Malware reports

Virus Top Twenty for May 2006

Kaspersky Lab’s monthly analysis of virus activity reveals waning global email worm epidemics

Position Change in position Name Percentage
1. No Change
0
Net-Worm.Win32.Mytob.c 27.61
2. Up
+1
Email-Worm.Win32.LovGate.w 10.01
3. Up
+1
Email-Worm.Win32.NetSky.q 6.13
4. Up
+1
Email-Worm.Win32.LovGate.ad 5.83
5. Down
-3
Email-Worm.Win32.NetSky.t 4.77
6. No Change
0
Email-Worm.Win32.NetSky.b 4.30
7. Up
+2
Net-Worm.Win32.Mytob.u 2.65
8. No Change
0
Net-Worm.Win32.Mytob.t 2.52
9. Up
+3
Net-Worm.Win32.Mytob.a 2.45
10. No Change
0
Net-Worm.Win32.Mytob.q 2.30
11. No Change
0
Net-Worm.Win32.Mytob.w 1.72
12. Up
+5
Email-Worm.Win32.NetSky.y 1.68
13. Return
Return
Email-Worm.Win32.LovGate.ah 1.51
14. Return
Return
Email-Worm.Win32.NetSky.x 1.27
15. New
New
Email-Worm.Win32.Scano.ab 1.20
16. Down
-1
Email-Worm.Win32.NetSky.aa 1.18
17. New
New
Net-Worm.Win32.Mytob.eg 1.12
18. Return
Return
Net-Worm.Win32.Mytob.x 1.04
19. New
New
Email-Worm.Win32.Scano.ag 0.96
20. Return
Return
Net-Worm.Win32.Mytob.bx 0.96
Other malicious programs 18.79

Our statistics for May are not very different from the statistics for April. In fact, the difference between the May and March or even April Top Twenties is also minimal. This is not a temporary phenomenon, but a feature of today’s malware landscape: global email worm epidemics are already a thing of the past.

Let’s take a look at the statistics. Mytob.c, which in February firmly settled in the top position with about 30% of all traffic, remains at the top, keeping its competitors at a safe distance. A fight for second position is still going on: Mydoom, NetSky, Bagle and Mytob have remained in the top five over the past few months and even years. But by the summer of 2006 it turned out that they have been outlasted and overtaken on the way to the top – by South Korean worms that most Europeans are not very familiar with and which have rarely been mentioned by the mass media. Two variants of LovGate have made their way to the second and fourth positions in the rating, leaving the remaining two top five positions to NetSky. Apparently, this result is due to NetSky.t going down from the second position to the fifth, reducing its presence in mail traffic almost by half. This is just what we anticipated in previous months.

In previous months we predicted that new Mytob variants would strengthen their presence, and/or that old variants would return to top positions. Our forecasts were correct: two old Mytob variants — .u and .a — have somewhat improved their position and the family now accounts for exactly one half of the top ten, including the top position. In addition, a new-generation Mytob, the .eg variant, has made its way into Top Twenty. Although two hackers suspected of being the authors of these worms were arrested last August, new variants keep appearing at a frightening rate. This must be due to the fact that the source code for this worm is publicly available. But the Mytobs are not just climbing higher and spawning new variants: they even return to the Top Twenty once in a while. The variants to make a comeback in May were .x and .bx, making the number of Mytob clones in our rating almost half of the total: 9 positions out of 20.

In the rest of the ratings, two other newcomers are of some interest: the Scano email worm, in the form of variants .ag and .ab.

Scano is relatively new on the virus scene. In April we saw Scano.e reach the 14th position. This malicious program builds on the ideas implemented in the Feebs worm, which first appeared in the winter of 2005. Scano, however, differs from Feebs in that it includes a polymorphic JavaScript dropper, which delivers the worm to its victims. Polymorphic technologies are becoming increasingly popular among virus writers, because the previous methods used to conceal malicious code from antivirus programs have become almost totally ineffective.

Now Scano.e has left the stage and has been replaced by two newcomers, which took the 15th and 19th positions. In all probability, they will follow the older variant into oblivion in June, but it is doubtful that Scano will leave the Top Twenty completely: the author of this worm is highly productive and releases several new variants a week.

Other malicious programs in the Top Twenty accounted for a significant percentage (18.79%) of all those intercepted, which means that there are also numerous worms and Trojans belonging to other families still circulating in mail traffic.

Summary:

New Mytob.eg, Scano.ag, Scano,ab
Moved up LovGate.w, NetSky.q, LovGate.ad, Mytob.u, Mytob.a, NetSky.y
Moved down NetSky.t, NetSky.aa
No change Mytob.c, NetSky.b, Mytob.t, Mytob.q, Mytob.w
Re-entry LovGate.ah, NetSky.x, Mytob.x, Mytob.bx

Virus Top Twenty for May 2006

Your email address will not be published. Required fields are marked *

 

Reports

BlindEagle flying high in Latin America

Kaspersky shares insights into the activity and TTPs of the BlindEagle APT, which targets organizations and individuals in Colombia, Ecuador, Chile, Panama and other Latin American countries.

APT trends report Q2 2024

The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.

Subscribe to our weekly e-mails

The hottest research right in your inbox