Malware reports

Virus Top Twenty for December 2006

Position Change in position Name Percentage
1. New! Email-Worm.Win32.Warezov.fb 19.41
2. Return Email-Worm.Win32.Warezov.dn 9.88
3. New! Email-Worm.Win32.Warezov.hb 9.57
4. No Change Email-Worm.Win32.NetSky.t 8.02
5. Up Email-Worm.Win32.NetSky.q 6.26
6. New! New 5.70
7. Down Net-Worm.Win32.Mytob.c 5.50
8. Up Email-Worm.Win32.NetSky.aa 5.22
9. Down Email-Worm.Win32.Zafi.b 2.96
10. Down Email-Worm.Win32.Scano.gen 2.45
11. Up Email-Worm.Win32.NetSky.b 2.23
12. Down Net-Worm.Win32.Mytob.t 2.11
13. Down Email-Worm.Win32.LovGate.w 1.61
14. Return Net-Worm.Win32.Mytob.dam 1.42
15. Up +2 1.25
16. Down Email-Worm.Win32.Nyxem.e 1.04
17. New! Exploit.Win32.IMG-WMF.y 0.89
18. New! Email-Worm.Win32.Agent.b 0.86
19. Return Net-Worm.Win32.Mytob.a 0.84
20. Return Email-Worm.Win32.NetSky.x 0.82
Other malicious programs 11.96


The last month of 2006 did not bring any substantial changes to the assortment of viruses found in the email traffic. Although analysis of the results for the entire year will be performed later, we can state that the Warezov worm family won a clear-cut victory in the autumn and winter months.

In December Warezov variants took the three top positions in the rankings, while the traditional change of leader turned into a family affair: Warezov.fb replaced Warezov.gj. We had expected and predicted this change: in December the former leader’s ranking declined sharply as it yielded position to its newer brethren.

The greatest surprise of November was the triumphal return of our old acquaintance, Nyxem.e, to the Top Twenty, straight to the third position. In December the worm surprised us again by going 13 positions down at once. Its old rival, Mytob.c, which also made a return to the sixth position in November, lost little ground to newcomers and remained in the 7th position. Nevertheless, it is now quite clear that the future of both worms (Nyxem.e and Mytob.c), which fought bitter battles for the top position during the first 9 months of the year, is rather bleak: in 2007 they will inevitably leave the Top Twenty.

This is also true of Zafi.b. Although this worm is among the top ten malicious programs this month, it has gone through several cycles of appearing in and disappearing from the Top Twenty and may well leave again, never to return.

At the same time, NetSky.q (the October leader) goes up and down in the top part of the rankings and looks set to create problems for email users for a long time to come, despite the fact that (just think of it!) it was created as far back as 2004! Two more historical worms, LovGate.w and Mytob.t, are about equally ancient.

Among the newcomers, it is worth mentioning and Exploit.Win32.IMG-WMF.y. is the first member of its family to become one of the leaders in the virus race in the past several months. This is a very interesting fact: essentially, Bagle and Warezov are direct competitors, which means that we may be witnessing another cyberwar between criminal groups trying to gain access to user computers and data stored on them.

Exploit.Win32.IMG-WMF.y belongs to a rare class of malicious programs: the object sent by email is not an executable file containing a worm but an image that contains an exploit for a WMF file handling vulnerability. When the image is accessed, a Trojan program or worm is installed on the user’s computer. This vulnerability was discovered one year ago, in December 2005. In the first week of its existence, the Internet was flooded with hundreds of Trojans that penetrated computers using this mechanism. Although a year has passed, cybercriminals still successfully exploit this vulnerability.

Other malicious programs made up 11.96% of all malicious programs intercepted in mail traffic. This confirms that a large number of other worms and Trojans are still actively circulating.


New:

Email-Worm.Win32.Warezov.fb, Email-Worm.Win32.Warezov.hb,, Exploit.Win32.IMG-WMF.y, Email-Worm.Win32.Agent.b

Moved up:

Email-Worm.Win32.NetSky.q, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.NetSky.b,

Moved down:

Net-Worm.Win32.Mytob.c, Email-Worm.Win32.Zafi.b, Email-Worm.Win32.Scano.gen, Net-Worm.Win32.Mytob.t, Email-Worm.Win32.LovGate.w, Email-Worm.Win32.Nyxem.e


Returned:

Email-Worm.Win32.Warezov.dn, Net-Worm.Win32.Mytob.dam, Net-Worm.Win32.Mytob.a, Email-Worm.Win32.NetSky.x
