Malware reports

Virus Top Twenty for January 2007

Position Change in position Name Proactive
Detection Flag*
Percentage
1. Up
+5
Email-Worm.Win32.Bagle.gt Trojan.generic 28,05
2. Up
+3
Email-Worm.Win32.NetSky.q Trojan.generic 24,01
3. Up
+5
Email-Worm.Win32.NetSky.aa Trojan.generic 14,63
4. No Change Email-Worm.Win32.NetSky.t Trojan.generic 4,75
5. Return
Return
Email-Worm.Win32.Bagle.gen Trojan.generic +
Registry access
4,30
6. New!
New!
Trojan-Downloader.Win32.Small.dam Trojan.generic +
Invader
3,07
7. Up
+5
Email-Worm.Win32.NetSky.b Trojan.generic 2,56
8. New!
New!
Trojan-Downloader.Win32.Small.ciw Trojan.generic +
Invader
2,23
9. Down
-2
Net-Worm.Win32.Mytob.c Trojan.generic 1,99
10. Return
Return
Email-Worm.Win32.Mydoom.l Trojan.generic +
Hidden Install
1,99
11. Down
-1
Email-Worm.Win32.Scano.gen Trojan.generic 1,44
12. Return
Return
Email-Worm.Win32.NetSky.d Trojan.generic 1,43
13. New!
New!
Net-Worm.Win32.Mytob.bt Trojan.generic 1,24
14. Return
Return
Worm.Win32.Feebs.gen Hidden Data Sending 1,12
15. New!
New!
Trojan-Proxy.Win32.Lager.dp Trojan.generic +
Invader
0,74
16. Return
Return
Email-Worm.Win32.Mydoom.m Trojan.generic 0,69
17. Down
-2
Email-Worm.Win32.Warezov.do Trojan.generic +
Registry access
0,68
18. Return
Return
Email-Worm.Win32.NetSky.y Trojan.generic 0,46
19. Up
+1
Email-Worm.Win32.NetSky.x Trojan.generic 0,46
20. Down
-3
Exploit.Win32.IMG-WMF.y Data Execution +
Registry access
0,37
Other malicious programs 3,99
* — Starting from this year, our Top 20 charts include information on alerts displayed by the proactive defense technology. A proactive defense module is currently implemented in Kaspersky Anti-Virus 6.0 and Kaspersky Internet Security 6.0. The module proactively detects unknown IT threats based on their behavior rather than signatures and alerts the user of any potential danger.

When Bagle.gt appeared in our Top Twenty for December 2006, we believed that this might indicate an intensification of the struggle between virus writers to gain control of users’ computers. Why? The end of 2006 was notable for the steady evolution of Warezov, another worm, which so far has more than 300 variants. Warezov and Bagle are in direct competition with each other: they both harvest databases containing email addresses, and make it possible to send spam via the infected machines. This type of business is extremely profitable, so the authors of Bagle could not fail to react to the appearance of a competitor. In December Bagle.gt took fifth place, and has since risen to first place. It currently makes up nearly 30% of mail traffic, showing that it will probably continue to cause problems for Internet users for some time to come.

For the moment at least, all Warezov variants are being beaten back by Bagle and other malicious programs. This is supported by the fact that only Warezov.do has remained in the ratings, and in seventeenth place at that. February will show whether or not Warezov has been dealt a mortal blow; it is, of course, possible, that we have not heard the last of this worm.

Usually when the viruses at the top of the ratings change places, the rest of the Top Twenty also undergoes a reshuffle in terms of new malicious programs and returnees. The newcomers in January were very interesting.

Most significant are the programs occupying sixth and eighth place in the rankings: Trojan-Downloader.Win32.Small.dam and .ciw. In spite of the fact that they have different variant names, these are effectively one and the same Trojan – the ‘storm worm’ which was widely written about by the media in January. This worm spreads via the Internet as an attachment to messages, allegedly bringing news of the terrible hurricane in Western Europe, the death of President Putin, and the resurrection of Saddam Hussein. This piece of malware was initially thought to be a new variant of Warezov. However, detailed analysis showed that the program was a totally new family which appeared to be of Asian origin. It may be that there will now be a third player joining the Bagle-Warezov contest. Incidentally, from February onwards we will categorize programs from this family as Email-Worm.Win32.Zhelatin, and we will be tracking its activity.

One of the numerous Mytob variants, Mytob.bt, comes in at thirteenth place. It has been circulating on the Internet for a while now, but has only just managed to make it into our rankings. Somewhat more interesting is fifteenth place, occupied by a Trojan program: Trojan-Proxy.Win32.Lager.dp. As this program is not a worm, and therefore unable to propagate on its own, the fact that it has managed to reach fifteenth place shows that it was spammed on a wide scale. And once again, Lager.dp confirms that virus writers want to use victim machines as spamming platforms – the Trojan functions as an email proxy server.

Given all the evidence above we can say for certain that spam will be on the increase in February 2007.

Other malicious programs made up a small – 3.99% – percentage of all malicious programs intercepted in mail traffic.

Summary:

  • New: Trojan-Downloader.Win32.Small.dam, Trojan-Downloader.Win32.Small.ciw, Net-Worm.Win32.Mytob.bt, Trojan-Proxy.Win32.Lager.dt
  • Moved up: Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.NetSky.q, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.NetSky.b, Email-Worm.Win32.NetSky.x
  • Moved down: Net-Worm.Win32.Mytob.c, Email-Worm.Win32.Scano.gen, Email-Worm.Win32.Warezov.do, Exploit.Win32.IMG-WMF.y
  • Re-entry: Email-Worm.Win32.Bagle.gen, Email-Worm.Win32.Mydoom.l, Email-Worm.Win32.NetSky.d, Worm.Win32.Feebs.gen, Email-Worm.Win32.Mydoom.m, Email-Worm.Win32.NetSky.y

Virus Top Twenty for January 2007

Your email address will not be published. Required fields are marked *

 

Reports

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

APT trends report Q2 2024

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox