Virus Top Twenty for March 2007

Position	Change in position	Name	Proactive Detection Flag	Percentage
1.	New	Trojan-Spy.HTML.Bankfraud.ra	n/a*	31.93
2.	+2	Email-Worm.Win32.NetSky.q	Trojan.generic	13.96
3.	-1	Email-Worm.Win32.Bagle.gt	Trojan.generic	10.69
4.	-4	Email-Worm.Win32.NetSky.t	Trojan.generic	8.50
5.	New	Email-Worm.Win32.Warezov.jx	Trojan.generic	8.23
6.	+4	Email-Worm.Win32.NetSky.aa	Trojan.generic	3.89
7.	0	Net-Worm.Win32.Mytob.c	Trojan.generic	2.32
8.	+6	Email-Worm.Win32.Scano.gen	Trojan.generic	1.60
9.	+7	Email-Worm.Win32.NetSky.b	Trojan.generic	1.38
10.	Return	Email-Worm.Win32.Mydoom.l	Trojan.generic + Hidden Install	1.32
11.	+9	Exploit.Win32.IMG-WMF.y	Data Execution + Registry Access	1.25
12.	Return	Worm.Win32.Feebs.gen	Hidden Data Sending	1.22
13.	Return	Email-Worm.Win32.Warezov.do	Trojan.generic + Registry Access	1.20
14.	Return	Email-Worm.Win32.NetSky.x	Trojan.generic	1.03
15.	Return	Email-Worm.Win32.Mydoom.m	Trojan.generic	0.88
16.	-13	Email-Worm.Win32.Zhelatin.dam	**	0.82
17.	+2	Email-Worm.Win32.Bagle.gen	Trojan.generic + Registry access	0.78
18.	Return	Net-Worm.Win32.Mytob.bt	Trojan.generic	0.63
19.	Return	Net-Worm.Win32.Mytob.dam	**	0,53
20.	-3	Packed.Win32.PePatch.gr	**	0,51
Other malicious programs				7.33
* – this is an HTML page and does not display any behavior ** – non-functional sample

The virus world remains in a state of flux. In the first three months of 2007, we’ve seen three different malicious programs topping the ratings. Each month there are more and more new malicious programs, wave following on wave, and taking up their places in our Top Twenties. What’s more, it’s clear that many of these programs are competing with each other for supremacy.

Let’s take a moment to look back over the past few months. The end of 2006 was characterized by Warezov worms. Hundreds of Warezov variants flooded the Internet over a period of three months, and this looked set to continue for some time to come. However, in January Bagle reappeared out of nowhere, and one variant of this worm was the most widespread malicious program in mail traffic. In February, the epidemic caused by Zhelatin variants peaked, with six modifications of this worm finding a place in the Top Twenty. All the worms mentioned above were designed with one aim in mind: mass mailing spam from infected computers. Their prevalence caused a noticeable increase in the volume of spam, as nearly all antivirus companies noted.

This month’s leader, Trojan-Spy.HTML.Bankfraud.ra is also the result of recent virus epidemics. This Trojan is a typical phishing email, and millions of copies have been sent around the world. We’ve also noticed that this malicious program has been mass mailed several times. Bankfraud.ra was first detected on 27th February 2007, and in the space of a single month reached such a volume that this month it accounts for more than 30% of all malicious programs detected in mail traffic.

The Trojan targets clients of the Branch Banking and Trust Company (BB&T). It attempts to lure them to fake web sites registered by their undoubtedly malicious users in Croatia and the Cocos (Keeling) Islands.

Out of the other viruses in the top five, it should be noted that Bagle.gt makes up almost the same volume of infected mail traffic as last month. If Bankfraud.ra disappears from the ratings in April, it seems likely that Bagle.gt will head the table. Netsky.t and Netsky.q have swapped places, with one halving its presence in mail traffic, and the other doubling its share. And of course the authors of Warezov haven’t thrown in the towel yet; in March, the most successful of their creations was Warezov.jx, which made it to fifth place.

There are no other new malicious programs in the March Top Twenty. On the other hand, we are continuing to see older malicious programs re-entering, and then remaining in our ratings. Out of the four returnees in February, two have not only remained, but have increased their presence in infected traffic. In March, another six malicious programs returned to the rankings, including the veterans of the virus wars, such as Feebs.gen, Mydoom.m and Warezov.do. It should again be stressed that the reappearance of these old viruses are probably caused by users who either don’t use an antivirus, or who haven’t updated their antivirus for several months, leading to new mass mailings of old worms which we thought we had seen the last of.

Other malicious programs made up a moderate percentage (7.33%) of all malicious code found in mail traffic, indicating that a number of other worms and Trojans are currently actively circulating.

Summary:

• New: Trojan-Spy.HTML.Bankfraud.ra, Email-Worm.Win32.Warezov.jx
• Moved up: Email-Worm.Win32.NetSky.q, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Scano.gen, Email-Worm.Win32.NetSky.b, Exploit.Win32.IMG-WMF.y, Email-Worm.Win32.Bagle.gen
• Moved down: Email-Worm.Win32.Bagle.gt, Email-Worm.Win32.NetSky.t, Email-Worm.Win32.Zhelatin.dam, Packed.Win32.PePatch.gr
• Re-entry: Email-Worm.Win32.Mydoom.l, Worm.Win32.Feebs.gen, Email-Worm.Win32.Warezov.do, Email-Worm.Win32.NetSky.x, Email-Worm.Win32.Mydoom.m, Net-Worm.Win32.Mytob.bt, Net-Worm.Win32.Mytob.dam