Malware reports

Virus Top Twenty for April 2007

Position Change in position Name Proactive Detection Flag Percentage
1. Up
+4
Email-Worm.Win32.NetSky.t Trojan.generic 14,00
2. New!
New!
Email-Worm.Win32.Warezov.ms Invader 12,35
3. Down
-1
Email-Worm.Win32.NetSky.q Trojan.generic 12,15
4. Down
-1
Email-Worm.Win32.Bagle.gt Trojan.generic 10,02
5. New!
New!
Trojan-Spy.HTML.Bankfraud.ri N/A (HTML)* 7,73
6. Up
+6
Worm.Win32.Feebs.gen Hidden Data Sending 5,38
7. No Change
0
Net-Worm.Win32.Mytob.c Trojan.generic 4,04
8. Down
-2
Email-Worm.Win32.NetSky.aa Trojan.generic 3,55
9. No Change
0
Email-Worm.Win32.NetSky.b Trojan.generic 2,18
10. Down
-2
Email-Worm.Win32.Scano.gen Trojan.generic 1,93
11. Down
-11
Trojan-Spy.HTML.Bankfraud.ra N/A (HTML)* 1,80
12. New!
New!
Email-Worm.Win32.Warezov.nf Invader 1,80
13. Down
-3
Email-Worm.Win32.Mydoom.l Trojan.generic 1,58
14. Down
-1
Email-Worm.Win32.Warezov.do Trojan.generic 1,50
15. No Change
0
Email-Worm.Win32.Mydoom.m Trojan.generic 1,38
16. No Change
0
Email-Worm.Win32.Zhelatin.dam N/A (damaged)** 1,18
17. Return
Return
Email-Worm.Win32.LovGate.w Trojan.generic 1,14
18. New!
New!
Email-Worm.Win32.Zhelatin.cs HiddenInstall 1,09
19. Return
Return
Net-Worm.Win32.Mytob.t Worm.P2P.generic 1,06
20. New!
New!
Email-Worm.Win32.Zhelatin.cq HiddenInstall 0,98
Other malicious programs 13,16
* – this is an HTML page and does not display any behavior
** – non-functional sample

 

It’s getting more and more interesting looking at the statistics on malicious code in mail traffic. Warezov and Zhelatin regularly cause virus outbreaks, hit the headlines, and create a huge amount of work for virus labs around the world, but it’s NetSky.t, an old email worm, which grabbed first place this month. In the three years since NetSky.t appeared, its highest ranking ever was fourth place in February 2006. It subsequently disappeared from the rankings, but returned to lurk close to the top of the table. And this month it has taken first place by storm, pushing aside all the new generation worms.

This was probably the result of a new tactic: virus writers are now spamming multiple variants of their latest creation within a very short space of time. Many of these variants make it to the Top Twenty, but sometimes the sheer number of variants prevents them from gaining a high position: NetSky.t, a single variant which spread extremely widely, is proof of this.

On the other hand, these newcomers aren’t lagging that far behind some of the old, familiar malicious programs. Second place is occupied by Warezov.ms, created by unknown cyber criminals, who we suspect are Chinese. Although this variant didn’t get as much publicity as its younger brother Warezov.nf, our statistics show that it was the .ms variant that dominated in April. However, it’s highly likely that Warezov.ms will practically disappear in May, repeating the pattern shown by other variants. Out of all the Warezov variants that made the rankings last autumn and winter, only Warezov.do could still be found in April’s Top Twenty.

The Zhelatin worm, which is in direct competition with Warezov, also has three variants in the rankings. However, in percentage terms Zhelatin’s results are much less impressive, as it occupies 6th, 18th and 20th place.

Phishing is continuing to evolve at a rate of knots. Last month, Bankfraud.ra, a phishing email, was at the top of the chart. Although this month it has fallen to 11th place, this doesn’t mean that phishing is on the decline: 5th place is taken by a new Bankfraud variant, .ri. This is evidence of the increasingly wide spread nature of phishing attacks, comparable in scale to email worm epidemics.

The return of some real veterans – LovGate.w and Mytob.t – is also interesting. The reappearance of these malicious programs in the Top Twenty was unexpected. However, the number of times these programs have previously figured in the rankings bears witness to their tenacity and the size of epidemics caused by these worms in the past.

Other malicious programs made up a significant percentage (13.16%) of all malicious code found in mail traffic, indicating that a considerable number of other worms and Trojans are currently actively circulating.

Summary

  • New: Email-Worm.Win32.Warezov.ms, Trojan-Spy.HTML.Bankfraud.ri, Email-Worm.Win32.Warezov.nf, Email-Worm.Win32.Zhelatin.cs, Email-Worm.Win32.Zhelatin.cq
  • Moved up: Email-Worm.Win32.NetSky.t, Worm.Win32.Feebs.gen
  • Moved down: Email-Worm.Win32.NetSky.q, Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Scano.gen, Trojan-Spy.HTML.Bankfraud.ra, Email-Worm.Win32.Mydoom.l, Email-Worm.Win32.Warezov.do
  • Re-entry: Email-Worm.Win32.LovGate.w, Net-Worm.Win32.Mytob.t.
  • No change: Net-Worm.Win32.Mytob.c, Email-Worm.Win32.NetSky.b, Email-Worm.Win32.Mydoom.m, Email-Worm.Win32.Zhelatin.dam

Virus Top Twenty for April 2007

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q3 2024

The report features the most significant developments relating to APT groups in Q3 2024, including hacktivist activity, new APT tools and campaigns.

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

Subscribe to our weekly e-mails

The hottest research right in your inbox