Malware reports

Virus Top Twenty and Review for January 2003

Kaspersky Labs presents a review of computer virus activity for January 2003.

The Top Twenty Most Widespread Malicious Programs

The percentage shown represents the percentage of registered incidences.

position virus percentage by occurrence
1 I-Worm.Klez 16.65%
2 I-Worm.Lentin 8.75%
3 I-Worm.Sobig 6.57%
4 I-Worm.Avron 6.55%
5 Macro.Word97.Thus 5.17%
6 I-Worm.Hybris 3.13%
7 I-Worm.Roron 2.46%
8 I-Worm.Tanatos 1.92%
9 <!–!–> Backdoor.NetDevil 1.25%
11 I-Worm.Magistr 0.95%
12 Macro.Word97.Marker 0.95%
13 Worm.Win32.Opasoft 0.79%
15 Win95.CIH 0.72%
16 <!–!–>Trojan.Spy.SCKeyLog 0.71%
17 Backdoor.Death 0.67%
18 <!–!–>VBS.Redlof 0.66%
19 Win32.Elkern 0.66%
20 Win32.FunLove 0.65%
*Other Dangerous Programs *38.87%

*not counted among the 20 most widespread

This rating of the most widespread malicious programs does not reflect the noise created by the network worm “Helkern” at the end of January. The reason for this is the standard method used to gather statistics (counting user reports and data from public access e-mail systems) does not yield precise enough information to generate accurate research statistics. Governmental and commercial organizations alike prefer to not publicize episodes such as worms penetrating their networks. Additionally, monitoring e-mail traffic simply does not help improve the situation, as “Helkern” does not use e-mail to spread itself. Alternative sources for data, so called “honeypots” for catching malicious packets, also don’t lend accurate data in terms of the actual number of computer infections. In the end, the means at our disposal are only empirical methods for defining the scale of epidemics and are not applicable for compiling monthly virus ratings.

The most pessimistic estimations have “Helkern” infecting approximately eighty thousand computers the world over. If to compare this indicator with the virus statistics of the Top Twenty list for January, it is safe to say that the “Helkern” worm actually took first place, provoking nearly 50% of all January virus incidences.

Most January infections were caused by network worms (77.19 %), programs that can spread via the Internet (e-mail, Web-services, Internet messengers, IRC channels, etc.). In second place are computer viruses (16.33) – especially prominent were Macro viruses. Trojan programs (6.49%) occupy the third position. The data shows a break in the trend started toward the end of 2002, when network worms experienced a percentage decline. Although, it is important to note that “Helkern” did not register in the source data for this review. If it were factored into the top twenty the entire picture would undoubtedly change and the share held by network worms would jump to a whopping 90%.

Virus Top Twenty and Review for January 2003

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox