Malware reports

Virus Top Twenty for December 2006

Position Change in position Name Percentage
1. New!
Email-Worm.Win32.Warezov.fb 19.41
2. Return
Email-Worm.Win32.Warezov.dn 9.88
3. New!
Email-Worm.Win32.Warezov.hb 9.57
4. No Change Email-Worm.Win32.NetSky.t 8.02
5. Up
Email-Worm.Win32.NetSky.q 6.26
6. New!
New 5.70
7. Down
Net-Worm.Win32.Mytob.c 5.50
8. Up
Email-Worm.Win32.NetSky.aa 5.22
9. Down
Email-Worm.Win32.Zafi.b 2.96
10. Down
Email-Worm.Win32.Scano.gen 2.45
11. Up
Email-Worm.Win32.NetSky.b 2.23
12. Down
Net-Worm.Win32.Mytob.t 2.11
13. Down
Email-Worm.Win32.LovGate.w 1.61
14. Return
Net-Worm.Win32.Mytob.dam 1.42
15. Up
+2 1.25
16. Down
Email-Worm.Win32.Nyxem.e 1.04
17. New!
Exploit.Win32.IMG-WMF.y 0.89
18. New!
Email-Worm.Win32.Agent.b 0.86
19. Return
Net-Worm.Win32.Mytob.a 0.84
20. Return
Email-Worm.Win32.NetSky.x 0.82
Other malicious programs 11.96


The last month of 2006 did not bring any substantial changes to the assortment of viruses found in the email traffic. Although analysis of the results for the entire year will be performed later, we can state that the Warezov worm family won a clear-cut victory in the autumn and winter months.

In December Warezov variants took the three top positions in the rankings, while the traditional change of leader turned into a family affair: Warezov.fb replaced Warezov.gj. We had expected and predicted this change: in December the former leader’s ranking declined sharply as it yielded position to its newer brethren.

The greatest surprise of November was the triumphal return of our old acquaintance, Nyxem.e, to the Top Twenty, straight to the third position. In December the worm surprised us again by going 13 positions down at once. Its old rival, Mytob.c, which also made a return to the sixth position in November, lost little ground to newcomers and remained in the 7th position. Nevertheless, it is now quite clear that the future of both worms (Nyxem.E and Mytob.C), which fought bitter battles for the top position during the first 9 months of the year, is rather bleak: in 2007 they will inevitably leave the Top Twenty.

This is also true of Zafi.b. Although this worm is among the top ten malicious programs this month, it has gone through several cycles appearing and disappearing from the top Twenty and may well leave again, never to return.

At the same time, NetSky.q (the October leader) goes up and down in the top part of the rankings and looks set to create problems for email users for a long time to come, despite the fact that (just think of it!) it was created as far back as 2004! Two more historical worms, LovGate.w and Mytob.t, are about equally ancient.

Among the newcomers, it is worth mentioning and Exploit.Win32.IMG-WMF.y. is the first member of its family to become one of the leaders in the virus race in the past several months. This is a very interesting fact: essentially, Bagle and Warezov are direct competitors, which means that we may be witnessing another cyberwar between criminal groups trying to gain access to user computers and data stored on them.
Exploit.Win32.IMG-WMF.y belongs to a rare class of malicious programs: the object sent by email is not an executable file containing a worm but an image that contains an exploit for a WMF file handling vulnerability. When the image is accessed, a Trojan program or worm is installed on the user’s computer. This vulnerability was discovered one year ago, in December 2005. In the first week of its existence, the Internet was flooded with hundreds of Trojans that penetrated to computers using this mechanism. Although a year has passed, cybercriminals still successfully exploit this vulnerability.

Other malicious programs made up 11.96% of all malicious programs intercepted in mail traffic. This confirms that a large number of other worms and Trojans are still actively circulating.


Email-Worm.Win32.Warezov.fb, Email-Worm.Win32.Warezov.hb,, Exploit.Win32.IMG-WMF.y, Email-Worm.Win32.Agent.b

Moved up:

Email-Worm.Win32.NetSky.q, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.NetSky.b,

Moved down:

Net-Worm.Win32.Mytob.c, Email-Worm.Win32.Zafi.b, Email-Worm.Win32.Scano.gen, Net-Worm.Win32.Mytob.t, Email-Worm.Win32.LovGate.w, Email-Worm.Win32.Nyxem.e,


Email-Worm.Win32.Warezov.dn, Net-Worm.Win32.Mytob.dam, Net-Worm.Win32.Mytob.a, Email-Worm.Win32.NetSky.x

Virus Top Twenty for December 2006

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox