Malware reports

Virus Top Twenty for March 2007

Position Change in position Name Proactive Detection Flag Percentage
1. New!
Trojan-Spy.HTML.Bankfraud.ra n/a* 31.93
2. Up
Email-Worm.Win32.NetSky.q Trojan.generic 13.96
3. Down
-1 Trojan.generic 10.69
4. Down
Email-Worm.Win32.NetSky.t Trojan.generic 8.50
5. New!
Email-Worm.Win32.Warezov.jx Trojan.generic 8.23
6. Up
Email-Worm.Win32.NetSky.aa Trojan.generic 3.89
7. No Change
Net-Worm.Win32.Mytob.c Trojan.generic 2.32
8. Up
Email-Worm.Win32.Scano.gen Trojan.generic 1.60
9. Up
Email-Worm.Win32.NetSky.b Trojan.generic 1.38
10. Return
Email-Worm.Win32.Mydoom.l Trojan.generic +
Hidden Install
11. Up
Exploit.Win32.IMG-WMF.y Data Execution +
Registry Access
12. Return
Worm.Win32.Feebs.gen Hidden Data Sending 1.22
13. Return
Return Trojan.generic +
Registry Access
14. Return
Email-Worm.Win32.NetSky.x Trojan.generic 1.03
15. Return
Email-Worm.Win32.Mydoom.m Trojan.generic 0.88
16. Down
Email-Worm.Win32.Zhelatin.dam ** 0.82
17. Up
Email-Worm.Win32.Bagle.gen Trojan.generic +
Registry access
18. Return
Return Trojan.generic 0.63
19. Return
Net-Worm.Win32.Mytob.dam ** 0,53
20. Down
-3 ** 0,51
Other malicious programs 7.33
* – this is an HTML page and does not display any behavior
** – non-functional sample

The virus world remains in a state of flux. In the first three months of 2007, we’ve seen three different malicious programs topping the ratings. Each month there are more and more new malicious programs, wave following on wave, and taking up their places in our Top Twenties. What’s more, it’s clear that many of these programs are competing with each other for supremacy.

Let’s take a moment to look back over the past few months. The end of 2006 was characterized by Warezov worms. Hundreds of Warezov variants flooded the Internet over a period of three months, and this looked set to continue for some time to come. However, in January Bagle reappeared out of nowhere, and one variant of this worm was the most widespread malicious program in mail traffic. In February, the epidemic caused by Zhelatin variants peaked, with six modifications of this worm finding a place in the Top Twenty. All the worms mentioned above were designed with one aim in mind: mass mailing spam from infected computers. Their prevalence caused a noticeable increase in the volume of spam, as nearly all antivirus companies noted.

This month’s leader, Trojan-Spy.HTML.Bankfraud.ra is also the result of recent virus epidemics. This Trojan is a typical phishing email, and millions of copies have been sent around the world. We’ve also noticed that this malicious program has been mass mailed several times. Bankfraud.ra was first detected on 27th February 2007, and in the space of a single month reached such a volume that this month it accounts for more than 30% of all malicious programs detected in mail traffic.

The Trojan targets clients of the Branch Banking and Trust Company (BB&T). It attempts to lure them to fake web sites registered by their undoubtedly malicious users in Croatia and the Cocos (Keeling) Islands.

Out of the other viruses in the top five, it should be noted that makes up almost the same volume of infected mail traffic as last month. If Bankfraud.ra disappears from the ratings in April, it seems likely that will head the table. Netsky.t and Netsky.q have swapped places, with one halving its presence in mail traffic, and the other doubling its share. And of course the authors of Warezov haven’t thrown in the towel yet; in March, the most successful of their creations was Warezov.jx, which made it to fifth place.

There are no other new malicious programs in the March Top Twenty. On the other hand, we are continuing to see older malicious programs re-entering, and then remaining in our ratings. Out of the four returnees in February, two have not only remained, but have increased their presence in infected traffic. In March, another six malicious programs returned to the rankings, including the veterans of the virus wars, such as Feebs.gen, Mydoom.m and It should again be stressed that the reappearance of these old viruses are probably caused by users who either don’t use an antivirus, or who haven’t updated their antivirus for several months, leading to new mass mailings of old worms which we thought we had seen the last of.

Other malicious programs made up a moderate percentage (7.33%) of all malicious code found in mail traffic, indicating that a number of other worms and Trojans are currently actively circulating.


  • New: Trojan-Spy.HTML.Bankfraud.ra, Email-Worm.Win32.Warezov.jx
  • Moved up: Email-Worm.Win32.NetSky.q, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Scano.gen, Email-Worm.Win32.NetSky.b, Exploit.Win32.IMG-WMF.y, Email-Worm.Win32.Bagle.gen
  • Moved down:, Email-Worm.Win32.NetSky.t, Email-Worm.Win32.Zhelatin.dam,
  • Re-entry: Email-Worm.Win32.Mydoom.l, Worm.Win32.Feebs.gen,, Email-Worm.Win32.NetSky.x, Email-Worm.Win32.Mydoom.m,, Net-Worm.Win32.Mytob.dam

Virus Top Twenty for March 2007

Your email address will not be published. Required fields are marked *



APT trends report Q1 2024

The report features the most significant developments relating to APT groups in Q1 2024, including the new malware campaigns DuneQuixote and Durian, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox