4no changeI-Worm.Netsky.q2.94%
Position | Change in position | Name | Percentage by occurrence |
---|---|---|---|
1 | no change | I-Worm.Zafi.b | 57.41% |
2 | no change | I-Worm.Netsky.aa | 11.71% |
3 | no change | I-Worm.Netsky.b | 10.72% |
5 | no change | I-Worm.Bagle.z | 2.34% |
6 | +3 | I-Worm.Netsky.t | 2.08% |
7 | no change | I-Worm.Netsky.y | 1.72% |
8 | -2 | I-Worm.Netsky.d | 1.25% |
9 | -1 | I-Worm.Lovgate.w | 1.18% |
10 | new | I-Worm.Bagle.gen | 0.75% |
11 | +4 | I-Worm.Netsky.o | 0.40% |
12 | new | I-Worm.Bagle.ah | 0.35% |
13 | re-entry | I-Worm.Sobig.f | 0.31% |
14 | new | Backdoor.Rbot.gen | 0.28% |
15 | new | I-Worm.Bagle.ai | 0.27% |
16 | -2 | I-Worm.Mydoom.g | 0.26% |
17 | +3 | I-Worm.Netsky.m | 0.25% |
18 | -7 | I-Worm.Netsky.r | 0.25% |
19 | re-entry | I-Worm.Mydoom.e | 0.24% |
20 | – 8 | I-Worm.Swen | 0.24% |
Other malicious programs (not in the Top 20) | 5.07% |
Antivirus professionals have long known that viruses come in waves; June, July and December are usually down times. Maybe it’s because virus writers are people too – they too take vacations and if they go away, they may even forget to take their computers along.
July 2004 confirms this theory, with very few changes from the June ratings. The top five viruses are identical to the top five in June; only the percentages have changed. Zafi.b is the absolute leader this summer with 57%, this figure making it the second most frequent virus of the year. Only Mydoom.a is ahead of Zafi.b with a recording-breaking almost 80%.
Zafi.b is a paradox – an average worm, with nothing interesting in the code or the social engineering methods used to trick users into opening infected attachments. And yet it has beat many more technologically advanced viruses. Certainly changing the language of the incoming email in accordance with the recipient’s country is a novel idea. However this is Zafi.b’s only interesting feature. Perhaps Zafi’s dominance can be explained by the fact that users have relaxed now that summer is in full swing and are being less cautious about opening attachments.
There are very few new entries to the Top Twenty: Bagle.gen leads the way. Bagle.gen is a catchall for all Bagle variants that propagate as password protected attachments. There are also several new versions of Bagle which were most likely released by copycat coders after Bagle.aa appeared complete with the Bagle source code inside. Bagle.ai and Bagle.ah make a modest first appearance, but we are likely to see more remakes of this particular malicious oldie.
14th place is occupied by Backdoor.Rbot.gen, a catchall for 30 or so similar backdoors. This is worth remarking on as these programs are not the email worms which everyone has become so used to over the past few months. These backdoors use various Windows vulnerabilities to give the sender full control over infected machines. Rbot variants accept commands to send copies of themselves via email, which probably accounts for the appearance of this backdoor in the virus top twenty.
And finally, like the Phoenix rising from the ashes, Sobig.f has not only returned, but even jumped immediately to number 13. This program last made an appearance in the Top Twenty in February this year.
Other malware continued to make up a significant amount of traffic for the third month in a row. In total, over 1000 different viruses were detected in July, over 3 times more than in June.
Summary
New viruses | I-Worm.Bagle.ai, Bagle.ah, Bagle.gen |
Moved up: | Netsky.t, Netsky.o, Netsky.m |
Moved down | Netsky.d, Lovgate.w, Mydoom.g, Netsky.r, Mydoom.e, Swen |
No change | Zafi.b, Netsky.aa, Netsky.b, Netsky.q, Bagle.z, Netsky.y |
Returned | Sobig.f |
Virus Top Twenty for July 2004