Malware reports

Virus Top Twenty for July 2006

| Position | Change in position | Name | Percentage |
|---|---|---|---|
| 1 | No change | Net-Worm.Win32.Mytob.c | 25.32 |
| 2 | No change | Email-Worm.Win32.Nyxem.e | 24.24 |
| 3 | Up | Email-Worm.Win32.NetSky.b | 5.84 |
| 4 | Down | Email-Worm.Win32.LovGate.w | 5.83 |
| 5 | Up | Net-Worm.Win32.Mytob.q | 3.14 |
| 6 | Up | Email-Worm.Win32.NetSky.y | 3.03 |
| 7 | Up | Net-Worm.Win32.Mytob.u | 2.97 |
| 8 | Down | Net-Worm.Win32.Mytob.t | 2.97 |
| 9 | Up | Net-Worm.Win32.Mytob.w | 2.07 |
| 10 | Up | Net-Worm.Win32.Mytob.r | 1.64 |
| 11 | Up | Email-Worm.Win32.NetSky.x | 1.48 |
| 12 | Down | Net-Worm.Win32.Mytob.a | 1.44 |
| 13 | Up | Net-Worm.Win32.Mytob.gen | 1.21 |
| 14 | New |  | 1.07 |
| 15 | Down | Net-Worm.Win32.Mytob.x | 0.95 |
| 16 | Up (+1) |  | 0.94 |
| 17 | Down (-12) |  | 0.92 |
| 18 | Return |  | 0.87 |
| 19 | Return | Email-Worm.Win32.Scano.e | 0.74 |
| 20 | Down | Net-Worm.Win32.Mytob.bx | 0.74 |
|  |  | Other malicious programs | 12.59 |

June differed from previous months, with a noticeable outbreak caused by the unexpected return of Nyxem.e. This worm made up almost 17% of the malicious code detected in email, a clear indication that Nyxem could potentially take first place in our rankings in July. However, although the worm spread widely, Mytob.c retained first place, in spite of the fact that it lost 4% on the previous month. This month, Nyxem.e and Mytob.c are separated by a single percentage point – this makes it all the more interesting to see what will happen in August.

August is traditionally the month for epidemics, and there’s clear evidence of that in the last three years alone: 2003 – Lovesan, 2004 – numerous Mydoom variants, 2005 – Mytob/Bozori (aka Zotob). However, nearly all of these outbreaks were preceded by the disclosure of Windows vulnerabilities. So the answer to the question of whether there will be an epidemic this August will depend on whether new vulnerabilities are found.

However, this year the risk of an August epidemic is probably minimal. The last significant epidemic was caused by Nyxem.e in January this year. The only malicious programs which might be able to cause a serious outbreak, such as Scano or Bagle, are only showing brief flashes of activity.

Some of the events of June carried over into July. NetSky.q, the ultimate leader of 2004, a frequent visitor to the top of the table in 2005 and the first half of 2006, continued its retreat. In June, this worm fell 12 places, from 3rd to 15th place. In July it left the rankings altogether, ending up in 22nd place with 0.69%. Exactly the same happened with NetSky.t: it returned to the rankings at the beginning of the year, rose steadily up the table, dropped from 5th to 20th place in June, and this month fell to 25th place, with 0.65%.

All of this is rather strange. We’re not seeing new worms, and out of the old, well known families, it’s the numerous Mytob variants which are asserting themselves. June brought the return of, and a newcomer,, to the rankings.

Although most NetSky variants have disappeared off the bottom of the table, a few are still hanging on, even becoming slightly more prevalent. At the moment, we don’t have any explanation for this selective behaviour within the same family.

The LovGate family noticeably lost ground – three variants of this worm have figured in recent Top Twenties, but June’s rankings only have two. Although LovGate.w is still holding its own in the top five, dropped twelve places and may well follow NetSky.q and .t out of the rankings in August.

Scano.e, a polymorphic script worm, is continuing to hover at the bottom of the table. We’ve seen it in the ratings before; in June it appeared in 19th place, seemingly simply to remind users of its existence. Scano’s day is clearly over. We’re far more likely to see Feebs, a similar worm, making an appearance, and it does regularly figure in our online scanner statistics.

Other malicious programs made up 12.59% of those intercepted in mail traffic, showing that a relatively large number of Trojans and worms from other families are still in active circulation.


Moved up: NetSky.b, Mytob.q, NetSky.y, Mytob.u, Mytob.w, Mytob.r, NetSky.x, Mytob.gen,
Moved down: LovGate.w,, Mytob.t, Mytob.a, Mytob.x, Mytob.bx
No change: Net-Worm.Win32.Mytob.c, Email-Worm.Win32.Nyxem.e
Re-entry: , Scano.e
