Virus Top Twenty for February 2007

Position	Change in position	Name	Proactive Detection Flag	Percentage
1.	+3	Email-Worm.Win32.NetSky.t	Trojan.generic	15.82
2.	-1	Email-Worm.Win32.Bagle.gt	Trojan.generic	11.85
3.	New	Email-Worm.Win32.Zhelatin.dam	Damaged*	8.19
4.	-2	Email-Worm.Win32.NetSky.q	Trojan.generic	7.92
5.	New	Email-Worm.Win32.Zhelatin.o	Hidden Install + Registry access	6.83
6.	New	Email-Worm.Win32.Warezov.ls	Hidden Install (x2)	5.03
7.	+2	Net-Worm.Win32.Mytob.c	Trojan.generic	3.72
8.	New	Email-Worm.Win32.Zhelatin.u	Trojan.generic + Invader(x10)	3.58
9.	New	Email-Worm.Win32.Zhelatin.m	Hidden Install + Registry access	3.30
10.	-7	Email-Worm.Win32.NetSky.aa	Trojan.generic	3.27
11.	New	Email-Worm.Win32.Zhelatin.r	Trojan.generic	2.87
12.	New	Trojan-Downloader.Win32.Tibs.jr	Trojan.generic	2.43
13.	New	Email-Worm.Win32.Zhelatin.t	Hidden Install + Registry access	1.94
14.	Return	Email-Worm.Win32.Scano.gen	Trojan.generic	1.83
15.	Return	Email-Worm.Win32.Nyxem.e	Trojan.generic	1.66
16.	Return	Email-Worm.Win32.NetSky.b	Trojan.generic	1.59
17.	New	Packed.Win32.PePatch.gr	Damaged	1.52
18.	Return	Net-Worm.Win32.Mytob.t	Worm.P2P.generic	1.39
19.	-14	Email-Worm.Win32.Bagle.gen	Trojan.generic + Registry access	1.26
20.		Exploit.Win32.IMG-WMF.y	Data Execution + Registry access	1.14
Other malicious programs				12.86
* — Non functional sample

In last month’s Top Twenty, we noted that Warezov worms had been almost totally beaten back by Bagle. Only a single Warezov variant remained in January’s Top Twenty, and Bagle.gt led the rankings. However, the world of computer viruses takes after nature, in that it abhors a vacuum, and as usually, new and more dangerous malicious programs have come to fill the void. This was the case in February, when we witnessed several epidemics caused by a new family of worms: Zhelatin.

Zhelatin is the ‘storm worm’ that got such wide coverage in the mass media at the beginning of the year. The worm spreads as emails with a range of topics designed to pique the recipient’s curiosity – the terrible hurricane in Western Europe, the death of President Putin, and the resurrection of Saddam Hussein. Although Zhelatin was initially thought to be a new Warezov variant, closer analysis revealed a new family of malicious programs which probably originated in Asia.

During February we issued three virus alerts with a ‘medium’ threat rating. All these alerts were due to the rapid spread of new Zhelatin variants in mail traffic. Naturally, these outbreaks have had an effect on the February Top Twenty: out of the nine new malicious programs, six of them are Zhelatin variants. The struggle between Zhelatin and Bagle.gt resulted in a veteran worm, Netsky.t, taking first place, while Bagle.gt dropped back to second position. Zhelatin, meanwhile, managed by weight of numbers to occupy four of the top ten places.

When a new leader heads the rankings, there’s usually a general shake-up, with new programs making their first appearance, and old viruses making a comeback. As noted above, there are nine new malicious programs in the February Top Twenty, and four re-entries, including some old friends such as Nyxem.e, Scano.gen and Netsky.b. This demonstrates once again that today’s email worms have a long lifespan, and may be found in traffic years after their first appearance.

Other malicious programs made up a significant percentage (12.86%) of all malicious code found in mail traffic, indicating that a considerable number of other worms and Trojans are currently actively circulating.

Summary:

• New: Email-Worm.Win32.Zhelatin.dam, Email-Worm.Win32.Zhelatin.o, Email-Worm.Win32.Warezov.ls, Email-Worm.Win32.Zhelatin.u, Email-Worm.Win32.Zhelatin.m, Email-Worm.Win32.Zhelatin.r, Trojan-Downloader.Win32.Tibs.jr, Email-Worm.Win32.Zhelatin.t, Packed.Win32.PePatch.gr
• Moved up: Email-Worm.Win32.NetSky.t, Net-Worm.Win32.Mytob.c
• Moved down: Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.NetSky.q, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Bagle.gen
• Re-entry: Email-Worm.Win32.Scano.gen, Email-Worm.Win32.Nyxem.e, Email-Worm.Win32.NetSky.b, Net-Worm.Win32.Mytob.t