Virus Top Twenty for July 2005

Position Change in position Name Percentage
1. Up
2. Down
3. Up
4. Down
5. Down
6. No Change
7. Down
8. New!
9. Down
10. Up
11. Up
12. Return
13. Down
14. Down
15. Down
16. Down
17. Down
18. Down
19. Return
20. Return
Other malicious programs 18.86

Amazing things are happening in the world of computer viruses. No sooner had a new generation of network worms made its presence felt, and some of the veterans disappeared from our ratings, than the old favourites made themselves known again, and in no uncertain terms.

And this is what happened in July. Mytob.c had been at the top of the ratings for three months, having deposed 2004’s leader, NetSky.q. More and more variants of the Mytob family appeared, and the Virus Top Twenty was threatening to turn into a Mytob Top Twenty.

But suddenly everything changed. NetSky.q is once again in first place, in its own strange way marking the sentence given to its author Sven Jaschan. In spite of the fact that yet another Mytob has appeared in the Top Twenty, the overall number of Mytobs has fallen from 13 to 10. And they have been squeezed out not by new worms, but by our old friends from the Bagle, Zafi, Mydoom and of course NetSky families.

Of course, the most surprising factor here is Zafi, for the second month in a row. In June, Zafi.d rose 6 places in the ratings, bringing it to 3rd place. In July, almost exactly the same thing happened with Zafi.b! This worm rose five places, gaining the very same 3rd place. In this way, the two Hungarian polyglot worms – they send spam in more than 15 European languages – find themselves in the top five. Completely unexpected, and as yet we have no concrete explanation for why this has happened.

There is only one new entry to the Top Twenty – This variant is almost identical to its predecessors – the authors of Mytob, who call themselves HELLBOT, are continuing to experiment with packers (hoping that newly packed variants will evade detection) or changing the bot function, and the list of IRC channels used to control the program. This is being done because channels used by previous variants have been quickly closed by IRC server administrators.

The various Mytobs are well entrenched in the top ten, taking 2nd, 5th, 6th, 8th and 10th place. brings up the rear in the top ten, and this program was leader of the month in terms of statistics, rising a whole 8 places at once. The same figure applies to another veteran of the ratings, LovGate.w, although this time the movement is downwards. If LovGate.w continues to fall in the ratings, the Korean worm won’t be in evidence next month.

Most interesting of all is the trio of worms which have returned to the Top Twenty. It is these worms which have caused Mytob to lose position, and they have taken the places previously occupied by Mytob variants.

First in line is NetSky.d. It was last seen in May, in 15th position, and in June it fell off the bottom of the ratings, and has now returned in triumph to 12th place. The four NetSky representatives are in 1st, 7th, 9th and 12th place. With this showing, the decision of the German court to give Sven Jaschan an 18 month suspended sentence and 30 hours community service seems all the more amazing.

The other two returnees are in 19th and 20th place, at the very bottom of the ratings. However, if Mytob continues to move down the chart, these two may well rise further up the table.

Mydoom.m is one of Mytob’s older brothers. Mytob variants and Mydoom.m are all based on the source code of Mydoom.a, and are a clear example of the consequences of publishing virus source code on the Internet. It’s just as dangerous, and in fact even more harmful than spreading a single virus or worm, as it incites other virus writers to use the source code in their malicious programs. Who knows what would have happened if the source code of Mydoom.m had not been published on the Internet in February 2004? How would the virus landscape today have been different? One thing is clear – there would have been no new Mydooms or Mytobs in the ratings this month.

Rounding off the Top Twenty is one of the many Bagles, this time Bagle.ah. This old familiar virus is marking the one year anniversary of its detection with an inexplicable burst of activity.

Other malicious programs make up a significant percentage (18.86%) of all those intercepted in mail traffic. This indicates that a large number of worms and Trojans from other families are still in circulation.


Returned NetSky.d, Mydoom.m, Bagle.ah
Moved up NetSky.q, Zafi.b,,
Moved down Mytob.c, Zafi.d,, NetSky.aa, NetSky.b, Mytob.u,, LovGate.w, Mytob.q, Mytob.u, Mytob.t, Mydoom.l
No change Mytob.bk
