
Virus Top Twenty for February 2007

| Position | Change in position | Name | Proactive Detection Flag | Percentage |
|---|---|---|---|---|
| 1 | Up (+3) | Email-Worm.Win32.NetSky.t | Trojan.generic | 15.82 |
| 2 | Down (-1) | Email-Worm.Win32.Bagle.gt | Trojan.generic | 11.85 |
| 3 | New | Email-Worm.Win32.Zhelatin.dam | Damaged* | 8.19 |
| 4 | Down (-2) | Email-Worm.Win32.NetSky.q | Trojan.generic | 7.92 |
| 5 | New | Email-Worm.Win32.Zhelatin.o | Hidden Install + Registry access | 6.83 |
| 6 | New | Email-Worm.Win32.Warezov.ls | Hidden Install (x2) | 5.03 |
| 7 | Up (+2) | Net-Worm.Win32.Mytob.c | Trojan.generic | 3.72 |
| 8 | New | Email-Worm.Win32.Zhelatin.u | Trojan.generic + Invader (x10) | 3.58 |
| 9 | New | Email-Worm.Win32.Zhelatin.m | Hidden Install + Registry access | 3.30 |
| 10 | Down (-7) | Email-Worm.Win32.NetSky.aa | Trojan.generic | 3.27 |
| 11 | New | Email-Worm.Win32.Zhelatin.r | Trojan.generic | 2.87 |
| 12 | New | Trojan-Downloader.Win32.Tibs.jr | Trojan.generic | 2.43 |
| 13 | New | Email-Worm.Win32.Zhelatin.t | Hidden Install + Registry access | 1.94 |
| 14 | Return | Email-Worm.Win32.Scano.gen | Trojan.generic | 1.83 |
| 15 | Return | Email-Worm.Win32.Nyxem.e | Trojan.generic | 1.66 |
| 16 | Return | Email-Worm.Win32.NetSky.b | Trojan.generic | 1.59 |
| 17 | New | Packed.Win32.PePatch.gr | Damaged | 1.52 |
| 18 | Return | Net-Worm.Win32.Mytob.t | Worm.P2P.generic | 1.39 |
| 19 | Down (-14) | Email-Worm.Win32.Bagle.gen | Trojan.generic + Registry access | 1.26 |
| 20 | No change | Exploit.Win32.IMG-WMF.y | Data Execution + Registry access | 1.14 |
| | | Other malicious programs | | 12.86 |

* Non-functional sample

In last month’s Top Twenty, we noted that Warezov worms had been almost totally beaten back by Bagle. Only a single Warezov variant remained in January’s Top Twenty, and Bagle.gt led the rankings. However, the world of computer viruses takes after nature in that it abhors a vacuum, and as usual, new and more dangerous malicious programs have come to fill the void. This was the case in February, when we witnessed several epidemics caused by a new family of worms: Zhelatin.

Zhelatin is the ‘storm worm’ that got such wide coverage in the mass media at the beginning of the year. The worm spreads as emails with a range of topics designed to pique the recipient’s curiosity – the terrible hurricane in Western Europe, the death of President Putin, and the resurrection of Saddam Hussein. Although Zhelatin was initially thought to be a new Warezov variant, closer analysis revealed a new family of malicious programs which probably originated in Asia.

During February we issued three virus alerts with a ‘medium’ threat rating. All these alerts were due to the rapid spread of new Zhelatin variants in mail traffic. Naturally, these outbreaks have had an effect on the February Top Twenty: of the nine new malicious programs, six are Zhelatin variants. The struggle between Zhelatin and Bagle.gt resulted in a veteran worm, NetSky.t, taking first place, while Bagle.gt dropped back to second position. Zhelatin, meanwhile, managed by weight of numbers to occupy four of the top ten places.

When a new leader heads the rankings, there’s usually a general shake-up, with new programs making their first appearance and old viruses making a comeback. As noted above, there are nine new malicious programs in the February Top Twenty, and four re-entries, including some old friends such as Nyxem.e, Scano.gen and NetSky.b. This demonstrates once again that today’s email worms have a long lifespan, and may be found in traffic years after their first appearance.

Other malicious programs made up a significant percentage (12.86%) of all malicious code found in mail traffic, indicating that a considerable number of other worms and Trojans are currently actively circulating.

Summary:

  • New: Email-Worm.Win32.Zhelatin.dam, Email-Worm.Win32.Zhelatin.o, Email-Worm.Win32.Warezov.ls, Email-Worm.Win32.Zhelatin.u, Email-Worm.Win32.Zhelatin.m, Email-Worm.Win32.Zhelatin.r, Trojan-Downloader.Win32.Tibs.jr, Email-Worm.Win32.Zhelatin.t, Packed.Win32.PePatch.gr
  • Moved up: Email-Worm.Win32.NetSky.t, Net-Worm.Win32.Mytob.c
  • Moved down: Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.NetSky.q, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Bagle.gen
  • Re-entry: Email-Worm.Win32.Scano.gen, Email-Worm.Win32.Nyxem.e, Email-Worm.Win32.NetSky.b, Net-Worm.Win32.Mytob.t
