Malware reports

Virus Top 20 for November 2007

Position Change in position Name Proactive Detection Flag Percentage
Email-Worm.Win32.Scano.gen Trojan.generic 16.03
Net-Worm.Win32.Mytob.t Worm.P2P.generic 9.42
Email-Worm.Win32.NetSky.x Trojan.generic 6.45
Trojan-Spy.HTML.Fraud.ay (phishing email) 6.28
Net-Worm.Win32.Mytob.c Trojan.generic 5.95
Exploit.Win32.IMG-WMF.y (WMF exploit) 5.95
Return (downloader) 5.79
8 +9 Email-Worm.Win32.LovGate.w Trojan.generic 5.45
9 New (downloader) 5.12
Email-Worm.Win32.NetSky.t Trojan.generic 3.64
11 +7 Net-Worm.Win32.Mytob.dam (damaged files) 3.47
Email-Worm.Win32.Womble.a Trojan.generic 3.31
13 +3 Email-Worm.Win32.NetSky.b Trojan.generic 2.15
Net-Worm.Win32.Mytob.j Worm.P2P.generic 1.98
Net-Worm.Win32.Mytob.r Trojan.generic 1.65
Worm.Win32.Feebs.gen Trojan.generic 1.32
Trojan-Downloader.Win32.Agent.ezm Hidden object 1.32
Trojan-Spy.Win32.Keylogger.rp Hidden object 1.32
New Worm.P2P.generic 1.16
Trojan.Win32.Pakes.bpn Hidden object 0.99
Other malicious programs 11.25


Although the malicious programs leading November’s 2007 Email Top Twenty have changed, the data once again highlights the absence of any serious epidemics in mail traffic.

There’s been a sudden change to the leading three malicious programs, caused by Scano.gen’s rocketing twelve places up the table together with the Mytob.t (up 12 places) and NetSky.x (up 8 places) worms. This change simply reflects the insignificant number of malicious programs which are actually spreading via mail traffic.

The volatility of the ratings is currently so marked that any malicious program which is in the ratings this month could either take first place next month, or disappear off the bottom end of the table.

There’s only one program in this month’s Top Twenty which barely changed its position, and that’s Trojan-Spy.HTML. Fraud.ay, a phishing attack. In November this program took fourth place, whereas last month it was in second place. The Trojan program targets users of Yandex.Dengi (the Yandex e-payment system). It’s not a particularly original piece of malicious code, and both antivirus programs and spam filters can detect it easily. Meanwhile, the fake sites which are part of the attack are detected by the anti-phishing modules in popular browsers.

In November, the notorious exploit which used vulnerabilities in Adobe products disappeared from the ratings. Among the leaders of the October Top Twenty was an exploit targeting a vulnerability in Adobe products. However, this month’s data shows that modifications of this program, (a malicious PDF file which acts as a downloader) have disappeared just as quickly as they appeared.

However, another exploit, IMG-WMF.y, set a record this month, on the eve of its second anniversary. This program gained the most positions, rising thirteen places to sixth place overall. This had the side effect of causing the Womble.a, a worm linked with the exploit, to return to the Top Twenty.

There were a relatively large number of returns to the rankings in November: four at once, including, which ended up in seventh place. Add the five new entries (the most ‘successful’ being, which entered the rankings in ninth place) and the rise of LovGate.w by nine places after its re-entry in October, and the November Top Twenty starts to look rather unusual. On one hand, all the old familiar worm families are represented: NetSky, Mydoom, Bagle, Feebs, Nyxem and Scano. On the other hand, the presence of new Trojan-Spy and Trojan-Downloader programs makes this month’s statistics unusual. It’s likely that in the coming months the situation will continue to evolve along similar lines, with the upper part of the table being occupied by email worms, as is traditional, and the lower positions being taken by Trojan programs and exploits.

Other malicious programs made up just over 11.25% of all malicious code in mail traffic, indicating that there is still a relatively large number of other worm and Trojan families in circulation.


  1. New:, Trojan-Downloader.Win32.Agent.ezm, Trojan-Spy.Win32.Keylogger.rp,, Trojan.Win32.Pakes.bpn
  2. Went up: Email-Worm.Win32.Scano.gen, Net-Worm.Win32.Mytob.t, Email-Worm.Win32.NetSky.x, Net-Worm.Win32.Mytob.c, Exploit.Win32.IMG-WMF.y, Email-Worm.Win32.LovGate.w, Net-Worm.Win32.Mytob.dam, Email-Worm.Win32.NetSky.b,
  3. Went down: Trojan-Spy.HTML.Fraud.ay, Email-Worm.Win32.NetSky.t, Worm.Win32.Feebs.gen
  4. Re-entry:, Email-Worm.Win32.Womble.a, Net-Worm.Win32.Mytob.j, Net-Worm.Win32.Mytob.r

Virus Top 20 for November 2007

Your email address will not be published. Required fields are marked *



Operation TunnelSnake

A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The victims are located in Africa, South and South-East Asia.

APT trends report Q1 2021

This report highlights significant events related to advanced persistent threat (APT) activity observed in Q1 2021. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Subscribe to our weekly e-mails

The hottest research right in your inbox