Malware reports

Virus Top Twenty for February 2004

Kaspersky Labs presents the Virus Top Twenty for February 2004
Change Name Percentage by occurence
1 0 I-Worm.Mydoom.a 69,21%
2 New I-Worm.Moodown.b 18,68%
3 -1 I-Worm.Swen 3,20%
4 New I-Worm.Mydoom.e 2,15%
5 -1 I-Worm.Sober.c 1,92%
6 +3 I-Worm.Sobig.f 0,82%
7 -2 I-Worm.Mimail.a 0,47%
8 -1 I-Worm.Klez.h 0,44%
9 +11 I-Worm.Mimail.j 0,30%
10 New I-Worm.Mimail.q 0,27%
11 +8 I-Worm.Dumaru.j 0,24%
12 -9 I-Worm.Mimail.c 0,22%
13 +2 I-Worm.Dumaru.a 0,19%
14 -1 I-Worm.Lentin.m 0,17%
15 New I-Worm.Netsky.c 0,11%
16 New I-Worm.Bagle.b 0,10%
17 New I-Worm.Mydoom.b 0,10%
18 Re-entry Win32.FunLove.4070 0,10%
19 -5 Macro.Word97.Swatch.b 0,08%
20 -10 I-Worm.Tanatos.b 0,07%
Other malicious programs, not in the Top Twenty 1,16%

History was made in February 2004, which turned out to be the most active month in computer virology for the past several years. There has never been such a large number of email worms active at the same time.
First we had January’s leader, Mydoom.a which stayed in first place. Even though the worm stopped propagating as of February 12, Mydoom.a retained its leading position due to the huge number of copies mailed before February 12 as well as the large number of infected machines with incorrect dates.
Next we have some new entrants that will undoubtedly play a key role in March. There are six newcomers, which is very unusual, and they belong to four different categories.
The most important newcomer is I-Worm.Moodown.b (NetSky.b) which the creator coded to disinfect machines infected by Mydoom.a, but also to interfere with antivirus programs.
The second significant newcomer is Mydoom.e. Unlike Mydoom.a, this version deletes random MS Office documents. It is highly likely that this version was based on the original Mydoom.
Our old ‘friend’ Mimail is now polymorphic and spreads as a polymorphic dropper. Mimail.q was the first version with this new feature and it immediately climbed to 10th position in the top twenty.
The creator of Moodown (NetSky) seems to have been encouraged by the havoc wreaked by second version; he or she made some minor changes and released a third version. Moodown.c is only 15th in the ratings, but should aggravate users for quite some time to come.
One of January’s leaders, Bagle.a has left the ratings, but we do have Bagle.b to take its place. However, at the very tail end of February we also saw a slew of new Bagles: versions c through f. These versions did not make the top twenty, but we can be sure that they will cause trouble in March.
The last newcomer in the top twenty is yet another version of Mydoom – Mydoom.b. It appeared at the end of January and needed all of February to make its presence felt.
The other stars of the monthly ratings are old friends who move up and down the scale without leaving the top twenty. Swen and Sober.c refuse to yield to newer worms and continue to hold their positions.
Win32.FunLove.4070 has returned to the top twenty. The return of this file virus is easy to explain: it mostly arrives with email worms having infected the carrier files first.

Summary

 

 

Virus Top Twenty for February 2004

Your email address will not be published. Required fields are marked *

 

Reports

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

APT trends report Q2 2024

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox