Virus Top Twenty for December 2005

Position Change in position Name Percentage
1. Up
2. Down
3. Up
4. Up
5. Up +13
6. Up
7. Down
8. No Change
9. Up
10. Up
11. Down
12. Down
13. New!
14. Return
15. Up
16. Return
17. Return
18. Down
19. Down
20. Return

Other malicious programs 15.07

December 2005 was a month of great activity, in sharp contrast to the stability shown by the leaders of the Virus Top Twenty in November. There were great changes in the top six positions, with yet another set of worms topping the ratings. Against all expectations, the leader was not a worm from the Mytob or Doombot families, but Zafi.d, which has been in circulation for over a year and a half. Zafi.d made up almost 30% of all malicious programs intercepted this month, a very impressive figure.

The leader for the past few months, Mytob.c, dropped into second place, although the number of samples detected remained almost at its previous level. And this is where the situation becomes really interesting.

The Doombot family, which entered the Top Twenty with a bang a couple of months ago, and which has been posing serious competition to Mytob, has unexpectedly disappeared. And it’s not only Doombot.g and .d (which were in 16th and 20th place respectively) which have vanished, but also Doombot.b, which took 2nd place in November. If new malicious programs had appeared in the Top Twenty this month, it would have been these more active programs which squeezed Doombot out of the rankings, an entirely natural process. However, this is not what happened in December.

The further down the table we go, the more interesting it becomes. LovGate.w, a veteran of our virus ratings, reached third place. This Asian worm has displayed such stability and stamina for several years that we are no longer surprised by its appearance in our Top Twenty. We’ve seen new leaders such as Mydoom, Bagle, Sober and NetSky rise and fall, and they are now melting into the shadows, in contrast to LovGate.w, which was and remains among the most widespread worms. In addition to this, another LovGate, version .ae, has returned to the Top Twenty, making it into 14th place.

In November, Sober.y was the malicious program which received the most publicity. Our statistics show that this worm occupied 13th place in November. This was due to the fact that in spite of causing an epidemic, the worm sent itself to email addresses in Western Europe, leaving Russia largely untouched. However, the epidemic was so large that at some stage it was bound to reach Russia, and in December this came to pass. Sober.y rose by 9 places to reach 4th place. Sometime around the middle of December, it stopped sending itself out and retreated into hibernation. However, some data shows that it will come out of hibernation on 5th January, during the night, when it will attempt to download a new version of itself to computers which it had previously infected. All users should be extremely careful and highly suspicious of all messages with attachments, particularly if they appear to originate from a government body such as, for instance, the FBI. The author of Sober may also use the new version of the worm to mass mail millions of emails containing right-wing/Nazi propaganda.

Zafi.b has been one of the most widespread email worms of the past two years. It has led our ratings several times, but over the past few months, it has decreased significantly in number. In November this worm was in 18th place, and logically should have dropped out of the Top Twenty this month. However, the surge shown by its relative, Zafi.d, inevitably had an effect on Zafi.b’s figures; the worm rose 13 places, which is one of the most impressive results of 2005, and finished in 5th place.

To sum up, the top five includes 2 worms from the Zafi family, one Mytob, one Sober and one LovGate. Apart from Mytob.c, there’s no sign of Mytob’s previous domination among the leaders. In spite of the fact that 10 Mytob variants remain in the Top Twenty, it seems likely that soon they will be edged out by the new worms which will start to appear in 2006.

13th place in our Top Twenty is highly significant, as it’s occupied not by a worm, not by a virus, but by an email! is one of the many hundreds of phishing emails which were sent to eBay users in December 2005. A figure of 1.36% of all virus traffic is very respectable, and shows that phishing is not going to disappear from the cyber threat horizon, but is continuing to evolve, and will remain a major security problem in 2006.

Other malicious programs made up 15.07% of all those intercepted in mail traffic, indicating that a relatively large number of worms and Trojans from other families are still in circulation.


Moved up Zafi.d, LovGate.w, Sober.y, Zafi.b, NetSky.b, Mytob.u, Mytob.q, NetSky.y
Moved down Mytob.c, NetSky.q, Mytob.bk, Mytob.h, Bagle.dx, Mytob.y
Re-entry, Mytob.w, Mytob.a, Mytob.x
No change Mytob.t
