Malware reports

Virus Top Twenty for April 2006

Position Change in position Name Percentage
1. No Change
0
Net-Worm.Win32.Mytob.c 26.37
2. No Change
0
Email-Worm.Win32.NetSky.t 9.00
3. No Change
0
Email-Worm.Win32.LovGate.w 8.22
4. Up
+3
Email-Worm.Win32.NetSky.q 5.47
5. Up
+8
Email-Worm.Win32.LovGate.ad 4.69
6. Down
-2
Email-Worm.Win32.NetSky.b 4.09
7. Up
+10
Net-Worm.Win32.Mytob.y 3.36
8. Up
+1
Net-Worm.Win32.Mytob.t 3.31
9. Down
-4
Net-Worm.Win32.Mytob.u 3.25
10. Down
-2
Net-Worm.Win32.Mytob.q 2.48
11. Up
+4
Net-Worm.Win32.Mytob.w 2.29
12. Up
+8
Net-Worm.Win32.Mytob.a 2.26
13. Down
-3
Email-Worm.Win32.LovGate.ae 1.75
14. New!
New!
Email-Worm.Win32.Scano.e 1.45
15. Return
Return
Email-Worm.Win32.NetSky.aa 1.32
16. New!
New!
Net-Worm.Win32.Mytob.v 1.09
17. Down
-3
Email-Worm.Win32.NetSky.y 1.05
18. Return
Return
Email-Worm.Win32.Mydoom.l 1.04
19. New!
New!
Email-Worm.Win32.NetSky.af 0.89
20. New!
New!
Net-Worm.Win32.Mytob.cg 0.89
Other malicious programs 15.73

At first glance it may seem that the April Top Twenty is identical to Top Twenties from the past six months or so. Computer virology seems to have frozen in time: the same worms have been in the ratings for a long time already. However, this is only at first glance. Mytob.c, the leader of recent ratings, has a long way to go to achieve the numerical heights achieved by its infamous predecessors, such as Mydoom or Sobig or Klez. Between them, these worms managed to terrorize users for several years running.

Despite the fact the Mytob versions dominate the ratings this month, other well known worms are not giving up the battle for control of our computers.

April 2006 is notable for the fact that we finally see Zafi versions disappear completely. We have been expecting this for several months now: Zafi versions led the ratings at one point and then started moving up and down, occasionally climbing almost back to the top. The long life of this worm, which turned 2 this month, is due to its very interesting replication methods. This worm is a true polyglot. It sends out infected emails in over 15 European languages. Zafi picks the languages using the recipient domain as a guide.

Zafi has Hungarian roots, while Lovgate comes from Asia, possibly South Korea. This old timer appeared at the same time as Mydoom, Bagle, Netsky and Zafi. Unlike Netsky, which is slowly yielding to Mytob, new versions of Lovgate continue to appear in the ratings: in April we see two versions in the top 5. The authors of Lovgate stubbornly continue to churn out new versions, creating more and more classical email worms. In the meantime, the author of NetSky has been arrested and tried, the Bagle authors focus on launching localized outbreaks of Trojans and Mydoom has simply mutated into Mytob. Mytob has visibly gained altitude this month with a total of nine places including number one.

Last, but not least, we have a newcomer this month – Scano.e. The Scano family attracted attention both from both users and virus analysts. We were interested in the replication method: Scano spreads as a JavaScript file and includes rather complicated polymorphic code, which complicates detection. Scano is very similar to Feebs as far as polymorphic scripting is concerned. Feebs does not appear in the ratings, but it has generated regular questions from users. It seems as if polymorphic worms might well become a hot topic in the months to come.

As for the rest of the email ratings, the only other point of interest is that Mytob.y has jumped up 10 places and Mydoom.l has returned. The portion of other malicious code in email traffic has risen slightly from 13.33% to 15.73.

Summary:

New Scano.e, NetSky.af, Mytob.cg
Moved up NetSky NetSky.q, LovGate.ad, Mytob.y, Mytob.t, Mytob.w, Mytob.a
Moved down NetSky.b, Mytob.u, Mytob.q, LovGate.ae, NetSky.y
No change Mytob.c, NetSky.t, LovGate.w
Re-entry Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Mydoom.l

Virus Top Twenty for April 2006

Your email address will not be published. Required fields are marked *

 

Reports

How to catch a wild triangle

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Subscribe to our weekly e-mails

The hottest research right in your inbox