Malware reports

Virus Top Twenty for February 2007

Position Change in position Name Proactive Detection Flag Percentage
1. Up
Email-Worm.Win32.NetSky.t Trojan.generic 15.82
2. Down
-1 Trojan.generic 11.85
3. New!
Email-Worm.Win32.Zhelatin.dam Damaged* 8.19
4. Down
Email-Worm.Win32.NetSky.q Trojan.generic 7.92
5. New!
Email-Worm.Win32.Zhelatin.o Hidden Install +
Registry access
6. New!
New Hidden Install (x2) 5.03
7. Up
Net-Worm.Win32.Mytob.c Trojan.generic 3.72
8. New!
Email-Worm.Win32.Zhelatin.u Trojan.generic +
9. New!
Email-Worm.Win32.Zhelatin.m Hidden Install +
Registry access
10. Down
Email-Worm.Win32.NetSky.aa Trojan.generic 3.27
11. New!
Email-Worm.Win32.Zhelatin.r Trojan.generic 2.87
12. New!
Trojan-Downloader.Win32.Tibs.jr Trojan.generic 2.43
13. New!
Email-Worm.Win32.Zhelatin.t Hidden Install +
Registry access
14. Return
Email-Worm.Win32.Scano.gen Trojan.generic 1.83
15. Return
Email-Worm.Win32.Nyxem.e Trojan.generic 1.66
16. Return
Email-Worm.Win32.NetSky.b Trojan.generic 1.59
17. New!
New Damaged 1.52
18. Return
Net-Worm.Win32.Mytob.t Worm.P2P.generic 1.39
19. Down
Email-Worm.Win32.Bagle.gen Trojan.generic +
Registry access
20. No Change Exploit.Win32.IMG-WMF.y Data Execution +
Registry access
Other malicious programs 12.86
* — Non functional sample

In last month’s Top Twenty, we noted that Warezov worms had been almost totally beaten back by Bagle. Only a single Warezov variant remained in January’s Top Twenty, and led the rankings. However, the world of computer viruses takes after nature, in that it abhors a vacuum, and as usually, new and more dangerous malicious programs have come to fill the void. This was the case in February, when we witnessed several epidemics caused by a new family of worms: Zhelatin.

Zhelatin is the ‘storm worm’ that got such wide coverage in the mass media at the beginning of the year. The worm spreads as emails with a range of topics designed to pique the recipient’s curiosity – the terrible hurricane in Western Europe, the death of President Putin, and the resurrection of Saddam Hussein. Although Zhelatin was initially thought to be a new Warezov variant, closer analysis revealed a new family of malicious programs which probably originated in Asia.

During February we issued three virus alerts with a ‘medium’ threat rating. All these alerts were due to the rapid spread of new Zhelatin variants in mail traffic. Naturally, these outbreaks have had an effect on the February Top Twenty: out of the nine new malicious programs, six of them are Zhelatin variants. The struggle between Zhelatin and resulted in a veteran worm, Netsky.t, taking first place, while dropped back to second position. Zhelatin, meanwhile, managed by weight of numbers to occupy four of the top ten places.

When a new leader heads the rankings, there’s usually a general shake-up, with new programs making their first appearance, and old viruses making a comeback. As noted above, there are nine new malicious programs in the February Top Twenty, and four re-entries, including some old friends such as Nyxem.e, Scano.gen and Netsky.b. This demonstrates once again that today’s email worms have a long lifespan, and may be found in traffic years after their first appearance.

Other malicious programs made up a significant percentage (12.86%) of all malicious code found in mail traffic, indicating that a considerable number of other worms and Trojans are currently actively circulating.


  • New: Email-Worm.Win32.Zhelatin.dam, Email-Worm.Win32.Zhelatin.o,, Email-Worm.Win32.Zhelatin.u, Email-Worm.Win32.Zhelatin.m, Email-Worm.Win32.Zhelatin.r, Trojan-Downloader.Win32.Tibs.jr, Email-Worm.Win32.Zhelatin.t,
  • Moved up: Email-Worm.Win32.NetSky.t, Net-Worm.Win32.Mytob.c
  • Moved down:, Email-Worm.Win32.NetSky.q, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Bagle.gen
  • Re-entry: Email-Worm.Win32.Scano.gen, Email-Worm.Win32.Nyxem.e, Email-Worm.Win32.NetSky.b, Net-Worm.Win32.Mytob.t

Virus Top Twenty for February 2007

Your email address will not be published.



The SessionManager IIS backdoor

In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East.

APT ToddyCat

ToddyCat is a relatively new APT actor responsible for multiple sets of attacks against high-profile entities in Europe and Asia. Its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’.

WinDealer dealing on the side

We have discovered that malware dubbed WinDealer, spread by Chinese-speaking APT actor LuoYu, has an ability to perform intrusions through a man-on-the-side attack.

APT trends report Q1 2022

This is our latest summary of advanced persistent threat (APT) activity, focusing on events that we observed during Q1 2022.

Subscribe to our weekly e-mails

The hottest research right in your inbox