Malware reports

Virus Top Twenty for May 2007

Position  Change in position  Name                                Proactive Detection Flag  Percentage
1         No Change (0)       Email-Worm.Win32.NetSky.t           Trojan.generic            15.31
2         Up (+1)             Email-Worm.Win32.NetSky.q           Trojan.generic            14.76
3         Up (+1)             Email-Worm.Win32.Bagle.gt           Trojan.generic            13.46
4         New!                Email-Worm.Win32.Sober.aa           Hidden Install            11.86
5         Up (+1)             Worm.Win32.Feebs.gen                Hidden Data Sending        6.49
6         Up (+6)             Email-Worm.Win32.NetSky.aa          Trojan.generic             5.44
7         No Change (0)       Net-Worm.Win32.Mytob.c              Trojan.generic             3.33
8         New!                Trojan-Downloader.Win32.Agent.bqs   *                          2.44
9         Up (+1)             Email-Worm.Win32.Scano.gen          Trojan.generic             2.22
10        Down (-1)           Email-Worm.Win32.NetSky.b           Trojan.generic             2.20
11        New!                Virus.Win32.Grum.a                  **                         2.18
12        Up (+7)             Net-Worm.Win32.Mytob.t              Worm.P2P.generic           1.63
13        Up (+4)             Email-Worm.Win32.LovGate.w          Trojan.generic             1.34
14        Return              Net-Worm.Win32.Mytob.dam            [Damaged]                  1.18
15        Return              Email-Worm.Win32.NetSky.x           Trojan.generic             1.17
16        Down (-3)           Email-Worm.Win32.Mydoom.l           Trojan.generic             1.12
17        Return              Exploit.Win32.IMG-WMF.y             ***                        0.99
18        Down (-2)           Email-Worm.Win32.Zhelatin.dam       [Damaged]                  0.72
19        New!                Email-Worm.Win32.Warezov.ns         Invader                    0.62
20        New!                Virus.Win32.Cheburgen.a             **                         0.57
                              Other malicious programs                                      10.97

* — this is a downloader for Email-Worm.Win32.Warezov. It is detected as Invader.
** — PDM is not designed to detect classic viruses.
*** — WMF graphics file.
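The ranking above is derived from per-detection counts in mail traffic: each row's percentage is the detection's share of all malicious messages in the month, and the "Change in position" column compares the current rank with the previous month's, marking a name as New! when it has never been ranked before and Return when it was ranked in some earlier month but not the previous one. The following script, an added example that is not part of the report and not Kaspersky Lab's tooling, implements that bookkeeping over constructed sample counts (the detection names are taken from the table, the figures are invented for illustration):

```python
from collections import Counter

# Constructed sample data, not the report's figures:
# month -> detection name -> number of infected messages seen.
HISTORY = {
    "2007-03": Counter({"Email-Worm.Win32.NetSky.t": 50, "Email-Worm.Win32.NetSky.q": 40,
                        "Net-Worm.Win32.Mytob.dam": 30, "Email-Worm.Win32.Bagle.gt": 20}),
    "2007-04": Counter({"Email-Worm.Win32.NetSky.t": 60, "Email-Worm.Win32.Bagle.gt": 40,
                        "Email-Worm.Win32.NetSky.q": 30, "Email-Worm.Win32.Zhelatin.dam": 20}),
    "2007-05": Counter({"Email-Worm.Win32.NetSky.t": 50, "Email-Worm.Win32.NetSky.q": 45,
                        "Email-Worm.Win32.Bagle.gt": 40, "Email-Worm.Win32.Sober.aa": 38,
                        "Net-Worm.Win32.Mytob.dam": 20, "Email-Worm.Win32.Zhelatin.dam": 7}),
}


def positions(counts):
    """Map detection name -> 1-based rank, highest count first; the name breaks ties."""
    ordered = sorted(counts, key=lambda name: (-counts[name], name))
    return {name: i + 1 for i, name in enumerate(ordered)}


def change_label(name, current, previous, older):
    """Return (label, diff) in the sense of the table's 'Change in position' column.

    diff is the number of places moved (positive = up); it is None for New! and Return.
    """
    if name in previous:
        diff = previous[name] - current[name]
        if diff == 0:
            return "No Change", 0
        return ("Up" if diff > 0 else "Down"), diff
    if any(name in month for month in older):
        return "Return"  , None
    return "New!", None


def top_n(history, month, n=20):
    """Build the Top-N rows for `month` plus the share of everything outside the Top N."""
    months = sorted(history)
    idx = months.index(month)
    current = positions(history[month])
    previous = positions(history[months[idx - 1]]) if idx >= 1 else {}
    older = [positions(history[m]) for m in months[:max(idx - 1, 0)]]
    total = sum(history[month].values())
    rows = []
    for name, pos in sorted(current.items(), key=lambda kv: kv[1])[:n]:
        label, diff = change_label(name, current, previous, older)
        rows.append({"position": pos, "change": label, "diff": diff, "name": name,
                     "percentage": round(100 * history[month][name] / total, 2)})
    other = sum(c for nm, c in history[month].items() if current[nm] > n)
    return rows, round(100 * other / total, 2)


def render(rows, other):
    """Lay the rows out as a plain-text table in the style of the report."""
    lines = [f"{'Pos':>3}  {'Change':<14}  {'Name':<34}  {'%':>6}"]
    for r in rows:
        if r["diff"] is None:
            change = r["change"]
        elif r["diff"] == 0:
            change = f"{r['change']} (0)"
        else:
            change = f"{r['change']} ({r['diff']:+d})"
        lines.append(f"{r['position']:>3}  {change:<14}  {r['name']:<34}  {r['percentage']:>6.2f}")
    lines.append(f"{'':>3}  {'':<14}  {'Other malicious programs':<34}  {other:>6.2f}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows, other = top_n(HISTORY, "2007-05", n=5)
    print(render(rows, other))
```

With the constructed May counts, NetSky.t keeps first place, NetSky.q moves Up (+1), Bagle.gt moves Down (-1), Sober.aa enters as New!, Mytob.dam is a Return because it was ranked in March but absent in April, and the remaining Zhelatin.dam share becomes "Other malicious programs".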

A first look at the top of the table for May might give the impression that we’ve slipped back in time to the end of 2005. You can rub your eyes as hard as you want but it won’t change anything – Netsky, Bagle and Sober are topping the rankings again, just as they were a few years ago.

We could have seen this coming. Netsky.t and Netsky.q have been among the leaders in our Top Twenties for quite a while now; Bagle.gt has spent several months now moving up the table towards the top three, and fourth place this month was unexpectedly taken by Sober.aa. The first samples of this worm were detected by Kaspersky Lab analysts on 7th April 2007. This may not seem very significant, but the previous version of this worm, Sober.z, dates back to the middle of November 2005! More than a year and a half has passed since then. Sober.z was one of the most widespread worms in its time – it seemed then as though the German police were hot on the unknown author’s tracks, and that an arrest would be imminent. However, nothing happened, and now someone (perhaps someone different from the worm’s original author) has released a new version of this old email worm. The result is clear – Sober.aa, a primitive worm, has been able to squeeze out worms with far more advanced functionality, and it may well climb higher in the ratings in months to come.

The Warezov and Zhelatin worm families are among the victims in this latest struggle between viruses. Warezov.ms, which came second in the April Top Twenty, has fallen off the bottom of the table, and Warezov.ns, which came to take its place, wasn’t able to rise higher than the very modest 19th place. However, Trojan-Downloader.Win32.Agent.bqs has raised a red flag – it was mass-mailed on 24th May and has risen to 8th place in the May Top Twenty. This is a warning sign as it’s Agent.bqs which downloads new versions of Warezov to victim machines, creating a potentially huge epidemic and a gigantic botnet.

In May phishers were less active than in April and March. There’s not a single phishing email in the entire Top Twenty this month. However, this is clearly a temporary phenomenon and phishing attacks will undoubtedly be back to take their place in the rankings of the most common threats in mail traffic.

Interestingly, tenth and twentieth place this month are two classic file viruses, Grum and Cheburgen. File viruses are not typical for the Top Twenty but gained their place due to a peculiarity of the life cycle of a file virus. Just as happens in the natural world, Grum and Cheburgen are effectively parasites. They aren’t able to spread by themselves, either via the Internet or across local networks. However, they are extremely aggressive and will infect all files on the victim machine indiscriminately. As a result, email worm files on the victim machine will be infected. And the consequence is that an infected message sent from the victim machine will contain a ‘sandwich’ – a worm file which is also infected with a file virus.

Other malicious programs made up 10.97% of all malicious code in mail traffic, indicating that there is still a relatively large number of other worm and Trojan families in circulation.

Summary

  • New: Email-Worm.Win32.Sober.aa, Trojan-Downloader.Win32.Agent.bqs, Virus.Win32.Grum.a, Email-Worm.Win32.Warezov.ns, Virus.Win32.Cheburgen.a
  • Moved up: Email-Worm.Win32.NetSky.q, Email-Worm.Win32.Bagle.gt, Worm.Win32.Feebs.gen, Email-Worm.Win32.NetSky.aa, Email-Worm.Win32.Scano.gen, Net-Worm.Win32.Mytob.t, Email-Worm.Win32.LovGate.w
  • Moved down: Email-Worm.Win32.NetSky.b, Email-Worm.Win32.Mydoom.l, Email-Worm.Win32.Zhelatin.dam
  • Re-entry: Net-Worm.Win32.Mytob.dam, Email-Worm.Win32.NetSky.x, Email-Worm.Win32.Warezov.ns
