Malware reports

Virus Top 20 for November 2007

Position Change in position Name Proactive Detection Flag Percentage
Email-Worm.Win32.Scano.gen Trojan.generic 16.03
Net-Worm.Win32.Mytob.t Worm.P2P.generic 9.42
Email-Worm.Win32.NetSky.x Trojan.generic 6.45
Trojan-Spy.HTML.Fraud.ay (phishing email) 6.28
Net-Worm.Win32.Mytob.c Trojan.generic 5.95
Exploit.Win32.IMG-WMF.y (WMF exploit) 5.95
Return (downloader) 5.79
8 +9 Email-Worm.Win32.LovGate.w Trojan.generic 5.45
9 New (downloader) 5.12
Email-Worm.Win32.NetSky.t Trojan.generic 3.64
11 +7 Net-Worm.Win32.Mytob.dam (damaged files) 3.47
Email-Worm.Win32.Womble.a Trojan.generic 3.31
13 +3 Email-Worm.Win32.NetSky.b Trojan.generic 2.15
Net-Worm.Win32.Mytob.j Worm.P2P.generic 1.98
Net-Worm.Win32.Mytob.r Trojan.generic 1.65
Worm.Win32.Feebs.gen Trojan.generic 1.32
Trojan-Downloader.Win32.Agent.ezm Hidden object 1.32
Trojan-Spy.Win32.Keylogger.rp Hidden object 1.32
New Worm.P2P.generic 1.16
Trojan.Win32.Pakes.bpn Hidden object 0.99
Other malicious programs 11.25


Although the malicious programs leading November’s 2007 Email Top Twenty have changed, the data once again highlights the absence of any serious epidemics in mail traffic.

There’s been a sudden change to the leading three malicious programs, caused by Scano.gen’s rocketing twelve places up the table together with the Mytob.t (up 12 places) and NetSky.x (up 8 places) worms. This change simply reflects the insignificant number of malicious programs which are actually spreading via mail traffic.

The volatility of the ratings is currently so marked that any malicious program which is in the ratings this month could either take first place next month, or disappear off the bottom end of the table.

There’s only one program in this month’s Top Twenty which barely changed its position, and that’s Trojan-Spy.HTML. Fraud.ay, a phishing attack. In November this program took fourth place, whereas last month it was in second place. The Trojan program targets users of Yandex.Dengi (the Yandex e-payment system). It’s not a particularly original piece of malicious code, and both antivirus programs and spam filters can detect it easily. Meanwhile, the fake sites which are part of the attack are detected by the anti-phishing modules in popular browsers.

In November, the notorious exploit which used vulnerabilities in Adobe products disappeared from the ratings. Among the leaders of the October Top Twenty was an exploit targeting a vulnerability in Adobe products. However, this month’s data shows that modifications of this program, (a malicious PDF file which acts as a downloader) have disappeared just as quickly as they appeared.

However, another exploit, IMG-WMF.y, set a record this month, on the eve of its second anniversary. This program gained the most positions, rising thirteen places to sixth place overall. This had the side effect of causing the Womble.a, a worm linked with the exploit, to return to the Top Twenty.

There were a relatively large number of returns to the rankings in November: four at once, including, which ended up in seventh place. Add the five new entries (the most ‘successful’ being, which entered the rankings in ninth place) and the rise of LovGate.w by nine places after its re-entry in October, and the November Top Twenty starts to look rather unusual. On one hand, all the old familiar worm families are represented: NetSky, Mydoom, Bagle, Feebs, Nyxem and Scano. On the other hand, the presence of new Trojan-Spy and Trojan-Downloader programs makes this month’s statistics unusual. It’s likely that in the coming months the situation will continue to evolve along similar lines, with the upper part of the table being occupied by email worms, as is traditional, and the lower positions being taken by Trojan programs and exploits.

Other malicious programs made up just over 11.25% of all malicious code in mail traffic, indicating that there is still a relatively large number of other worm and Trojan families in circulation.


  1. New:, Trojan-Downloader.Win32.Agent.ezm, Trojan-Spy.Win32.Keylogger.rp,, Trojan.Win32.Pakes.bpn
  2. Went up: Email-Worm.Win32.Scano.gen, Net-Worm.Win32.Mytob.t, Email-Worm.Win32.NetSky.x, Net-Worm.Win32.Mytob.c, Exploit.Win32.IMG-WMF.y, Email-Worm.Win32.LovGate.w, Net-Worm.Win32.Mytob.dam, Email-Worm.Win32.NetSky.b,
  3. Went down: Trojan-Spy.HTML.Fraud.ay, Email-Worm.Win32.NetSky.t, Worm.Win32.Feebs.gen
  4. Re-entry:, Email-Worm.Win32.Womble.a, Net-Worm.Win32.Mytob.j, Net-Worm.Win32.Mytob.r

Virus Top 20 for November 2007

Your email address will not be published. Required fields are marked *



APT trends report Q1 2024

The report features the most significant developments relating to APT groups in Q1 2024, including the new malware campaigns DuneQuixote and Durian, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox