Virus Top 20 for November 2007

Position Change in position Name Proactive Detection Flag Percentage
Email-Worm.Win32.Scano.gen Trojan.generic 16.03
Net-Worm.Win32.Mytob.t Worm.P2P.generic 9.42
Email-Worm.Win32.NetSky.x Trojan.generic 6.45
Trojan-Spy.HTML.Fraud.ay (phishing email) 6.28
Net-Worm.Win32.Mytob.c Trojan.generic 5.95
Exploit.Win32.IMG-WMF.y (WMF exploit) 5.95
Return (downloader) 5.79
8 +9 Email-Worm.Win32.LovGate.w Trojan.generic 5.45
9 New (downloader) 5.12
Email-Worm.Win32.NetSky.t Trojan.generic 3.64
11 +7 Net-Worm.Win32.Mytob.dam (damaged files) 3.47
Email-Worm.Win32.Womble.a Trojan.generic 3.31
13 +3 Email-Worm.Win32.NetSky.b Trojan.generic 2.15
Net-Worm.Win32.Mytob.j Worm.P2P.generic 1.98
Net-Worm.Win32.Mytob.r Trojan.generic 1.65
Worm.Win32.Feebs.gen Trojan.generic 1.32
Trojan-Downloader.Win32.Agent.ezm Hidden object 1.32
Trojan-Spy.Win32.Keylogger.rp Hidden object 1.32
New Worm.P2P.generic 1.16
Trojan.Win32.Pakes.bpn Hidden object 0.99
Other malicious programs 11.25


Although the malicious programs leading November’s 2007 Email Top Twenty have changed, the data once again highlights the absence of any serious epidemics in mail traffic.

There’s been a sudden change to the leading three malicious programs, caused by Scano.gen’s rocketing twelve places up the table together with the Mytob.t (up 12 places) and NetSky.x (up 8 places) worms. This change simply reflects the insignificant number of malicious programs which are actually spreading via mail traffic.

The volatility of the ratings is currently so marked that any malicious program which is in the ratings this month could either take first place next month, or disappear off the bottom end of the table.

There’s only one program in this month’s Top Twenty which barely changed its position, and that’s Trojan-Spy.HTML. Fraud.ay, a phishing attack. In November this program took fourth place, whereas last month it was in second place. The Trojan program targets users of Yandex.Dengi (the Yandex e-payment system). It’s not a particularly original piece of malicious code, and both antivirus programs and spam filters can detect it easily. Meanwhile, the fake sites which are part of the attack are detected by the anti-phishing modules in popular browsers.

In November, the notorious exploit which used vulnerabilities in Adobe products disappeared from the ratings. Among the leaders of the October Top Twenty was an exploit targeting a vulnerability in Adobe products. However, this month’s data shows that modifications of this program, (a malicious PDF file which acts as a downloader) have disappeared just as quickly as they appeared.

However, another exploit, IMG-WMF.y, set a record this month, on the eve of its second anniversary. This program gained the most positions, rising thirteen places to sixth place overall. This had the side effect of causing the Womble.a, a worm linked with the exploit, to return to the Top Twenty.

There were a relatively large number of returns to the rankings in November: four at once, including, which ended up in seventh place. Add the five new entries (the most ‘successful’ being, which entered the rankings in ninth place) and the rise of LovGate.w by nine places after its re-entry in October, and the November Top Twenty starts to look rather unusual. On one hand, all the old familiar worm families are represented: NetSky, Mydoom, Bagle, Feebs, Nyxem and Scano. On the other hand, the presence of new Trojan-Spy and Trojan-Downloader programs makes this month’s statistics unusual. It’s likely that in the coming months the situation will continue to evolve along similar lines, with the upper part of the table being occupied by email worms, as is traditional, and the lower positions being taken by Trojan programs and exploits.

Other malicious programs made up just over 11.25% of all malicious code in mail traffic, indicating that there is still a relatively large number of other worm and Trojan families in circulation.


  1. New:, Trojan-Downloader.Win32.Agent.ezm, Trojan-Spy.Win32.Keylogger.rp,, Trojan.Win32.Pakes.bpn
  2. Went up: Email-Worm.Win32.Scano.gen, Net-Worm.Win32.Mytob.t, Email-Worm.Win32.NetSky.x, Net-Worm.Win32.Mytob.c, Exploit.Win32.IMG-WMF.y, Email-Worm.Win32.LovGate.w, Net-Worm.Win32.Mytob.dam, Email-Worm.Win32.NetSky.b,
  3. Went down: Trojan-Spy.HTML.Fraud.ay, Email-Worm.Win32.NetSky.t, Worm.Win32.Feebs.gen
  4. Re-entry:, Email-Worm.Win32.Womble.a, Net-Worm.Win32.Mytob.j, Net-Worm.Win32.Mytob.r

Virus Top 20 for November 2007

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox