Malware reports

Virus Top Twenty for February 2007

Position Change in position Name Proactive Detection Flag Percentage
1. Up
+3
Email-Worm.Win32.NetSky.t Trojan.generic 15.82
2. Down
-1
Email-Worm.Win32.Bagle.gt Trojan.generic 11.85
3. New!
New
Email-Worm.Win32.Zhelatin.dam Damaged* 8.19
4. Down
-2
Email-Worm.Win32.NetSky.q Trojan.generic 7.92
5. New!
New
Email-Worm.Win32.Zhelatin.o Hidden Install +
Registry access
6.83
6. New!
New
Email-Worm.Win32.Warezov.ls Hidden Install (x2) 5.03
7. Up
+2
Net-Worm.Win32.Mytob.c Trojan.generic 3.72
8. New!
New
Email-Worm.Win32.Zhelatin.u Trojan.generic +
Invader(x10)
3.58
9. New!
New
Email-Worm.Win32.Zhelatin.m Hidden Install +
Registry access
3.30
10. Down
-7
Email-Worm.Win32.NetSky.aa Trojan.generic 3.27
11. New!
New
Email-Worm.Win32.Zhelatin.r Trojan.generic 2.87
12. New!
New
Trojan-Downloader.Win32.Tibs.jr Trojan.generic 2.43
13. New!
New
Email-Worm.Win32.Zhelatin.t Hidden Install +
Registry access
1.94
14. Return
Return
Email-Worm.Win32.Scano.gen Trojan.generic 1.83
15. Return
Return
Email-Worm.Win32.Nyxem.e Trojan.generic 1.66
16. Return
Return
Email-Worm.Win32.NetSky.b Trojan.generic 1.59
17. New!
New
Packed.Win32.PePatch.gr Damaged 1.52
18. Return
Return
Net-Worm.Win32.Mytob.t Worm.P2P.generic 1.39
19. Down
-14
Email-Worm.Win32.Bagle.gen Trojan.generic +
Registry access
1.26
20. No Change Exploit.Win32.IMG-WMF.y Data Execution +
Registry access
1.14
Other malicious programs 12.86
* — Non functional sample

In last month’s Top Twenty, we noted that Warezov worms had been almost totally beaten back by Bagle. Only a single Warezov variant remained in January’s Top Twenty, and Bagle.gt led the rankings. However, the world of computer viruses takes after nature, in that it abhors a vacuum, and as usually, new and more dangerous malicious programs have come to fill the void. This was the case in February, when we witnessed several epidemics caused by a new family of worms: Zhelatin.

Zhelatin is the ‘storm worm’ that got such wide coverage in the mass media at the beginning of the year. The worm spreads as emails with a range of topics designed to pique the recipient’s curiosity – the terrible hurricane in Western Europe, the death of President Putin, and the resurrection of Saddam Hussein. Although Zhelatin was initially thought to be a new Warezov variant, closer analysis revealed a new family of malicious programs which probably originated in Asia.

During February we issued three virus alerts with a ‘medium’ threat rating. All these alerts were due to the rapid spread of new Zhelatin variants in mail traffic. Naturally, these outbreaks have had an effect on the February Top Twenty: out of the nine new malicious programs, six of them are Zhelatin variants. The struggle between Zhelatin and Bagle.gt resulted in a veteran worm, Netsky.t, taking first place, while Bagle.gt dropped back to second position. Zhelatin, meanwhile, managed by weight of numbers to occupy four of the top ten places.

When a new leader heads the rankings, there’s usually a general shake-up, with new programs making their first appearance, and old viruses making a comeback. As noted above, there are nine new malicious programs in the February Top Twenty, and four re-entries, including some old friends such as Nyxem.e, Scano.gen and Netsky.b. This demonstrates once again that today’s email worms have a long lifespan, and may be found in traffic years after their first appearance.

Other malicious programs made up a significant percentage (12.86%) of all malicious code found in mail traffic, indicating that a considerable number of other worms and Trojans are currently actively circulating.

Summary:

  • New: Email-Worm.Win32.Zhelatin.dam, Email-Worm.Win32.Zhelatin.o, Email-Worm.Win32.Warezov.ls, Email-Worm.Win32.Zhelatin.u, Email-Worm.Win32.Zhelatin.m, Email-Worm.Win32.Zhelatin.r, Trojan-Downloader.Win32.Tibs.jr, Email-Worm.Win32.Zhelatin.t, Packed.Win32.PePatch.gr
  • Moved up: Email-Worm.Win32.NetSky.t, Net-Worm.Win32.Mytob.c
  • Moved down: Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.NetSky.q, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Bagle.gen
  • Re-entry: Email-Worm.Win32.Scano.gen, Email-Worm.Win32.Nyxem.e, Email-Worm.Win32.NetSky.b, Net-Worm.Win32.Mytob.t

Virus Top Twenty for February 2007

Your email address will not be published. Required fields are marked *

 

Reports

Operation TunnelSnake

A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The victims are located in Africa, South and South-East Asia.

APT trends report Q1 2021

This report highlights significant events related to advanced persistent threat (APT) activity observed in Q1 2021. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Subscribe to our weekly e-mails

The hottest research right in your inbox