Malware reports

Virus Top Twenty for July 2006

Position Change in position Name Percentage
1. No Change
0
Net-Worm.Win32.Mytob.c 25.32
2. No Change
0
Email-Worm.Win32.Nyxem.e 24.24
3. Up
+1
Email-Worm.Win32.NetSky.b 5.84
4. Down
-1
Email-Worm.Win32.LovGate.w 5.83
5. Up
+2
Net-Worm.Win32.Mytob.q 3.14
6. Up
+5
Email-Worm.Win32.NetSky.y 3.03
7. Up
+1
Net-Worm.Win32.Mytob.u 2.97
8. Down
-2
Net-Worm.Win32.Mytob.t 2.97
9. Up
+7
Net-Worm.Win32.Mytob.w 2.07
10. Up
+4
Net-Worm.Win32.Mytob.r 1.64
11. Up
+1
Email-Worm.Win32.NetSky.x 1.48
12. Down
-2
Net-Worm.Win32.Mytob.a 1.44
13. Up
+5
Net-Worm.Win32.Mytob.gen 1,21
14. New!
New
Net-Worm.Win32.Mytob.cg 1.07
15. Down
-6
Net-Worm.Win32.Mytob.x 0.95
16. Up
+1
Email-Worm.Win32.NetSky.af 0.94
17. Down
-12
Email-Worm.Win32.LovGate.ad 0.92
18. Return
Return
Net-Worm.Win32.Mytob.ar 0.87
19. Return
Return
Email-Worm.Win32.Scano.e 0.74
20. Down
-1
Net-Worm.Win32.Mytob.bx 0.74
Other malicious programs 12.59

June differed from previous months, with a noticeable outbreaks caused by the unexpected return of Nyxem.e. This worm made up almost 17% of the malicious code detected in email, a clear indication that if Nyxem could potentially take first place in our rankings in July. However, although the worm spread widely, Mytob.c retained first place, in spite of the fact that it lost 4% on the previous month. This month, Nyxem.e. and Mytob.c are separated by a single percentage point – this makes it all the more interesting to see what will happen in August.

August is traditionally the month for epidemics. And there’s clear evidence of that in the last three years alone: 2003 – Lovesan, 2004 – numerous Mydoom variants, 2005 – Mytob/ Bozori (aka Zotob). However, nearly all of these outbreaks were preceded by the disclosure of Windows vulnerabilities. So the answer to the question whether there will be an epidemic this August will depend on whether new vulnerabilities are found.

However, this year the risk of an August epidemic is probably minimal. The last significant epidemic was caused by Nyxem.e in January this year. The only malicious programs which might be able to cause a serious outbreak, such as Scano or Bagle, are only showing brief flashes of activity.

Some of the events of June carried over into July. NetSky.q, the ultimate leader of 2004, a frequent visitor to the top of the table in 2005 and the first half of 2006, continued its retreat. In June, this worm fell 12 places, from 3rd to 15th place. In July it left the rankings altogether, achieving on 22nd place with 0.69%. Exactly the same happened with NetSky.t: it returned to the rankings at the beginning of the year, rose steadily up the table, dropped from 5th to 20th place in June, and this month fell to 25th place, with 0.65%.

All of this is rather strange. We’re not seeing new worms, and out of the old, well known families, it’s the numerous Mytob variants which are asserting themselves. June brought the return of Mytob.ar, and a newcomer, Mytob.cg, to the rankings.

Although most NetSky variants have disappeared off the bottom of the table, a few are still hanging on, even becoming slightly more prevalent. At the moment, we don’t have any explanation for this selective behaviour within the same family.

The LovGate family noticeably lost ground – three variants of this worm have figured in recent Top Twenties, but June’s rankings only have two. Although LovGate.w is still holding its own in the top five, LovGate.ad dropped twelve places and may well follow NetSky.q and .t out of the rankings in August.

Scano.e, a polymorphic script worm, is continuing to hover at the bottom of the table. We’ve seen it in the ratings before; in June it appeared in 19th place, seemingly simply to remind users of its existence. Scano’s day is clearly over. We’re far more likely to see Feebs, a similar worm, making an appearance, and it does regularly figure in our online scanner statistics.

Other malicious programs made up 12.59% of those intercepted in mail traffic, showing that a relatively large number of Trojans and worms from other families are still in active circulation.

Summary

New Mytob.cg
Moved up NetSky.b, Mytob.q, NetSky.y, Mytob.u, Mytob.w, Mytob.r, NetSky.x, Mytob.gen, NetSky.af
Moved down LovGate.w, LovGate.ad, Mytob.t, Mytob.a, Mytob.x, Mytob.bx
No change Net-Worm.Win32.Mytob.c, Email-Worm.Win32.Nyxem.e
Re-entry Mytob.ar, Scano.e

Virus Top Twenty for July 2006

Your email address will not be published. Required fields are marked *

 

Reports

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

APT trends report Q2 2024

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox