Malware reports

Virus Top Twenty for August 2007

Position Change in position Name Proactive Detection Flag Percentage
1. Up
Email-Worm.Win32.NetSky.q Trojan.generic 21.28
2. Up
+1 Trojan.generic 12.96
3. Up
Email-Worm.Win32.NetSky.aa Trojan.generic 9.26
4. Up
Net-Worm.Win32.Mytob.c Trojan.generic 8.97
5. No Change
Worm.Win32.Feebs.gen Hidden Data Sending 6.03
6. Up
Email-Worm.Win32.Mydoom.l Trojan.generic 4.93
7. Down
Email-Worm.Win32.NetSky.t Trojan.generic 4.81
8. Up+2 Exploit.Win32.IMG-WMF.y WMF* 3.52
9. Up+4 Net-Worm.Win32.Mytob.t Worm.P2P.generic 3.22
10. Up
Email-Worm.Win32.NetSky.b Trojan.generic 2.65
11. Up+1 Email-Worm.Win32.NetSky.x Trojan.generic 2.43
12. Up+5 Email-Worm.Win32.Scano.gen Trojan.generic 2.12
13. Up+1 Net-Worm.Win32.Mytob.u Worm.P2P.generic 1.59
14. New!
Trojan-Downloader.Win32.Agent.brk Hidden object 1.58
15. No Change
Email-Worm.Win32.Mydoom.m Trojan.generic 1.49
16. New!
Email-Worm.Win32.Womble.a Trojan.generic 1.38
17. Down
Email-Worm.Win32.Womble.d Trojan.generic 1.27
18. Return
Net-Worm.Win32.Mytob.dam [Damaged] 0.94
19. Return
Return Trojan.generic 0.91
20. Down
Virus.Win32.Grum.a Virus** 0.90
Other malicious programs 7.76

* — a file in the WMF graphics format.

** — The PDM module is not intended for combating classic computer viruses


August once again turned out to be “dead season” for virus epidemics in 2007. Since August 2003, when the Lovesan worm caused the biggest epidemic in history, the final month of summer has typically been the quietest and most uneventful, as it is a period when both virus writers and antivirus professionals often go on holiday.

Even the waves of mass-mailings sent out by the Warezov and Zhelatin worms were missing in action in August., the leader in July, disappeared suddenly from our virus radar screens. However, it’s worth remembering that the launching pad for was created back in May by Trojan-Downloader.Win32.Agent.bcs. August’s Top Twenty features a new program used to create botnets and the conditions for new epidemics: Trojan-Downloader.Win32.Agent.brk. It looks as though a significant new outbreak of email threats will be strike in September.

As usual, as new malicious programs that previously took the lead begin to fade or even disappear, the top positions in our rankings are once again taken by old malware. In August, NetSky.q took first place yet again. A three-and-a-half year lifespan has not had any apparent effect on the widespread impact of this worm, and antivirus companies are left wondering just what else they have to do to exterminate this Internet pest.

Meanwhile, the Womble family of worms continues its unusual increase in mail traffic. In July, Exploit.Win32.IMG-WMF.y climbed seven positions, and inched up another two places in August, finally making it into the Top Ten (in eighth place). IMG-WMF.y is a component used in all Womble worms and it brought Womble.d up the ratings in July, with Womble.a joining these two programs in August. All these worms were detected a year ago in August 2006, but they have only just recently managed to make waves in mail traffic.

Last month Scano.gen made a Top 20 comeback, and made the most gains of all malicious programs in August, rising a full five positions to twelfth place. Scano.gen may end up following in the footsteps of another very similar worm, Feebs.gen, which rose to the top in the very same way and has been holding strong in fifth place for two months now.

Other malicious programs made up 7.76% of all malicious code in mail traffic, indicating that there is still a relatively large number of other worm and Trojan families in circulation.

  • New: Email-Worm.Win32.Womble.a, Trojan-Downloader.Win32.Agent.brk
  • Moved up: Email-Worm.Win32.NetSky.q,, Email-Worm.Win32.NetSky.aa, Net-Worm.Win32.Mytob.c, Email-Worm.Win32.Mydoom.l, Exploit.Win32.IMG-WMF.y, Net-Worm.Win32.Mytob.t, Email-Worm.Win32.NetSky.b, Email-Worm.Win32.NetSky.x, Email-Worm.Win32.Scano.gen, Net-Worm.Win32.Mytob.u
  • Moved down: Email-Worm.Win32.NetSky.t, Email-Worm.Win32.Womble.d, Virus.Win32.Grum.a
  • Re-entry: Net-Worm.Win32.Mytob.dam,

Virus Top Twenty for August 2007

Your email address will not be published. Required fields are marked *



The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Subscribe to our weekly e-mails

The hottest research right in your inbox