Virus Top Twenty for April 2005

Our Top Twenty shows the event we’ve long been expecting has finally come to pass – the leading position is now occupied by Mytob. Mytob.c is one of many representatives of a family of network worms which first appeared in 2005. Mytob.c was initially detected on 4th March, and in less than two months has managed to push NetSky.q, the 2004 leader, out of first place. In fact, Mytob.c had managed to do this by the end of March.

Since being detected, Mytob.c has demonstrated that it’s here to stay. It is based on the Mydoom.a source code, and spreads via email, but also incorporates the ability to replicate via the LSASS vulnerability. The name antivirus companies have given Mytob also reflects the fact that the worm has bot functionality: My(doom) + tob(‘bot’ reversed)

The fact that Mytob is able to replicate in two ways makes it difficult to stop it spreading quickly. This can only be done by detecting the worm and deleting it from mail traffic passing through major network nodes. Users should also install critical Windows updates which will close the LSASS vulnerability and thus prevent Mytob from spreading further.

It’s worrying that Mytob.c is not alone – the April Top Twenty includes another 5 representatives of this family. This month, therefore, Mytob is second only to NetSky, with its eight modifications in the Top Twenty. NetSky, however, took several months before figuring so strongly in the rankings, whereas Mytob achieved this in the course of just one month.

There’s no question that this family of worms will continue to appear over and over again in our statistics. Mytob’s authors remain active, and at the end of April were releasing a new modification of Mytob every two days. The new versions don’t differ significantly from each other; however, usually a different packing program is used in an attempt to prevent detection by the majority of anti-virus scanners.

Of course, Mytob wasn’t the only worm to appear in April 2005 – there were several small outbreaks caused by Sober and Bagle, but none of these made it into the Top Twenty. This was due to a variety of reasons, including errors in the program code, and the rapid reaction of antivirus companies to these latest threats.

All the other threats listed in the Top Twenty have been forced out of position by Mytob, all falling by several places except for Zafi.b; this was the only malicious program which strengthened its position, albeit by a single place. Mytob also meant that new versions of the many programs used in phishing attacks (Trojan-Spy.HTML) and Trojan Downloaders also failed to make it into the Top Twenty. This is a little surprising – these programs are still sent out on a regular basis. But it seems that the authors of such programs are now concentrating not on volume, but on specific targets: either attacking clients of a particular bank, or sending their creations to addresses in one domain only, such as .ua.

Malicious program not listed individually made up a significant portion of malicious programs intercepted this month – 13.02%. This clearly shows that a relatively large number of other worms and Trojan programs are still circulating, and can still pose a threat to unprotected machines.

Summary: