Malware reports

Virus Top Twenty for June 2004

| Position | Change in position | Name | Percentage by occurrence |
|---|---|---|---|
| 1 | new | I-Worm.Zafi.b | 33.97% |
| 2 | -1 | I-Worm.Netsky.aa | 18.44% |
| 3 | -1 | I-Worm.Netsky.b | 16.76% |
| 4 | -1 | I-Worm.Netsky.q | 5.38% |
| 5 | no change | I-Worm.Bagle.z | 5.04% |
| 6 | no change | I-Worm.NetSky.d | 2.78% |
| 7 | -3 | I-Worm.NetSky.y | 2.38% |
| 8 | -1 | I-Worm.LovGate.w | 1.89% |
| 9 | -1 | I-Worm.NetSky.t | 1.57% |
| 10 | no change | I-Worm.Mydoom.e | 0.66% |
| 11 | +3 | I-Worm.NetSky.r | 0.64% |
| 12 | -3 | I-Worm.Swen | 0.64% |
| 13 | no change | I-Worm.NetSky.c | 0.56% |
| 14 | -3 | I-Worm.Mydoom.g | 0.53% |
| 15 | -3 | I-Worm.NetSky.o | 0.51% |
| 16 | -1 | I-Worm.Bagle.y | 0.50% |
| 17 | +1 | EXPLOIT.HTML.ObjData | 0.43% |
| 18 | -2 | I-Worm.Sober.g | 0.42% |
| 19 | re-entry | I-Worm.Netsky.z | 0.33% |
| 20 | re-entry | I-Worm.NetSky.m | 0.27% |
| | | Other malicious programs (not in the Top 20) | 6.31% |

June 2004 has probably turned out to be the quietest month this year so far. It’s hard to tell why: maybe virus writers have been lying low due to arrests of coders worldwide, or maybe antivirus vendors have succeeded in clearing up the aftermath of previous outbreaks. In any case, we only have one new entrant in the top twenty this month: Zafi.b.

I-Worm.Zafi.b was written in Hungary and spread rapidly throughout Europe, leaving the NetSky family in the dust. The most likely explanation for Zafi’s success lies in the clever social engineering techniques the senders used. The worm arrived in emails written in 18 different languages, depending on the IP address of the recipients. The actual texts were not very original – the usual fake warning from email providers or offers to view interesting photos.

The past two months have seen a successful crackdown on cyber crime – almost 10 coders were arrested in different countries. With any luck, we should see the arrest of Zafi’s author sometime soon.

The rest of the June top twenty is almost identical to May’s hit parade. Some email worms lost or gained a few places, but many remained in exactly the same place (a detailed analysis is available in earlier Top 20 lists).

It is worth noting that Exploit.HTML.ObjData has gained strength, whereas Klez.h, a classic network worm, has finally disappeared from the list after a record-breaking two-year stint.

However, the calm before the storm was disturbed by a slew of backdoor-worms – Internet worms with spy features. The LSASS vulnerability that Sasser underscored served as a catalyst for this trend. Hundreds of malicious programs are now exploiting this vulnerability, shifting the paradigm of virus propagation from email to the Internet via attacks on open ports.

Other malware continued to make up a significant proportion of overall virus traffic on the Internet this month, with almost 300 different viruses detected.

Summary

new viruses: I-Worm.Zafi.b
moved up: NetSky.r, Exploit.HTML.ObjData
moved down: NetSky.aa, NetSky.b, NetSky.q, NetSky.y, LovGate.w, Netsky.t, Swen, Mydoom.g, NetSky.o, Bagle.y, and Sober.g
no change: Bagle.z, NetSky.d, Mydoom.e, Netsky.c
returned: NetSky.z, NetSky.m
