Virus Top Twenty for November 2004

4+4I-Worm.Zafi.b7.83%

Bagle.at has finally made it to the top of the ratings this November. Bagle.at and Mydoom.ab appeared at the tail end of October (numbers 14 and 7 respectively), but both worms really gained ground only in November, heading the list as a result. Moreover, Mydoom.ab joins 2004 record holders for jumping 12 places.

On the whole, November marks the end of the NetSky monopoly, with 4 new worms making their first appearance to push NetSky variants aside. Bofra.b and Sober.i are undoubtedly two of the more interesting examples.

Bofra.b is based on Mydoom source code, but the alterations are significant enough to create a separate family. The naming of Bofra was a joint effort among antivirus vendors; for a long time many vendors thought that the worm was simply a new version of Mydoom. However, it was eventually agreed that the worm was a new malicious program which deserved its own name. This decision was reached because Bofra penetrates computers in a different way to Mydoom. It launches a http server on the victim machine, and a specially constructed html page is placed on this server. The htmp page is coded to exploit the IFrame buffer overflow vulnerability in Internet Explorer. The emails that Bofra sends don’t have a copy of the worm attached – instead the message contains a link to an already infected machine. If the user clicks on this link, their machine will call the infected page, and Bofra will penetrate the computer.

Sober.i is another interesting novelty in this month’s top twenty. Millions of users (mainly in Germany and Austria, but also in other European countries) were spammed with this latest variant of the worm, which caused a brief epidemic. This outbreak was shortlived due to errors in the worm’s coding – these errors were present even when Sober first appeared at the end of 2003. This causes the worm to send meaningless data by email, instead of its own body.

Zafi.c, which was first detected in October, didn’t make it into the Top Twenty. One of its forerunners, though, gained four places, and almost gained a place in the top three – shades of summer 2004, when it lead the ratings.

The Korean worm, LovGate.w has been resident in the Top Twenty for a long time. However, this month it also appeared in a new form – LovGate.ad. This variant was detected in July 2004, but up until now hasn’t made the ratings. In contrast to all the other worms in this month’s top twenty, it wasn’t spammed, but uses a more classic propagation method – spreading initially from a small number of infected computers, then gradually picking up momentum. The fact that LovGate has taken 6th and 18th place this month is evidence of the fact that such propagation methods are still effective.

This month’s top twenty is made up exclusively of email worms. However, November was a month which saw more than 40 phishing attacks, with the phishing emails being spammed widely. In terms of volume, many of these emails are almost candidates for the top twenty. This is disturbing, as such emails are sent once, in contrast to a worm which sends out millions of copies of itself – we can therefore conclude that phishing attacks are now almost comparable in scale to worm epidemics. Because of this, the next top twenty may well include some of the malicious programs used in phishing attacks.

Other malicious programs not listed here made up 8.89% of all the virus traffic. Overall, more that 200 distinct malicious programs were detected in mail traffic over the last month.

Summary: