic 2.62
10. Up
Net-Worm.Win32.Mytob.c Trojan.generic 2.48
11. Down
Email-Worm.Win32.NetSky.x Trojan.generic 2.45
12. Down
-3 Trojan.generic 2.42
13. Up
Email-Worm.Win32.NetSky.t Trojan.generic 2.14
14. Down
Email-Worm.Win32.Bagle.gen Trojan.generic 1.46
15. Down
Email-Worm.Win32.NetSky.b Trojan.generic 1.02
16. New!
Net-Worm.Win32.Nimda Invader 0.93
17. New!
New! Invader 0.91
18. Down
Net-Worm.Win32.Mytob.u Trojan.generic 0.67
19. New!
Exploit.Win32.IMG-WMF.y (WMF exploit) 0.65
20. New!
Email-Worm.Win32.LovGate.w Trojan.generic 0.58
Other Malicious Programs 7.29

Summer vacation is in full swing. As a result, changes in the statistics for malicious programs in mail traffic are relatively small. Netsky and Nyxem, the long-standing leaders of the Top Twenty, have merely shifted their positions slightly.

The only meaningful change in the rankings is that Nimda, an old worm which first appeared back in 2001, has resurfaced. Nimda is a versatile worm that spreads not only via email, but also across network drives on local area networks. It also attempts to attack IIS servers on the network. This is a nasty piece of malicious code: it leaves the computer wide open to anyone by adding a Guest user to the Administrators group and making local disks accessible by other computers on the network.

It is also worth mentioning a newcomer to the rankings: Exploit.Win32.IMG-WMF.y. Exploits being sent by email pose a serious threat to users, as some email clients display media content without first prompting the user. This exposes the computer to automatic infection. The user doesn’t need to give permission for the attachment to be saved or run – the malicious code will execute automatically when the user views the message.

Other malicious programs made up a significant 7.29% of all malicious code found in mail traffic in June.

The Top Twenty countries which acted as sources of infected emails in June are shown below:

Position Change Country Percentage
1 No Change
United States 18.95
2 Up
South Korea 7.97
3 Up
China 5.79
4 No Change
Spain 5.44
5 Up
Brazil 4.97
6 Up
Russia 4.41
7 Up
United Kingdom 4.28
8 Down
Germany 4.28
9 Down
France 3.86
10 Down
Poland 2.71
11 Down
India 2.65
12 Down
Italy 2.65
13 No Change
Japan 2.00
14 Up
Argentina 1.97
15 Down
Isreal 1.89
16 No Change
Turkey 1.49
17 Down
Canada 1.31
18 Down
The Netherlands 1.17
19 Down
Australia 1.16
20 New!
Ukraine 1.12
Other Countries 19.95


  • New: Net-Worm.Win32.Nimda,, Exploit.Win32.IMG-WMF.y, Email-Worm.Win32.LovGate.w.
  • Moved up: Email-Worm.Win32.Nyxem.e, Net-Worm.Win32.Mytob.t, Email-Worm.Win32.Mydoom.l, Net-Worm.Win32.Mytob.c, Email-Worm.Win32.NetSky.t.
  • Moved down: Email-Worm.Win32.NetSky.y, Email-Worm.Win32.Scano.gen, Email-Worm.Win32.NetSky.d, Email-Worm.Win32.NetSky.x,, Email-Worm.Win32.Bagle.gen, Email-Worm.Win32.NetSky.b, Net-Worm.Win32.Mytob.u.
  • Returned: Email-Worm.Win32.Mydoom.m.
  • No change: Email-Worm.Win32.NetSky.q, Email-Worm.Win32.NetSky.aa.

Virus Top 20 for June 2008

Your email address will not be published. Required fields are marked *



Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

What did DeathStalker hide between two ferns?

While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware “PowerPepper”.

Subscribe to our weekly e-mails

The hottest research right in your inbox