Malware reports

Virus Top Twenty for June 2004


Position Change in position Name Percentage by occurrence
1 new I-Worm.Zafi.b 33.97%
2 -1 I-Worm.Netsky.aa 18.44%
3 -1 I-Worm.Netsky.b 16.76%
5 no change I-Worm.Bagle.z 5.04%
6 no change I-Worm.NetSky.d 2.78%
7 -3 I-Worm.NetSky.y 2.38%
8 -1 I-Worm.LovGate.w 1.89%
9 -1 I-Worm.NetSky.t 1.57%
10 no change I-Worm.Mydoom.e 0.66%
11 +3 I-Worm.NetSky.r 0.64%
12 -3 I-Worm.Swen 0.64%
13 no change I-Worm.NetSky.c 0.56%
14 -3 I-Worm.Mydoom.g 0.53%
15 -3 I-Worm.NetSky.o 0.51%
16 -1 I-Worm.Bagle.y 0.50%
17 +1 EXPLOIT.HTML.ObjData 0.43%
18 -2 I-Worm.Sober.g 0.42%
19 re-entry I-Worm.Netsky.z 0.33%
20 re-entry I-Worm.NetSky.m 0.27%
Other malicious programs (not in the Top 20) 6.31%

June 2004 has probably turned out to be the quietest month this year : so far. It’s hard to tell why: maybe virus writers have been lying low due to arrests of coders worldwide or maybe antivirus vendors have succeeded in clearing up the aftermath of previous outbreaks. In any case, we only have one new entrant in the top twenty this month. Zafi.b

I-Worm.Zafi.b was written in Hungary and spread rapidly throughout Europe leaving the NetSky family in the dust. The most likely explanation for Zafi’s success lies in the clever social engineering techniques the senders used. The worm arrived in emails written in 18 different languages – depending on the IP address of the recipients. The actual texts were not very original – the usual fake warning from email providers or offers to view interesting photos.

The past two months have seen a successful crackdown on cyber crime – almost 10 coders were arrested in different countries. With any luck, we should see the arrest of Zafi’s author sometime soon.

The rest of the June top twenty is almost identical to May’s hit parade. Some email worms lost or gained a few places, but many remained in exactly the same place (a detailed analysis is available in earlier Top 20 lists).</p.

It is worth noting that Exploit.HTML.ObjData has gained strength, whereas Klez.h, a classic network worm, has finally disappeared from the list after a record breaking two-year stint.

However, the calm before the storm was disturbed by a slew of backdoor-worms – Internet worms with spy features. The LSASS vulnerability that Sasser underscored served as a catalyst for this trend. Hundreds of malicious programs are now exploiting this vulnerability shifting the paradigm of virus propagation from email to the Internet via attacks on open ports.

Other malware continued to make up a significant proportion of overall virus traffic in the Internet this month with almost 300 different viruses detected.


new viruses I-Worm.Zafi.b
moved up: NetSky.r, Exploit.HTML.ObjData
moved down NetSky.aa, NetSky.b, NetSky.q, NetSky.y, LovGate.w, Netsky.t, Swen, Mydoom.g, NetSky.o, Bagle.y, and Sober.g
no change Bagle.z, NetSky.d, Mydoom.e, Netsky.c
returned NetSky.z, NetSky.m

Virus Top Twenty for June 2004

Your email address will not be published. Required fields are marked *



APT trends report Q1 2024

The report features the most significant developments relating to APT groups in Q1 2024, including the new malware campaigns DuneQuixote and Durian, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox