Virus Top Twenty for March 2005

Position  Change     Name                               Percentage
 1.       +1         Email-Worm.Win32.NetSky.q               27.76
 2.       +5         Email-Worm.Win32.NetSky.aa               9.01
 3.       +2         Email-Worm.Win32.NetSky.b                8.84
 4.       New        Net-Worm.Win32.Mytob.c                   8.21
 5.       +7         Email-Worm.Win32.Lovgate.w               4.48
 6.       -3         Email-Worm.Win32.Zafi.d                  4.47
 7.       -6         Email-Worm.Win32.Zafi.b                  3.86
 8.                  Email-Worm.Win32.Mydoom.m                3.52
 9.       +4         Email-Worm.Win32.NetSky.d                3.05
10.       +1         Email-Worm.Win32.Mydoom.l                2.77
11.       -1         Email-Worm.Win32.NetSky.y                2.27
12.       +2         Email-Worm.Win32.NetSky.x                1.58
13.       +2         Email-Worm.Win32.NetSky.r                1.44
14.       +3         Email-Worm.Win32.NetSky.t                1.32
15.       +1         Email-Worm.Win32.Bagle.ai                1.03
16.       -10        Email-Worm.Win32.Bagle.at                1.00
17.       -13        Email-Worm.Win32.Bagle.ay                0.92
18.       Re-entry   Email-Worm.Win32.Lovgate.ae              0.91
19.       New        Trojan-Spy.HTML.Bankfraud.dq             0.69
20.       Re-entry   Email-Worm.Win32.Bagle.gen               0.59
          Other malicious programs                           12.28
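The columns above (position, change since last month, name, share of intercepted mail traffic) are simple to produce from monthly detection counts, but the "New" versus "Re-entry" marker needs more than last month's chart: a family that charted months ago and comes back is a re-entry, not new. The following Python is an added example of how such a chart can be generated; it is not the report's own tooling, and the counts, previous chart and history it uses are constructed sample data, not Kaspersky's figures.

```python
"""Build a Top Twenty-style chart with position-change markers.

Added example, not part of the original report. All input data below
are constructed for illustration, not real detection statistics.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Entry:
    position: int   # 1-based rank this month
    change: str     # "+n", "-n", "No change", "New" or "Re-entry"
    name: str
    percent: float  # share of all intercepted samples, in percent


def rank_by_share(counts: dict[str, int], top_n: int) -> list[tuple[str, float]]:
    """Return the top_n names with their share of all samples, largest first.

    Ties are broken alphabetically so the chart is deterministic.
    """
    total = sum(counts.values())
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(name, 100.0 * n / total) for name, n in ordered[:top_n]]


def change_marker(name: str, new_pos: int,
                  last_chart: list[str], ever_charted: set[str]) -> str:
    """Derive the 'change' column for one entry.

    last_chart lists last month's chart in rank order (index 0 = 1st place);
    ever_charted holds every name that has appeared in any earlier chart.
    """
    if name in last_chart:
        delta = (last_chart.index(name) + 1) - new_pos   # positive = moved up
        return "No change" if delta == 0 else f"{delta:+d}"
    return "Re-entry" if name in ever_charted else "New"


def build_chart(counts: dict[str, int], last_chart: list[str],
                ever_charted: set[str], top_n: int = 20) -> tuple[list[Entry], float]:
    """Return the ranked entries and the share of everything outside the top_n."""
    entries = []
    for pos, (name, pct) in enumerate(rank_by_share(counts, top_n), start=1):
        marker = change_marker(name, pos, last_chart, ever_charted)
        entries.append(Entry(pos, marker, name, round(pct, 2)))
    other = round(100.0 - sum(e.percent for e in entries), 2)
    return entries, other


def format_chart(entries: list[Entry], other: float) -> str:
    """Render the chart in the same column layout as the report."""
    lines = [f"{e.position:>2}. {e.change:<9} {e.name:<32} {e.percent:>6.2f}"
             for e in entries]
    lines.append(f"{'Other malicious programs':<45} {other:>6.2f}")
    return "\n".join(lines)


# Constructed sample data (hypothetical counts, not the report's figures).
LAST_MONTH_CHART = ["Zafi.d", "NetSky.q", "Zafi.b", "Bagle.at", "NetSky.b"]
EVER_CHARTED = set(LAST_MONTH_CHART) | {"Lovgate.ae"}   # Lovgate.ae charted before
COUNTS_NOW = {
    "NetSky.q": 400, "Mytob.c": 250, "Zafi.d": 150, "Lovgate.ae": 80,
    "Bankfraud.dq": 50, "NetSky.b": 30, "Zafi.b": 20, "Mydoom.l": 15,
    "Bagle.gen": 5,
}

if __name__ == "__main__":
    chart, rest = build_chart(COUNTS_NOW, LAST_MONTH_CHART, EVER_CHARTED, top_n=5)
    print(format_chart(chart, rest))
```

With the sample data, NetSky.q is marked "+1" (2nd to 1st), Zafi.d "-2", Mytob.c and Bankfraud.dq "New", and Lovgate.ae "Re-entry" because it is absent from last month's chart but present in the history set. Keeping that history set is the one piece of state a monthly report has to carry forward.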

The situation that we’ve seen for the past few months continues, with Bagle, NetSky, Mydoom, Zafi and Lovgate competing with each other for places in our rankings. This month, our top three has changed again, with NetSky taking the top three places for the first time this year. And heading the chart is NetSky.q, the most widespread worm of 2004.

A surprise this month was the appearance of Mytob, a completely new family of worms. Malicious programs from this family are spreading actively, and Mytob.c, which was first detected on 4th March, is already in 4th place. This version is still spreading fast, and at the time of writing it is effectively heading the table. The other 15 Mytob variants are relatively inactive compared with Mytob.c.

Analysis shows that source code from Mydoom.a was used to create Mytob. However, some changes were made: Mytob also propagates via the LSASS vulnerability, in the same way that Sasser did. This means that the worm has two replication mechanisms, which makes it a dangerous opponent indeed.

Lovgate.w still maintains a presence in our Top Twenty, continuing to move up and down the table; this month it jumped up 7 places. And Lovgate.ae, another representative of this family, is also back in our rankings this month.

An interesting point this month is the fall of Zafi; in February this worm occupied 1st and 3rd place, but in March it has slid down to 6th and 7th place. The Hungarian worm has never been so low in the ratings. This may be an indication that Zafi will gradually disappear from mail traffic, although NetSky and Mydoom are evidence of how long some of the older viruses can maintain their presence on the Internet.

As for the rest of March’s Top Twenty, there are two other particular points of interest.

The first is that Bagle is still moving down the rankings, with Bagle.at and Bagle.ay occupying 10th and 13th place respectively. These worms, which were up there with the leaders in February, seem to have been sapped of their strength. Attempts to use these worms to cause a global epidemic seem to have been in vain, perhaps because they were quickly blocked by antivirus companies and ISPs.

Still on the subject of Bagle, during one 24-hour period in March the authors of this worm launched more than 10 new variants on the Internet. However, none of these versions managed to provoke an outbreak. In the middle of the month we released a generic detection for all of these worms, Bagle.pac, which came in 50th, showing that together they made up a mere 0.12% of all mail traffic in March.

Secondly, as has become traditional, Trojan-Spy.HTML still occupies a place in the Top Twenty. These malicious programs are used for phishing attacks, stealing the confidential data of users of online banking systems. In February our Trojan-Spy was Smitfraud, targeting clients of Smith Barney, and in March its place was taken by Bankfraud.dq, which targeted users of Regions.com.

This month a relatively large number of other malicious programs were detected, making up 12.28% of the malicious traffic intercepted. This shows that a large number of worms and Trojan programs from other families are still circulating.

Summary:

New: Mytob.c, Bankfraud.dq
Moved up: NetSky.q, NetSky.aa, NetSky.b, Lovgate.w, NetSky.d, Mydoom.l, NetSky.x, NetSky.r, NetSky.t, Bagle.ai
Moved down: Zafi.d, Zafi.b, NetSky.y, Bagle.at, Bagle.ay
Re-appeared: Mydoom.m
No change: Bagle.gen, Lovgate.ae
