Malware reports

Virus Top Twenty for February 2007

Position Change in position Name Proactive Detection Flag Percentage
1. Up
Email-Worm.Win32.NetSky.t Trojan.generic 15.82
2. Down
-1 Trojan.generic 11.85
3. New!
Email-Worm.Win32.Zhelatin.dam Damaged* 8.19
4. Down
Email-Worm.Win32.NetSky.q Trojan.generic 7.92
5. New!
Email-Worm.Win32.Zhelatin.o Hidden Install +
Registry access
6. New!
New Hidden Install (x2) 5.03
7. Up
Net-Worm.Win32.Mytob.c Trojan.generic 3.72
8. New!
Email-Worm.Win32.Zhelatin.u Trojan.generic +
9. New!
Email-Worm.Win32.Zhelatin.m Hidden Install +
Registry access
10. Down
Email-Worm.Win32.NetSky.aa Trojan.generic 3.27
11. New!
Email-Worm.Win32.Zhelatin.r Trojan.generic 2.87
12. New!
Trojan-Downloader.Win32.Tibs.jr Trojan.generic 2.43
13. New!
Email-Worm.Win32.Zhelatin.t Hidden Install +
Registry access
14. Return
Email-Worm.Win32.Scano.gen Trojan.generic 1.83
15. Return
Email-Worm.Win32.Nyxem.e Trojan.generic 1.66
16. Return
Email-Worm.Win32.NetSky.b Trojan.generic 1.59
17. New!
New Damaged 1.52
18. Return
Net-Worm.Win32.Mytob.t Worm.P2P.generic 1.39
19. Down
Email-Worm.Win32.Bagle.gen Trojan.generic +
Registry access
20. No Change Exploit.Win32.IMG-WMF.y Data Execution +
Registry access
Other malicious programs 12.86
* — Non functional sample

In last month’s Top Twenty, we noted that Warezov worms had been almost totally beaten back by Bagle. Only a single Warezov variant remained in January’s Top Twenty, and led the rankings. However, the world of computer viruses takes after nature, in that it abhors a vacuum, and as usually, new and more dangerous malicious programs have come to fill the void. This was the case in February, when we witnessed several epidemics caused by a new family of worms: Zhelatin.

Zhelatin is the ‘storm worm’ that got such wide coverage in the mass media at the beginning of the year. The worm spreads as emails with a range of topics designed to pique the recipient’s curiosity – the terrible hurricane in Western Europe, the death of President Putin, and the resurrection of Saddam Hussein. Although Zhelatin was initially thought to be a new Warezov variant, closer analysis revealed a new family of malicious programs which probably originated in Asia.

During February we issued three virus alerts with a ‘medium’ threat rating. All these alerts were due to the rapid spread of new Zhelatin variants in mail traffic. Naturally, these outbreaks have had an effect on the February Top Twenty: out of the nine new malicious programs, six of them are Zhelatin variants. The struggle between Zhelatin and resulted in a veteran worm, Netsky.t, taking first place, while dropped back to second position. Zhelatin, meanwhile, managed by weight of numbers to occupy four of the top ten places.

When a new leader heads the rankings, there’s usually a general shake-up, with new programs making their first appearance, and old viruses making a comeback. As noted above, there are nine new malicious programs in the February Top Twenty, and four re-entries, including some old friends such as Nyxem.e, Scano.gen and Netsky.b. This demonstrates once again that today’s email worms have a long lifespan, and may be found in traffic years after their first appearance.

Other malicious programs made up a significant percentage (12.86%) of all malicious code found in mail traffic, indicating that a considerable number of other worms and Trojans are currently actively circulating.


  • New: Email-Worm.Win32.Zhelatin.dam, Email-Worm.Win32.Zhelatin.o,, Email-Worm.Win32.Zhelatin.u, Email-Worm.Win32.Zhelatin.m, Email-Worm.Win32.Zhelatin.r, Trojan-Downloader.Win32.Tibs.jr, Email-Worm.Win32.Zhelatin.t,
  • Moved up: Email-Worm.Win32.NetSky.t, Net-Worm.Win32.Mytob.c
  • Moved down:, Email-Worm.Win32.NetSky.q, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Bagle.gen
  • Re-entry: Email-Worm.Win32.Scano.gen, Email-Worm.Win32.Nyxem.e, Email-Worm.Win32.NetSky.b, Net-Worm.Win32.Mytob.t

Virus Top Twenty for February 2007

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox