Virus Top Twenty for July 2004

| Position | Change in position | Name | Percentage by occurrence |
|---|---|---|---|
| 1 | no change | I-Worm.Zafi.b | 57.41% |
| 2 | no change | I-Worm.Netsky.aa | 11.71% |
| 3 | no change | I-Worm.Netsky.b | 10.72% |
| 4 | no change | I-Worm.Netsky.q | 2.94% |
| 5 | no change | I-Worm.Bagle.z | 2.34% |
| 6 | +3 | I-Worm.Netsky.t | 2.08% |
| 7 | no change | I-Worm.Netsky.y | 1.72% |
| 8 | -2 | I-Worm.Netsky.d | 1.25% |
| 9 | -1 | I-Worm.Lovgate.w | 1.18% |
| 10 | new | I-Worm.Bagle.gen | 0.75% |
| 11 | +4 | I-Worm.Netsky.o | 0.40% |
| 12 | new | I-Worm.Bagle.ah | 0.35% |
| 13 | re-entry | I-Worm.Sobig.f | 0.31% |
| 14 | new | Backdoor.Rbot.gen | 0.28% |
| 15 | new | I-Worm.Bagle.ai | 0.27% |
| 16 | -2 | I-Worm.Mydoom.g | 0.26% |
| 17 | +3 | I-Worm.Netsky.m | 0.25% |
| 18 | -7 | I-Worm.Netsky.r | 0.25% |
| 19 | re-entry | I-Worm.Mydoom.e | 0.24% |
| 20 | -8 | I-Worm.Swen | 0.24% |

Other malicious programs (not in the Top 20): 5.07%

Antivirus professionals have long known that viruses come in waves; June, July and December are usually down times. Maybe it’s because virus writers are people too – they too take vacations and if they go away, they may even forget to take their computers along.

July 2004 confirms this theory, with very few changes from the June ratings. The top five viruses are identical to the top five in June; only the percentages have changed. Zafi.b is the absolute leader this summer with 57%, which makes it the second most frequent virus of the year. Only Mydoom.a is ahead of Zafi.b, with a record-breaking figure of almost 80%.

Zafi.b is a paradox – an average worm, with nothing interesting in the code or the social engineering methods used to trick users into opening infected attachments. And yet it has beaten many more technologically advanced viruses. Certainly, changing the language of the incoming email in accordance with the recipient’s country is a novel idea. However, this is Zafi.b’s only interesting feature. Perhaps Zafi’s dominance can be explained by the fact that users have relaxed now that summer is in full swing and are being less cautious about opening attachments.

There are very few new entries to the Top Twenty: Bagle.gen leads the way. Bagle.gen is a catchall for all Bagle variants that propagate as password-protected attachments. There are also several new versions of Bagle, which were most likely released by copycat coders after Bagle.aa appeared complete with the Bagle source code inside. Bagle.ai and Bagle.ah make a modest first appearance, but we are likely to see more remakes of this particular malicious oldie.

14th place is occupied by Backdoor.Rbot.gen, a catchall for 30 or so similar backdoors. This is worth remarking on as these programs are not the email worms which everyone has become so used to over the past few months. These backdoors use various Windows vulnerabilities to give the sender full control over infected machines. Rbot variants accept commands to send copies of themselves via email, which probably accounts for the appearance of this backdoor in the virus top twenty.

And finally, like the Phoenix rising from the ashes, Sobig.f has not only returned, but even jumped immediately to number 13. This program last made an appearance in the Top Twenty in February this year.

Other malware continued to make up a significant amount of traffic for the third month in a row. In total, over 1000 different viruses were detected in July, over 3 times more than in June.

Summary

New viruses: I-Worm.Bagle.ai, Bagle.ah, Bagle.gen
Moved up: Netsky.t, Netsky.o, Netsky.m
Moved down: Netsky.d, Lovgate.w, Mydoom.g, Netsky.r, Mydoom.e, Swen
No change: Zafi.b, Netsky.aa, Netsky.b, Netsky.q, Bagle.z, Netsky.y
Returned: Sobig.f
