Malware reports

Virus Top Twenty for December 2005

Position and change in position (the name and percentage columns are not preserved in this copy):
1. Up
2. Down
3. Up
4. Up
5. Up +13
6. Up
7. Down
8. No change
9. Up
10. Up
11. Down
12. Down
13. New!
14. Return
15. Up
16. Return
17. Return
18. Down
19. Down
20. Return
Other malicious programs: 15.07%

December 2005 was a month of great activity, in sharp contrast to the stability shown by the leaders of the Virus Top Twenty in November. There were great changes in the top six positions, with yet another set of worms topping the ratings. Against all expectations, the leader was not a worm from the Mytob or Doombot families, but Zafi.d, which has been in circulation for over a year and a half. Zafi.d made up almost 30% of all malicious programs intercepted this month, a very impressive figure.

The leader for the past few months, Mytob.c, dropped into second place, although the number of samples detected remained almost at its previous level. And this is where the situation becomes really interesting.

The Doombot family, which entered the Top Twenty with a bang a couple of months ago, and which has been posing serious competition to Mytob, has unexpectedly disappeared. And it’s not only Doombot.g and .d (which were in 16th and 20th place respectively) which have vanished, but also Doombot.b, which took 2nd place in November. If new malicious programs had appeared in the Top Twenty this month, it would have been these more active programs which squeezed Doombot out of the rankings, an entirely natural process. However, this is not what happened in December.

The further down the table we go, the more interesting it becomes. LovGate.w, a veteran of our virus ratings, reached third place. This Asian worm has displayed such stability and stamina for several years that we are no longer surprised by its appearance in our Top Twenty. We’ve seen new leaders such as Mydoom, Bagle, Sober and NetSky rise and fall, and they are now melting into the shadows, in contrast to LovGate.w, which was and remains among the most widespread worms. In addition to this, another LovGate, version .ae, has returned to the Top Twenty, making it into 14th place.

In November, Sober.y was the malicious program which received the most publicity. Our statistics show that this worm occupied 13th place in November. This was because, in spite of causing an epidemic, the worm sent itself to email addresses in Western Europe, leaving Russia largely untouched. However, the epidemic was so large that at some stage it was bound to reach Russia, and in December this came to pass. Sober.y rose by 9 places to reach 4th place. Sometime around the middle of December, it stopped sending itself out and retreated into hibernation. However, some data indicates that it will come out of hibernation during the night of 5th January, when it will attempt to download a new version of itself to computers which it had previously infected. All users should be extremely careful and highly suspicious of all messages with attachments, particularly if they appear to originate from a government body such as, for instance, the FBI. The author of Sober may also use the new version of the worm to mass mail millions of emails containing right-wing/Nazi propaganda.

Zafi.b has been one of the most widespread email worms of the past two years. It has led our ratings several times, but over the past few months, it has decreased significantly in number. In November this worm was in 18th place, and logically should have dropped out of the Top Twenty this month. However, the surge shown by its relative, Zafi.d, inevitably had an effect on Zafi.b’s figures; the worm rose 13 places, which is one of the most impressive results of 2005, and finished in 5th place.

To sum up, the top five includes 2 worms from the Zafi family, one Mytob, one Sober and one LovGate. Apart from Mytob.c, there’s no sign of Mytob’s previous domination among the leaders. In spite of the fact that 10 Mytob variants remain in the Top Twenty, it seems likely that soon they will be edged out by the new worms which will start to appear in 2006.

13th place in our Top Twenty is highly significant, as it’s occupied not by a worm, not by a virus, but by an email! This is one of the many hundreds of phishing emails which were sent to eBay users in December 2005. A figure of 1.36% of all virus traffic is very respectable, and shows that phishing is not going to disappear from the cyber threat horizon, but is continuing to evolve, and will remain a major security problem in 2006.

Other malicious programs made up 15.07% of all those intercepted in mail traffic, indicating that a relatively large number of worms and Trojans from other families are still in circulation.


Moved up Zafi.d, LovGate.w, Sober.y, Zafi.b, NetSky.b, Mytob.u, Mytob.q, NetSky.y
Moved down Mytob.c, NetSky.q, Mytob.bk, Mytob.h, Bagle.dx, Mytob.y
Re-entry, Mytob.w, Mytob.a, Mytob.x
No change Mytob.t
