Malware reports

Virus Top Twenty for February 2007

Position Change in position Name Proactive Detection Flag Percentage
1. Up
+3
Email-Worm.Win32.NetSky.t Trojan.generic 15.82
2. Down
-1
Email-Worm.Win32.Bagle.gt Trojan.generic 11.85
3. New!
New
Email-Worm.Win32.Zhelatin.dam Damaged* 8.19
4. Down
-2
Email-Worm.Win32.NetSky.q Trojan.generic 7.92
5. New!
New
Email-Worm.Win32.Zhelatin.o Hidden Install +
Registry access
6.83
6. New!
New
Email-Worm.Win32.Warezov.ls Hidden Install (x2) 5.03
7. Up
+2
Net-Worm.Win32.Mytob.c Trojan.generic 3.72
8. New!
New
Email-Worm.Win32.Zhelatin.u Trojan.generic +
Invader(x10)
3.58
9. New!
New
Email-Worm.Win32.Zhelatin.m Hidden Install +
Registry access
3.30
10. Down
-7
Email-Worm.Win32.NetSky.aa Trojan.generic 3.27
11. New!
New
Email-Worm.Win32.Zhelatin.r Trojan.generic 2.87
12. New!
New
Trojan-Downloader.Win32.Tibs.jr Trojan.generic 2.43
13. New!
New
Email-Worm.Win32.Zhelatin.t Hidden Install +
Registry access
1.94
14. Return
Return
Email-Worm.Win32.Scano.gen Trojan.generic 1.83
15. Return
Return
Email-Worm.Win32.Nyxem.e Trojan.generic 1.66
16. Return
Return
Email-Worm.Win32.NetSky.b Trojan.generic 1.59
17. New!
New
Packed.Win32.PePatch.gr Damaged 1.52
18. Return
Return
Net-Worm.Win32.Mytob.t Worm.P2P.generic 1.39
19. Down
-14
Email-Worm.Win32.Bagle.gen Trojan.generic +
Registry access
1.26
20. No Change Exploit.Win32.IMG-WMF.y Data Execution +
Registry access
1.14
Other malicious programs 12.86
* — Non functional sample

In last month’s Top Twenty, we noted that Warezov worms had been almost totally beaten back by Bagle. Only a single Warezov variant remained in January’s Top Twenty, and Bagle.gt led the rankings. However, the world of computer viruses takes after nature, in that it abhors a vacuum, and as usually, new and more dangerous malicious programs have come to fill the void. This was the case in February, when we witnessed several epidemics caused by a new family of worms: Zhelatin.

Zhelatin is the ‘storm worm’ that got such wide coverage in the mass media at the beginning of the year. The worm spreads as emails with a range of topics designed to pique the recipient’s curiosity – the terrible hurricane in Western Europe, the death of President Putin, and the resurrection of Saddam Hussein. Although Zhelatin was initially thought to be a new Warezov variant, closer analysis revealed a new family of malicious programs which probably originated in Asia.

During February we issued three virus alerts with a ‘medium’ threat rating. All these alerts were due to the rapid spread of new Zhelatin variants in mail traffic. Naturally, these outbreaks have had an effect on the February Top Twenty: out of the nine new malicious programs, six of them are Zhelatin variants. The struggle between Zhelatin and Bagle.gt resulted in a veteran worm, Netsky.t, taking first place, while Bagle.gt dropped back to second position. Zhelatin, meanwhile, managed by weight of numbers to occupy four of the top ten places.

When a new leader heads the rankings, there’s usually a general shake-up, with new programs making their first appearance, and old viruses making a comeback. As noted above, there are nine new malicious programs in the February Top Twenty, and four re-entries, including some old friends such as Nyxem.e, Scano.gen and Netsky.b. This demonstrates once again that today’s email worms have a long lifespan, and may be found in traffic years after their first appearance.

Other malicious programs made up a significant percentage (12.86%) of all malicious code found in mail traffic, indicating that a considerable number of other worms and Trojans are currently actively circulating.

Summary:

  • New: Email-Worm.Win32.Zhelatin.dam, Email-Worm.Win32.Zhelatin.o, Email-Worm.Win32.Warezov.ls, Email-Worm.Win32.Zhelatin.u, Email-Worm.Win32.Zhelatin.m, Email-Worm.Win32.Zhelatin.r, Trojan-Downloader.Win32.Tibs.jr, Email-Worm.Win32.Zhelatin.t, Packed.Win32.PePatch.gr
  • Moved up: Email-Worm.Win32.NetSky.t, Net-Worm.Win32.Mytob.c
  • Moved down: Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.NetSky.q, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Bagle.gen
  • Re-entry: Email-Worm.Win32.Scano.gen, Email-Worm.Win32.Nyxem.e, Email-Worm.Win32.NetSky.b, Net-Worm.Win32.Mytob.t

Virus Top Twenty for February 2007

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q3 2024

The report features the most significant developments relating to APT groups in Q3 2024, including hacktivist activity, new APT tools and campaigns.

Subscribe to our weekly e-mails

The hottest research right in your inbox