Virus Top Twenty for May 2005

| Position | Change in position | Name | Percentage |
|---|---|---|---|
| 1 | No change (0) | Net-Worm.Win32.Mytob.c | 24.28 |
| 2 | No change (0) | Email-Worm.Win32.NetSky.q | 15.54 |
| 3 | No change (0) | Email-Worm.Win32.NetSky.aa | 5.27 |
| 4 | No change (0) | Email-Worm.Win32.NetSky.b | 4.00 |
| 5 | Up (+1) | Email-Worm.Win32.Zafi.b | 3.71 |
| 6 | Down (-1) | Email-Worm.Win32.LovGate.w | 3.30 |
| 7 | New! | Email-Worm.Win32.Sober.p | 3.21 |
| 8 | Up (+1) | Net-Worm.Win32.Mytob.u | 3.17 |
| 9 | Down (-1) | Email-Worm.Win32.Zafi.d | 3.05 |
| 10 | Down (-3) | Net-Worm.Win32.Mytob.q | 2.91 |
| 11 | No change (0) | Email-Worm.Win32.Mydoom.l | 1.89 |
| 12 | Up (+6) | Net-Worm.Win32.Mytob.h | 1.83 |
| 13 | Up (+4) | Net-Worm.Win32.Mytob.t | 1.78 |
| 14 | New! | Worm.Win32.Eyeveg.f | 1.63 |
| 15 | Down (-5) | Email-Worm.Win32.NetSky.d | 1.61 |
| 16 | New! | Net-Worm.Win32.Mytob.au | 1.52 |
| 17 | Down (-5) | Email-Worm.Win32.Mydoom.m | 1.48 |
| 18 | New! | Net-Worm.Win32.Mytob.ar | 1.46 |
| 19 | Down (-4) | Email-Worm.Win32.NetSky.t | 1.38 |
| 20 | Down (-7) | Email-Worm.Win32.NetSky.x | 1.19 |
| | | Other malicious programs | 15.79 |

After a large number of new malicious programs from the Mytob family appeared in the April Top Twenty, May has been relatively quiet. The six top worms have retained their places, with only LovGate and Zafi changing places with each other. Mytob.c continues to head the ratings, followed by three old friends from the NetSky family.

Far more interesting is what happened outside this leading group. Mytob seriously shook up the Top Twenty in April, with six different variants, and it seemed unlikely that any new virus would give Mytob a run for its money. Nevertheless, there are some new entrants to this month’s ratings.

Seventh place this month is occupied by a new version of the German worm, Sober.p. It was detected on 2nd May, and in the course of a week gained a significant foothold in the European segment of the Internet. This broke ground for the following version, Sober.q, which was detected on 14th May. Sober.q didn’t make it into the Top Twenty for the simple reason that it’s not really a worm, but more of a robot which spammed far right political propaganda.

In spite of the competition, or perhaps because of it, the authors of Mytob decided not to rest on their laurels, seemingly setting themselves the target of filling the entire Top Twenty with their creations. In April there were six Mytobs in our ratings, and another two joined them in May – Mytob.ar and Mytob.au. However, as Mytob.r only made it into 21st place, the versions in our rankings now total 7. New Mytobs are being detected with frightening regularity, once every three days, so it seems certain that this family will continue to figure in our monthly reviews.

The fourth and final new entrant was Eyeveg.f. Although Eyeveg.a, the first version in this family, was detected in September 2003, the Top Twenty has never included a worm from this family before, so it’s worth taking a closer look at it.

Eyeveg.f, currently in 14th place, differs from traditional email worms in that it contains a Browser Helper Object, which when installed works within the Internet Explorer process. In the case of Eyeveg, this functions as a keylogger, tracking exactly which keys are pressed on the keyboard of the victim machine and then sending this information to a remote malicious user. Two other versions of Eyeveg were detected in May, but were relatively unsuccessful: Eyeveg.g took 23rd place, and Eyeveg.h didn’t even figure in the 50 most widespread malicious programs this month.

The rest of the Top Twenty continues to exhibit its own Brownian motion, with various NetSkys and Mydooms floating up and down in a backdrop to other virus activity. And the background is one composed of tens of thousands of infected machines – a background where antivirus solutions are never used, and the operating systems are never updated.

Other malicious programs made up a significant percentage of all those intercepted in mail traffic, 15.79%. This shows that a large number of worms and Trojans from other families are still circulating throughout the Internet.

Summary:

New: Sober.p, Mytob.ar, Mytob.au, Eyeveg.f
Moved up: Zafi.b, Mytob.u, Mytob.h, Mytob.t
Moved down: LovGate.w, Zafi.d, Mytob.q, NetSky.d, Mydoom.m, NetSky.t, NetSky.x
No change: Mytob.c, NetSky.q, NetSky.aa, NetSky.b, Mydoom.l
