Virus Top Twenty for June 2005

(Percentage = share of all malware detected in email traffic during the month)

Position  Change in position  Name                        Percentage
--------  ------------------  --------------------------  ----------
1.        No change           Net-Worm.Win32.Mytob.c           19.55
2.        No change           Email-Worm.Win32.NetSky.q        11.50
3.        Up +6               Email-Worm.Win32.Zafi.d           5.33
4.        New                 Net-Worm.Win32.Mytob.be           4.68
5.        Down -2             Email-Worm.Win32.NetSky.aa        4.60
6.        New                 Net-Worm.Win32.Mytob.bk           4.02
7.        Down -1             Email-Worm.Win32.LovGate.w        3.66
8.        Down -4             Email-Worm.Win32.NetSky.b         3.31
9.        Down -4             Email-Worm.Win32.Zafi.b           3.25
10.       Up +8               Net-Worm.Win32.Mytob.ar           2.97
11.       Down -1             Net-Worm.Win32.Mytob.q            2.67
12.       Down -3             Net-Worm.Win32.Mytob.u            2.49
13.       New                 Net-Worm.Win32.Mytob.bf           2.04
14.       Up +2               Net-Worm.Win32.Mytob.au           2.04
15.       Down -3             Net-Worm.Win32.Mytob.h            1.87
16.       Down -3             Net-Worm.Win32.Mytob.t            1.85
17.       Down -6             Email-Worm.Win32.Mydoom.l         1.55
18.       New                 Net-Worm.Win32.Mytob.bi           1.48
19.       New                 Net-Worm.Win32.Mytob.ba           1.47
20.       New                 Net-Worm.Win32.Mytob.bd           1.39
                              Other malicious programs         18.28

Mytob was the flavor of the month in June. We saw Mytob with both worm and bot capabilities, Mytob without bot capabilities, Mytob packed with one, two or three packers, and so forth. In short, Mytob variants dominated email traffic this month.

Mytob.c kept the leading position it held in both April and May, making it unlikely that NetSky.q, the worm which held first place for the longest in 2004, will regain the top spot. Interestingly, both worms have lost ground in terms of their share of overall traffic, and their losses correspond to the increase in the share taken by other malicious programs.

The endless stream of Mytobs left so little room for other worms that all six newcomers to the ratings are members of this prolific family. Some of the new variants are plain mass-mailing worms without botnet capability, a departure from the recent trend of virus writers building botnet capability into most new worms.
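The claims in this report (all six newcomers are Mytobs, the family dominates the chart) can be computed from the table rather than eyeballed. The following is an added example, not code from the original report: it parses detection names of the form Behaviour.Platform.Family.variant used throughout the table, aggregates the June 2005 rows by family, counts newcomers per family, and checks that the twenty entries plus "Other" add up to 100%. The row data is taken from the table above; the function and type names are this example's own.

```python
# Added example: parse Behaviour.Platform.Family.variant detection names and
# aggregate the June 2005 Top Twenty by family. Helper names are assumptions
# made for this example, not anything defined by the original report.
from collections import Counter, defaultdict
from decimal import Decimal
from typing import NamedTuple


class Detection(NamedTuple):
    behaviour: str  # e.g. "Net-Worm", "Email-Worm"
    platform: str   # e.g. "Win32"
    family: str     # e.g. "Mytob"
    variant: str    # e.g. "c", "be"


def parse_name(name: str) -> Detection:
    """Split a four-part detection name; reject anything that does not fit."""
    parts = name.split(".")
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"unexpected detection name format: {name!r}")
    return Detection(*parts)


# (position, change, detection name, share in %) as listed in the table above.
# Shares are kept as strings and converted to Decimal so that sums are exact.
TOP_TWENTY = [
    (1, "0", "Net-Worm.Win32.Mytob.c", "19.55"),
    (2, "0", "Email-Worm.Win32.NetSky.q", "11.50"),
    (3, "+6", "Email-Worm.Win32.Zafi.d", "5.33"),
    (4, "New", "Net-Worm.Win32.Mytob.be", "4.68"),
    (5, "-2", "Email-Worm.Win32.NetSky.aa", "4.60"),
    (6, "New", "Net-Worm.Win32.Mytob.bk", "4.02"),
    (7, "-1", "Email-Worm.Win32.LovGate.w", "3.66"),
    (8, "-4", "Email-Worm.Win32.NetSky.b", "3.31"),
    (9, "-4", "Email-Worm.Win32.Zafi.b", "3.25"),
    (10, "+8", "Net-Worm.Win32.Mytob.ar", "2.97"),
    (11, "-1", "Net-Worm.Win32.Mytob.q", "2.67"),
    (12, "-3", "Net-Worm.Win32.Mytob.u", "2.49"),
    (13, "New", "Net-Worm.Win32.Mytob.bf", "2.04"),
    (14, "+2", "Net-Worm.Win32.Mytob.au", "2.04"),
    (15, "-3", "Net-Worm.Win32.Mytob.h", "1.87"),
    (16, "-3", "Net-Worm.Win32.Mytob.t", "1.85"),
    (17, "-6", "Email-Worm.Win32.Mydoom.l", "1.55"),
    (18, "New", "Net-Worm.Win32.Mytob.bi", "1.48"),
    (19, "New", "Net-Worm.Win32.Mytob.ba", "1.47"),
    (20, "New", "Net-Worm.Win32.Mytob.bd", "1.39"),
]
OTHER_SHARE = Decimal("18.28")  # the "Other malicious programs" row


def share_by_family(rows):
    """Total percentage per family, e.g. {'Mytob': Decimal('48.52'), ...}."""
    totals = defaultdict(Decimal)
    for _pos, _change, name, share in rows:
        totals[parse_name(name).family] += Decimal(share)
    return dict(totals)


def entries_by_family(rows):
    """How many chart positions each family occupies."""
    return Counter(parse_name(name).family for _, _, name, _ in rows)


def newcomers_by_family(rows):
    """Families of the entries marked 'New' this month."""
    return Counter(parse_name(name).family
                   for _, change, name, _ in rows if change == "New")


def chart_total(rows, other):
    """Sanity check: the twenty entries plus 'Other' should account for 100%."""
    return sum(Decimal(share) for *_, share in rows) + other


if __name__ == "__main__":
    counts = entries_by_family(TOP_TWENTY)
    for family, share in sorted(share_by_family(TOP_TWENTY).items(),
                                key=lambda kv: -kv[1]):
        print(f"{family:<8} {share:>6}%  ({counts[family]} entries)")
    print("newcomers:", dict(newcomers_by_family(TOP_TWENTY)))
    print("chart total:", chart_total(TOP_TWENTY, OTHER_SHARE))
```

Decimal is used instead of float so that the family totals and the 100% check come out exact; with floats the same sums would need a tolerance. The strict four-part parser is deliberate: a name with a missing platform or variant is more likely a transcription error than a legitimate entry, and silently grouping it would corrupt the family totals.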

Surprisingly, Zafi.d jumped from ninth to third place, the second largest rise in June. This unexpected surge does not fit the general pattern of Mytob domination. Mytob.be, on the other hand, a new variant which took fourth place, is entirely explicable given the plethora of Mytobs this month.

LovGate, the worm that refuses to die, has been in the top ten for over a year. This is mostly due to a high rate of LovGate infections in China, where many users lack adequate anti-virus protection. Mytob also has connections to Asia, so it is reasonable to assume that we will be seeing Mytobs in the ratings for many months to come.

Other facts worth noting in the June Top Twenty include Mytob.ar soaring from 18th place to 10th, and the complete disappearance of Bagle and Sober. The last Mydoom remaining in the ratings fell to 17th place, leading us to predict that Mydoom will follow Bagle and Sober into oblivion. This leaves only NetSky to represent the most dangerous worms from 2004 in the July ratings.

The share of malware detected in email traffic that did not make it into the Top Twenty has been increasing steadily all year, from 6.68% in January to 18.28% in June. This is partly because malware writers are using individualized worms and Trojans to target specific user groups instead of relying mostly on mass mailings to infect random users.

Summary:

New: Mytob.be, Mytob.bk, Mytob.bf, Mytob.bi, Mytob.ba, Mytob.bd
Moved up: Zafi.d, Mytob.ar, Mytob.au
Moved down: NetSky.aa, LovGate.w, NetSky.b, Zafi.b, Mytob.q, Mytob.u, Mytob.h, Mytob.t, Mydoom.l
No change: Mytob.c, NetSky.q
