
Virus Top Twenty for April 2004

Position Change in position Name Percentage by occurrence (%)
1 0 I-Worm.Netsky.b 36.42%
2 +3 I-Worm.Netsky.q 18.64%
3 new I-Worm.Netsky.t 12.32%
4 -2 I-Worm.Mydoom.a 5.92%
5 -3 I-Worm.Netsky.d 5.01%
6 new I-Worm.Netsky.aa 3.26%
7 -3 I-Worm.Mydoom.e 2.30%
8 new I-Worm.Netsky.r 2.15%
9 new I-Worm.Netsky.y 2.03%
10 -4 I-Worm.Swen 1.62%
11 -3 I-Worm.Mydoom.g 1.51%
12 -3 I-Worm.Netsky.c 1.13%
13 -3 I-Worm.Bagle.i 0.60%
14 new I-Worm.LovGate.w 0.59%
15 +2 I-Worm.Lentin.v 0.47%
16 new I-Worm.Netsky.m 0.46%
17 new I-Worm.Netsky.o 0.42%
18 -5 I-Worm.Klez.h 0.30%
19 -1 I-Worm.Mimail.a 0.26%
20 re-entry I-Worm.Dumaru.a 0.25%
Other malicious programs* 4.34%
* not included in the Top Twenty

April 2004 turned out to be a quiet month – relatively speaking: relative, that is, to March 2004, the worst month in computer virus history to date. In April, NetSky won the new-variants sweepstakes, where Bagle had won in March. Six new Netsky variants pushed Bagle.i down to a mere 13th place. In fact, it is fair to say that Netsky seems to have won the virus war fought so fiercely by the Bagle and Netsky authors in February and March.

However, he who laughs last laughs best: the arrest of the 18-year-old German coder claiming to be the author of the Netsky worms may mean that Bagle still has a chance to have the last laugh in the virus wars. Not an optimistic scenario for the computing community, but certainly a possibility. In the meantime, not only did NetSky.b manage to retain the first place it held in March, but NetSky variants also took second and third place.

The Mydoom worms are continuing to slip in the ratings, both falling 3-4 places. We may see one or both disappear in the May ratings. Swen, one of last year’s favourites, is, surprisingly enough, still in the top 10. Sadly, this confirms the success of the social engineering implemented by the author – Swen arrives disguised as a ‘hot update’ from Microsoft, and people are still falling for this trick.

It is interesting to note that Lentin.v, first detected in December 2003, is creeping up in the ratings, moving from 17th to 15th place. Lentin.v and the newcomer LovGate.w (in 14th place) demonstrate that classic propagation methods do still work.

Klez.h is simply amazing! The worm was detected exactly two years ago and has been in the top twenty ever since. We can only guess at how many computers have been infected over these two years, but the figure must by now be in the millions.

And finally, we have Dumaru and Mimail. Only the very first variants of both worms remain in the top twenty. NetSky has scored again, since NetSky removes Mimail variants and other viruses from infected systems.

This month, other malicious programs made up a significant proportion of overall traffic. On the other hand, we registered only a little over 500 different types of malware, i.e. less than half the number detected in March.


New entries: 6 Netsky variants and LovGate.w

Moved up: Netsky.q and Lentin.v

Moved down: Mydoom.a, Netsky.d, Mydoom.e, Swen, Mydoom.g, Netsky.c, Bagle.i, Klez.h and Mimail.a
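Before a ranking like the one above is used to prioritise signature updates or mail-gateway rules, it is worth checking that the table is internally consistent: that the shares add up to 100%, that the "new", "moved up" and "moved down" summaries really follow from the change column, and how much of the traffic a single family accounts for. The following parser is an added example and not part of the original report; the table text is the April 2004 list reproduced from the page (including the decimal-comma row, which the parser normalises), and the family-aggregation rule (second dot-separated component of the name) is an assumption that fits the naming scheme used here.

```python
import re
from collections import defaultdict
from decimal import Decimal

# Constructed input: the April 2004 Top Twenty exactly as printed on the page,
# one row per line (note the decimal comma on row 17, copied from the page).
TOP_TWENTY_APRIL_2004 = """\
1 0 I-Worm.Netsky.b 36.42%
2 +3 I-Worm.Netsky.q 18.64%
3 new I-Worm.Netsky.t 12.32%
4 -2 I-Worm.Mydoom.a 5.92%
5 -3 I-Worm.Netsky.d 5.01%
6 new I-Worm.Netsky.aa 3.26%
7 -3 I-Worm.Mydoom.e 2.30%
8 new I-Worm.Netsky.r 2.15%
9 new I-Worm.Netsky.y 2.03%
10 -4 I-Worm.Swen 1.62%
11 -3 I-Worm.Mydoom.g 1.51%
12 -3 I-Worm.Netsky.c 1.13%
13 -3 I-Worm.Bagle.i 0.60%
14 new I-Worm.LovGate.w 0.59%
15 +2 I-Worm.Lentin.v 0.47%
16 new I-Worm.Netsky.m 0.46%
17 new I-Worm.Netsky.o 0,42%
18 -5 I-Worm.Klez.h 0.30%
19 -1 I-Worm.Mimail.a 0.26%
20 re-entry I-Worm.Dumaru.a 0.25%
Other malicious programs* 4.34%
"""

# Row layout: position, change ("new", "re-entry", or a signed integer), name, share.
ROW_RE = re.compile(r"^(\d+)\s+(new|re-entry|[+-]?\d+)\s+(\S+)\s+(\d+[.,]\d+)%$")
OTHER_RE = re.compile(r"^Other malicious programs\*?\s+(\d+[.,]\d+)%$")


def parse_table(text):
    """Parse the flattened table into (rows, other_share).

    Each row is a dict with keys position, change, name, share. Shares are
    Decimals so that the sum check below is exact rather than float-approximate.
    """
    rows, other = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m:
            pos, change, name, share = m.groups()
            rows.append({
                "position": int(pos),
                "change": change if change in ("new", "re-entry") else int(change),
                "name": name,
                "share": Decimal(share.replace(",", ".")),  # normalise decimal comma
            })
            continue
        m = OTHER_RE.match(line)
        if m:
            other = Decimal(m.group(1).replace(",", "."))
            continue
        raise ValueError(f"unrecognised row: {line!r}")
    return rows, other


def total_share(rows, other):
    """Sum of all listed shares plus the 'other' bucket; should be 100.00."""
    return sum((r["share"] for r in rows), Decimal("0")) + other


def movement_summary(rows):
    """Group entries by how they moved, mirroring the report's summary lines."""
    summary = {"new": [], "re-entry": [], "up": [], "down": [], "unchanged": []}
    for r in rows:
        c = r["change"]
        if c in ("new", "re-entry"):
            summary[c].append(r["name"])
        elif c > 0:
            summary["up"].append(r["name"])
        elif c < 0:
            summary["down"].append(r["name"])
        else:
            summary["unchanged"].append(r["name"])
    return summary


def family_shares(rows):
    """Aggregate share per family (assumed: 'I-Worm.Netsky.b' -> 'Netsky')."""
    shares = defaultdict(Decimal)
    for r in rows:
        parts = r["name"].split(".")
        family = parts[1] if len(parts) > 1 else parts[0]
        shares[family] += r["share"]
    return dict(shares)


if __name__ == "__main__":
    rows, other = parse_table(TOP_TWENTY_APRIL_2004)
    print("total share:", total_share(rows, other))
    for kind, names in movement_summary(rows).items():
        print(f"{kind}: {', '.join(names) or '-'}")
    for family, share in sorted(family_shares(rows).items(), key=lambda kv: -kv[1]):
        print(f"{family}: {share}%")
```

Running it confirms the report's own summary (seven new entries, two movers up, nine movers down, one re-entry) and shows what the prose states only implicitly: the ten Netsky variants together account for 81.84% of the month's traffic, so a single family dominated the ranking.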
